<0> oops
<0> forgot to hit enter :/
<1> :p
<1> ern how do I patch?
<1> I only know to diff :p
<0> patch < that file
<0> in net/ipv4/netfilter as current directory
<1> patching file ipt_connlimit.c
<1> Hunk #1 FAILED at 131.
<1> Hunk #2 succeeded at 164 (offset 1 line).
<1> Hunk #3 succeeded at 172 (offset 1 line).
<1> 1 out of 3 hunks FAILED -- saving rejects to file ipt_connlimit.c.rej
<0> that's because you already patched the first hunk
<1> yes
<0> it was repatching the "unsigned int protoff,
<1> that was only rejected
<1> so I am ok
<1> right?
<0> I think so.
<0> yes. It'll fail to compile otherwise
<1> I repatched an original copy
<1> and succeeded :)
<1> just to be sure
<1> lol
<1> 7 lines
<1> paste here?
<0> what seven lines
<1> net/ipv4/netfilter/ipt_connlimit.c:166: error: syntax error before "void"
<1> net/ipv4/netfilter/ipt_connlimit.c:170: warning: function declaration isn't a prototype
<1> net/ipv4/netfilter/ipt_connlimit.c: In function `check':
<1> net/ipv4/netfilter/ipt_connlimit.c:171: error: `matchinfo' undeclared (first use in this function)
<1> net/ipv4/netfilter/ipt_connlimit.c:171: error: (Each undeclared identifier is reported only once
<1> net/ipv4/netfilter/ipt_connlimit.c:171: error: for each function it appears in.)
<1> net/ipv4/netfilter/ipt_connlimit.c:174: error: `e_void' undeclared (first use in this function)
<1> net/ipv4/netfilter/ipt_connlimit.c:177: error: `matchsize' undeclared (first use in this function)
<0> doh. Remove "struct" before "void"
<1> rebooting....
<1> (god help!)
<0> good luck!
<1> router ~ # iptables -A FORWARD -s 192.168.0.0/24 -m connlimit --connlimit-above 500 -j DROP
<1> iptables: Invalid argument
<0> you need a -p tcp in there
<0> check dmesg|tail
<1> :)
<1> the rule was added successfully
<1> let's see
<1> check out what your fabulous patches are working for: http://87.203.233.208/router
<1> I am trying to make a platform to administrate a router
<0> the username/password fields look good ;)
<1> danieldg, admin/123
<1> :p
<1> whatever you change doesn't affect the system... I must rerun the scripts to affect it
<0> I'm guessing you want this connlimit to keep control of 192.168.0.50?
<1> I am the 0.50
<1> the prob is that this router will end up at a net cafe
<1> and some users there fire up LimeWire, Morpheus and all the p2p clients together
<1> the result: it eats up all the resources of the modems
<1> so I want to reduce it to an acceptable limit
<1> 500 connections per PC, I think, is more than ok
<0> you might want to look at /router/st_conntrack.php, the OUT traffic looks incorrect
<0> yeah, 500 should be plenty. You could probably get away with 100
<1> yes the OUT traffic has some bugs
<1> damn... you are fast :p
<1> I want if I could make this a general platform
<1> for routers
<1> s/want/wonder
<2> http://87.203.233.208/router/router.jpg has "gateway" misspelled in the graphic.
<1> oops
<2> Another minor point, "administrate" isn't a real word according to my dictionary. "Administer."
<1> I think connlimit doesn't work!
<0> you have a DROP after the connlimit rule?
<0> maxine: show ruleset
<3> Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
<2> s/Shapping/Shaping/
<0> maxine: show ruleset =~ s/Shapping/Shaping/
<3> That doesn't contain 'Shapping'
<0> oops
<1> http://pastebin.ca/56983
<2> Shapp!
<1> lol
<1> rob0, ty man
<1> my English is not that good :p
<0> sque: well, you're accepting the connections before the connlimit rule
<0> line 10
<1> I think I am missing something from the iptables
<1> what is the final action?
<1> the one at the bottom right?
<1> it parses from the top to the bottom
<0> from top to bottom, but it stops when one matches
<0> maxine: rule order
<3> rule order is important, because rules are evaluated in order until one matches. iptables -I can be used to insert the rule at the start of a chain; iptables -A puts it at the end
<1> axa!
<2> related, established
<2> state
<2> (Just checking to see if Max knew those.)
<0> maxine: state rule
<3> state rule is probably iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT; do the same for FORWARD and OUTPUT if you plan to filter those
<2> ah ... there it is :)
<2> Maxine is a nice lady.
<2> afk, g'night
<1> danieldg, I have a small issue
<1> (connlimit worked fine :))
<1> the conntrack system... I think something is wrong
<1> e.g.:
<1> tcp 6 431686 ESTABLISHED src=192.168.0.50 dst=213.194.0.71 sport=48449 dport=80 packets=1 bytes=40 [UNREPLIED] src=213.194.0.71 dst=192.168.1.1 sport=80 dport=48449 packets=0 bytes=0 mark=0 use=1
<1> this is a connection made by nmap, it just sent SYN
<1> but the conntrack takes it as ESTABLISHED!
<0> oh, there's an option to enable counters
<1> shouldn't it be: SYN_SENT
<1> ?
<0> hmm. Misread that
<0> normally, yes. But maybe it caught the packet in an already-established connection
<0> or did you actually just start the connection?
<1> just 1 packet?
<1> but it says 1 packet sent, 0 received
<1> check on the counters
<0> yes
<0> if it wasn't a SYN, then it won't go to SYN_SEND
<1> the result is that this connection will time out in 5 days :S
<0> you can use the conntrack userspace tool to wipe it if needed
<1> what is it called?
<1> conntrack?
<0> yes. You'll have to compile it
<0> http://www.netfilter.org/projects/conntrack/
<0> I made a perl program to control it, much easier to delete stuff
<0> http://danieldegraaf.afraid.org/info/iptables/ctview
<1> the prob is that I want to be right
<1> not having to delete a thousand entries each time
<0> set /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal to zero
<1> this connection was created by nmap -sS 213.194.130.1/16 -p 80 -T4
<1> it is just a SYN packet... but it shows it as ESTABLISHED...
<0> strange
<1> yes! something is wrong
<0> if you wanted to, you could bother the #netfilter people, they might know why this would happen
<1> I'll do
<1> :D
<1> danieldg, I tried to run your script
<1> This Perl hasn't been configured and built properly for the threads
<1> module to work. (The 'useithreads' configuration option hasn't been used.)
<1> Having threads support requires all of Perl and all of the XS modules in
<1> the Perl installation to be rebuilt, it is not just a question of adding
<1> the threads module. (In other words, threaded and non-threaded Perls
<1> are binary incompatible.
<4> hello
<0> oh. You don't have a threaded version of perl...
<0> and I use threads quite a bit in that program.
<0> what version of perl do you have?
<0> Chowmeined: hello
<4> Does anybody know why iptables would hang while I am trying to --list? It happens after I add certain rules but not others. I'm not exactly sure what is up with it
<0> Chowmeined: looking up DNS, try iptables -vnL
<0> maxine: show ruleset