recent/hitcount broken in Lenny?

To: debian-firewall@lists.debian.org
Subject: recent/hitcount broken in Lenny?
From: Guillaume Tamboise <guillaume@patoche.org>
Date: Sat, 25 Apr 2009 12:05:05 +0200
Message-id: <1240653905.8210.14.camel@pthome>

Hello,

I used to rate limit the number of incoming HTTP connections in Etch,
using these iptables statements:

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --set --name HTTP

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --update --seconds 2 --hitcount 50 --name HTTP -j LOG
--log-prefix "HTTP_DoS "

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --update --seconds 2 --hitcount 50 --name HTTP -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT


The second statement gives this in Lenny:

iptables: Invalid argument


The only way to get iptables to accept this statement is to remove the
hitcount. This works just fine:

# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --update --seconds 2 --name HTTP -j LOG --log-prefix "HTTP_DoS "

but it does not do what I need.


Any idea?

Regards,

Guillaume Tamboise

Reply to:

Follow-Ups:
- Re: recent/hitcount broken in Lenny?
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Prev by Date: Re: Router does not more work under Lenny
Next by Date: Re: recent/hitcount broken in Lenny?
Previous by thread: Re: Router does not more work under Lenny
Next by thread: Re: recent/hitcount broken in Lenny?
Index(es):
- Date
- Thread