<0> Hi!
<0> I am wondering if I can I limit the connections on a router per client
<0> The clients are quite enough to add one-by-one rule for them
<1> sque, u "might" get something like that with the state module by classifying established or related packets
<2> -m connlimit
<0> yes I know connlimit
<0> but let's that you have 50 pcs at 192.168.0.0/24 and you want the router to reject all tcp connections above 500 PER CLIENT!
<0> for 1 client I would do: iptables -A FORWARD -p tcp -m connlimit --connlimit-above 500 -j REJECT --reject-with tcp-reset
<0> hmm wrong
<0> iptables -A FORWARD -p tcp -s 192.168.0.1 -m connlimit --connlimit-above 500 -j REJECT --reject-with tcp-reset
<0> let's say that we are limiting client 192.168.0.1
<0> but how can I do it for many clients? can I? or should I make a script producing one rule for each client?
<1> sque: that's why i would inspect the state module as different ips traffic can't be related to each other
<2> --connlimit-mask (this is in the man page.)
<2> sque: oh, per client, just leave OFF the --connlimit-mask and use the netmask in the -s argument.
<0> rob0, this? iptables -A FORWARD -p tcp -s 192.168.0.0/24 -m connlimit --conlimit-above 500 -j RECEJCT --reject-with tcp-reset
<0> just put subnet at source ip?
<2> Looks right to me.
<2> maybe --connlimit-mask 32
<0> damn
<0> what am I doing wrong?
<0> Connection failed. Error: No route to host
<0> * Disconnected ().
<0> * Looking up nana.irc.gr
<0> * Connecting to nana.irc.gr (194.219.155.226) port 6667...
<0> * Connection failed. Error: No route to host
<0> sry wrong paste
<0> router ~ # iptables -m connlimit --connlimit-above 500 --connlimit-mask 32 -A FORWARD -s 192.168.0.0/24 -j DROP
<0> iptables: No chain/target/match by that name
<2> is it mentioned in your man page? We just went through this with someone else, I think Debian Sarge, and it wasn't supported. "iptables -V"; not sure when connlimit was added, but I think he had 1.2.10 (and no connlimit.)
<2> It could also be that you don't have kernel support, "modprobe -v ipt_connlimit".
<0> hmm, I think I forgot to reboot the pc after the kernel recompilation :p
<0> brb
<0> rob0, what do I need in kernel for connlimit?
<0> this? CONFIG_NETFILTER_XT_MATCH_LIMIT:
<3> ah, you're using a recent 2.6 kernel
<3> no, it would have CONNLIMIT, and I think it's still the same name
<0> CONNLIMIT is not part of the kernel yet?
<3> it's still in POM
<0> i see
<0> damn never used before po'm
<0> :S
<0> I am scared :p
<3> connlimit is in base, which means it's fairly well tested
<0> I am not scared about connlimit, but about myself putting that thing in the system :p
<3> it's fairly hard to mess up, you just need kernel sources and iptables sources, and run "runme base"
<0> I have kernel sources, I have custom compiled kernel
<0> so I only need the iptables sources? and the pom ?
<3> yes
<0> danieldg, my iptables is ready for connlimit
<0> does it need to be patched too? or can I omit that
<0> connlimit v1.3.4 options:
<0> [!] --connlimit-above n match if the number of existing tcp connections is (not) above n
<0> --connlimit-mask n group hosts using mask
<3> no, it doesn't need to be patched, but the sources must be present
<0> damn
<3> why? just download and unpack
<0> I am afraid for version mess
<0> ok, I copied the tar from the distfiles directory :p
<0> danieldg, help help
<0> I ran ./runme base
<0> and when it prompted for connlimit I pressed Y
<0> and:
<0> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
<0> unable to find ladd slot in src /tmp/pom-7291/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/Makefile.ladd)
<0> -----------------------------------------------------------------
<0> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
<3> oh. The kernel shifted stuff around
<0> what should I do now? :S
<0> i don't have 2.6.11
<3> just a sec
<0> I have 2.6.16
<0> (it's not vanilla source, its the gentoo-sources)
<3> it's broken on any kernel which has xtables
<3> edit pom/patchlets/connlimit/linux-2.6.11/net/ipv4/netfilter/Makefile.ladd
<3> change "obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o" to "obj-$(CONFIG_IP_NF_MATCH_OWNER) += ipt_owner.o"
<4> danieldg: that doesn't look right
<3> maxine: xtables
<4> xtables is in 2.6.16, a merging of modules between IPv4 and IPv6 version of iptables. It is *not* auto-selected by make oldconfig, you need to go select it manually. It should be transparent except for badly written scripts that insist on modprobing modules manually, or bugs in module autoloading
<0> so?
<4> hmmm... so is a needle pulling thread
<0> what I should do?
<3> change the first line in that thread
<4> danieldg: that doesn't look right
<3> maxine: shut up
<4> danieldg: sorry...
<3> change the first line in that file
<4> danieldg: that doesn't look right
<0> I am ready to answer any question for my setup and usage in case it is useful
<3> it should work after you change that file
<0> compile != work
<0> :p
<3> true
<3> ah, it may need another patch
<0> ????
<0> I already patched, selected at config, and now I am compiling kernel
<3> look at the warnings on this module
<0> CC net/ipv4/netfilter/ipt_connlimit.o
<0> net/ipv4/netfilter/ipt_connlimit.c:211: warning: initialization from incompatible pointer type
<0> net/ipv4/netfilter/ipt_connlimit.c:212: warning: initialization from incompatible pointer type
<0> only this
<3> yep. That's a problem, at least the first one
<0> (I compiled statically)
<3> add "unsigned int protoff," after "int offset," in the match function of net/ipv4/netfilter/ipt_connlimit.c
<0> omg
<0> too brutal patching :p
<3> well, I could make a patchfile ... ;)
<3> that would only cause a problem if you had kmalloc fail or an invalid ct state
<3> both of which shouldn't happen, but they'll fail better than accessing some random memory address
<0> match(const struct sk_buff *skb,
<0> const struct net_device *in,
<0> const struct net_device *out,
<0> const void *matchinfo,
<0> int offset,
<0> unsigned int protof,
<0> int *hotdrop)
<0> ok now?
<3> yes
<0> I think it's time to select it as module...
<3> I always select everything iptables-related as a module
<0> I already have one warning
<0> net/ipv4/netfilter/ipt_connlimit.c:213: warning: initialization from incompatible pointer type
<3> what's on line 213, just curious?
<0> static struct ipt_match connlimit_match = {
<0> .name = "connlimit",
<0> .match = &match,
<0> .checkentry = &check,
<0> .destroy = &destroy,
<0> .me = THIS_MODULE
<0> };
<0> .checkentry. is 213
<3> hmm. Not sure if it's needed to change it, but it might be better
<0> change to what?
<4> sque: that doesn't look right
<0> maxine, what doesn't look right?
<4> bugger all, i dunno, sque
<3> maxine: what are you
<4> i am the bot? or a pocket calculator
<0> I feel like I am in the wrong way
<0> but what else can I do?
<0> maxine, what are you
<4> i think i am the bot? or a pocket calculator
<0> :|
<3> http://daniel.6dns.org/misc/connlimit.patch
<3> sque: try that patch to ipt_connlimit.c
<0> I wasn't able to find the file you asked for.
<0> If you think this is a mistake on my part, email me and I'll fix it.
<0> the url
<3> oops
Return to #iptables