Comments:
<0> hello guys. I'm getting quite big SMTP flood nowadays, and started using this rule: iptables -A INPUT -i eth0 -p tcp --dport 25 --syn -m state --state NEW -m recent --update --seconds 15 -j DROP
<0> it is quite good thing to hold down the traffic, but I would like something like --limit-burst, e.g. increase the penalty if the IP is trying more and more. Could someone help me with this?
<1> gzp: this is all very possible through the use of maybe userchains + limit + recent + (something similar to connlimit)
<0> I'm not really an expert on netfilter
<1> maybe your question belongs in #iptables?
<0> oh
<0> sorry
<1> no probs =)
<2> only one guy can be offline at a time ?-D
<3> iptables: Unknown error 4294967295
<3> I'm guessing I need to take the latest snapshot of pom-ng
<4> no, check the output of dmesg; what command triggered that?
<3> seems to happen whenever I do conntrack
<3> iptables ... -m state
<4> you have the ip_conntrack module loaded?
<3> damn, my vmware rebooted :P
<3> I think so
<3> yup
<3> it's loaded
<4> what's the exact line, and does it produce any output in dmesg?
<3> iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<3> no output in dmesg
<4> what kernel?
<3> 2.6.16
<4> ah. you have the xt_state module loaded?
<3> hmm lemme check :)
<3> ah I didn't
<3> now it works
<3> thx :)
<5> masqueraded traffic doesn't match on the INPUT filters ever, does it?
<4> no, it matches on FORWARD
<2> except if it's tunneled ;)
<4> ah, yes, of course
<2> but then it's not "masqueraded" traffic but tunneled traffic
<2> it only is regarded as "masqueraded" traffic after it enters PREROUTING again..
<5> hmm, got problems with folks using vpns ya see, which are nat-t capable, as they work when pointed over wifi/adsl box, but not thru our linux gateway.
<6> hi... I was thinking of implementing a standard protocol using netfilter hooks... but I have been told that netfilter will be deprecated.. is that true? is the new nf-hipac incompatible with that code?
<6> thx
<4> kikov: I have not heard that netfilter will be deprecated - where did you see this?
<7> netfilter is not deprecated
<8> :)
<4> didn't think so
<7> iptables might be replaced by something like nf-hipac in the future, but both use the netfilter framework
<7> things will still look a lot like they do today if/when that happens
<9> hello
<9> I can't find any doc on using the new NF_CONNTRACK
<4> that's because it's new, and I'm not sure if anyone has written any yet
<9> I suppose I don't use iptables but the new conntrack userspace tool for this?
<4> no, NF_CONNTRACK is unrelated to the conntrack userspace tool
<9> so I need to patch iptables
<4> no
<4> it works with the normal iptables binary, the only problem is you might have to manually load a module
<9> ok, but after setting a rule to ACCEPT ESTABLISHED connections, I see no packets matching the rule
<9> the counter stays at 0
<4> modprobe nf_conntrack_ipv4
<9> done
<4> now check the counters
<9> 2 admins on the host... one removed the module :-/
<9> sorry for the noise
<9> I tried with nf_conntrack_ipv6 but ip6tables requires libip6t_state.so
<4> get a new iptables binary, it has that included
<9> thanks a lot, I just got the svn source
<4> that works too
<9> have a good day
<10> is there a way i can match the next hop?
<10> ie "except if it's being forwarded to 2001:5c0:8f3e:0:1::2"
<10> but not destined for there?
<11> I doubt you can have the next-hop from the routing point of view of 2001:5c0:8f3e:0:1::2 from a client's iptables
<10> mm didn't think so
<11> mmh we're not on #iptables
<10> close enough =\