
Re: iptables connlimit



On Tue, 08 Mar 2005 00:42:01 +0100
Bernd Eckenfels <ecki@lina.inka.de> wrote:

> In article <20050307234755.6da6e36a.gygy@rdslink.ro> you wrote:
> > server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
> 
> Have you tried:
> 
> iptables -m connlimit -h 
> 
> does it show the connlimit options?
> 
> BTW: my iptables manpage knows about -m connrate --connrate <from>:<to>,
> but it is clearly not available on my system.
> 
> Perhaps it is easiest if you strace the command. Also try to skip single
> parameters (like --reject-with tcp-reset)
> 

server# iptables -m connlimit -h 
connlimit v1.2.11 options:
[!] --connlimit-above n         match if the number of existing tcp
connections is (not) above n
 --connlimit-mask n             group hosts using mask

server# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT
iptables: No chain/target/match by that name

I use plain sarge (no patches, default kernel, default iptables)
-- 
Best regards,
Minta Adrian
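The two outputs in this message point at different sides of iptables, and the following script is an added diagnostic (not code posted in the thread) that encodes the check: `iptables -m connlimit -h` succeeding shows the userspace extension (libipt_connlimit.so) loads, while "No chain/target/match by that name" is the kernel rejecting the rule because it has no connlimit match. On sarge's stock 2.6.8 that is expected, since connlimit lived in patch-o-matic-ng until it was merged into mainline as xt_connlimit in 2.6.23. The kernel config symbol names, the module and library paths, and the `--live` flag are this script's own assumptions about a Debian layout, not something the thread states.

```shell
#!/bin/sh
# Added diagnostic for the connlimit failure, not from the thread.
# The two messages come from different sides:
#   "Couldn't load match"                -> iptables could not dlopen the
#                                          userspace extension (libipt_connlimit.so)
#   "No chain/target/match by that name" -> the kernel rejected the rule because
#                                          it has no connlimit match module
classify_iptables_error() {
    case "$1" in
        *"Couldn't load match"*)                echo userspace-missing-extension ;;
        *"No chain/target/match by that name"*) echo kernel-missing-match ;;
        *)                                      echo other ;;
    esac
}

# Report how connlimit is configured in a kernel .config file: builtin,
# module or absent. Both symbol names are checked (assumed names):
#   CONFIG_IP_NF_MATCH_CONNLIMIT       patch-o-matic era (2.6.8 as in sarge)
#   CONFIG_NETFILTER_XT_MATCH_CONNLIMIT mainline, 2.6.23 and later
connlimit_config_state() {
    cfg=$1
    for sym in CONFIG_NETFILTER_XT_MATCH_CONNLIMIT CONFIG_IP_NF_MATCH_CONNLIMIT; do
        if grep -q "^${sym}=y" "$cfg" 2>/dev/null; then
            echo builtin
            return 0
        fi
        if grep -q "^${sym}=m" "$cfg" 2>/dev/null; then
            echo module
            return 0
        fi
    done
    echo absent
    return 0
}

# Live check against the running kernel (assumed Debian layout:
# /boot/config-<version> and modules under /lib/modules/<version>).
# Only runs when invoked with --live, so the functions above can be
# sourced or tested without touching the system.
live_check() {
    ver=$(uname -r)
    cfg=/boot/config-$ver
    if [ -r "$cfg" ]; then
        echo "kernel config $cfg: connlimit $(connlimit_config_state "$cfg")"
    else
        echo "kernel config $cfg not readable; falling back to module search"
    fi
    # The module, if present at all, is ipt_connlimit (old) or xt_connlimit (new).
    mods=$(find "/lib/modules/$ver" -name '*connlimit*' 2>/dev/null)
    if [ -n "$mods" ]; then
        echo "connlimit module(s) found:"
        echo "$mods"
    else
        echo "no connlimit module under /lib/modules/$ver"
    fi
    # Userspace side: the shared object iptables dlopens for -m connlimit.
    for lib in /lib/iptables/libipt_connlimit.so /usr/lib/iptables/libipt_connlimit.so \
               /lib/xtables/libxt_connlimit.so /usr/lib/xtables/libxt_connlimit.so; do
        if [ -e "$lib" ]; then
            echo "userspace extension present: $lib"
        fi
    done
    return 0
}

if [ "${1-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh connlimit-check.sh --live` on the box. If the config reports `absent` and no module turns up while the userspace extension is present, the kernel is the missing half and no change to the iptables command line will help; the rule can only work once a kernel with the connlimit match is installed.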

