#netfilter
<0> hello guys
<0> anyone using connlimit with 2.6.15.4 + iptables-1.3.5 ?
<0> (without errors, of course)
<0> I'm getting this (from strace):
<0> setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
<0> \0\0\0"..., 5172) = -1 EINVAL (Invalid argument)
<0> write(2, "iptables: Unknown error 42949672"..., 35) = 35
<0> the command:
<0> iptables -v -A do_accept_ssh -p tcp -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset
<0> iptables output:
<0> REJECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 #conn/32 > 2 reject-with tcp-reset
<0> iptables: Unknown error 4294967295
<1> rnsanchez: working fine here, 2.6.15.4 / iptables-1.3.5 snapshot ...
<1> with connlimit ... =)
<0> hmm
<2> :) ha
<0> how have you put it into the kernel?
<0> I mean...
<1> try latest iptables snapshot ...
<0> where is the patch from?
<1> i used latest POM-ng
<0> strange
<0> I've just downloaded from svn...
<1> ftp.netfilter.org/pub/patch-o-matic-ng/snapshot
<0> ... and runme doesn't even ask for connlimit patch
<1> patch-o-matic-ng-20060224
<1> iptables-1.3.5-20060224
<0> I'll download those right away
<1> Linux version 2.6.15.4 | (gcc version 3.4.4)
<0> 3.4.5 here
<1> rnsanchez: mind you latest kernel does need latest udev / module-init-tools
<1> but that shouldn't affect what you are trying to do
<1> well compile 20060224 snapshots
<1> see how you go
<0> thanks :)
<1> np
<0> downloaded, compiling now
<1> bbiab
<0> as before, runme doesn't ask for connlimit "apply it?" patch
<0> :(
<0> it just asks about comment match
<0> well
<0> I'll compile iptables...
<0> and see what happens
<1> what ?
<1> that's crazy ?
<1> did you try applying against a fresh kernel src tree ?
<0> extracted pom-ng, ran runme
<0> it only asked about the comment patch, I selected "skip this patch", and it exited "excellent!"
<0> and there's something odd with iptables make :(
<0> Something wrong... deleting dependencies. make: *** [linux/autoconf.h] Error 1
<0> I can't trace this
<0> Considering target file `linux/autoconf.h'.
<1> ran runme with what options ?
<1> ./runme extra ?
<0> oops
<0> no options
<1> try ./runme extra
<1> hit enter twice
<0> already trying...
<1> then should be connlimit
<0> :D
<1> i just tested against a new kernel tree, worked fine here ?
<0> I'll have to wait for compilation now
<0> hmm
<0> compilation sounds odd
<0> compiling seems correct
<0> webster tells me that both are correct
<1> =P
<0> my plan is to employ connlimit to hold brute-force ssh attacks
<0> which are getting *very* common in Brasil
<0> and annoying
<0> I already throttle them with simple -m limit, but I don't want parallel probings anymore
<0> and, of course, be able to connect here even during an attack
<1> yes it's a good idea
<1> not to mention DNATing it from a different external port
<1> so silly probes don't see you as open
<1> something like 2220 or something
<0> next step: honeypots :)
<0> will test now! wee! :)
<0> BRB
<0> hard__ware: seems OK!
<0> 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2 reject-with tcp-reset
<0> (from iptables -L -v -n)
<0> nice! working like a charm!
<0> port 22: Connection refused
<0> (the 3rd ssh connection attempt!)
<0> thanks hard__ware and danieldg :)
<0> see ya
<2> ssh
<3> YEEEEEEEEES
<4> :(
<4> so finland :)
<3> :)
<4> Gandalf_: anyways congrats :)
<3> thanks
<5> Gandalf_: congrats :)
<6> hi
<6> is there a howto somewhere on how to create iptables rules from C? i don't want to fork and run iptables, just do the lib call directly....
<7> that would be the iptables hacking docs on the website
<7> http://netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO.html
<6> i'll try
<6> someone should change that to show svn instead of cvs :)
<7> i do believe it is "noted" somewhere ;)
<6> hm
<6> it seems the netfilter hacking howto is more kernel-space-oriented
<6> i need to write a small ipt_queue program that can handle SIP traffic and create DNAT rules for the RTP traffic.....
<8> Is it me or is there no way to specify the length of the queues in nfnetlink_queue ?
<6> haven't seen any......
<6> hm....
<6> how long is it?
<8> 1024
<8> I'm currently doing some bench on NUFW and I think I will need to increase it
<6> #define IPQ_QMAX_DEFAULT 1024
<6> #define IPQ_PROC_FS_NAME "ip_queue"
<6> #define NET_IPQ_QMAX 2088
<6> #define NET_IPQ_QMAX_NAME "ip_queue_maxlen"
<6> from ip_queue.c
<6> so it's possibly just to change that :)
<8> RoyK: yes that was for ip_queue, not nfnetlink_queue
<6> ah
<6> wtf is that
<6> ?
<8> nfnetlink_queue ?
<6> yeah
<8> the successor of ip_queue
<6> ah
<6> 2.6 thing?
<8> since 2.6.14
<6> or experimental?
<6> what's changed?
<8> great thing, you can have more than one queue
<8> do marking without patch
<6> hm
<6> i'm writing a SIP B2BUA with ip_queue
<6> perhaps I should use nfnetlink_queue instead?
<8> B2BUA ?
<6> back to back user agent
<8> meaning ?
<6> like a proxy, but which handles the RTP traffic as well as keeps connection data for SIP connections
<6> proxying SIP only works in a perfect world with no NAT
<6> or a hundred different NAT helpers
<6> SIP is not written for a NATed internet
<8> there was some discussion on a NAT helper yesterday on netfilter-devel ML
<6> SIP helper?
<8> RoyK: yes for NAT
<6> may you forward those to me please?
<8> no pb
<6> roy@karlsbakk.net