Re: how to use ipt_limit.o?

iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
iptables v1.2.7a: Couldn't load target `USER_CHAIN':/usr/local/lib/iptables/libipt_USER_CHAIN.so: cannot open shared object file: No such file or directory
Why?
----- Original Message ----- 
From: "Cedric Blancher" <blancher@cartel-securite.fr>
To: "Peter" <chenlf@cibn.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Monday, December 09, 2002 5:43 PM
Subject: Re: how to use ipt_limit.o?


> On Mon 09/12/2002 at 02:55, Peter wrote:
> > I am using redhat73 kernel 2.4.18-18.7
> > I want to limit number of httpd access per/client
> > I use
> > # insmod  ipt_limit.o
> > # iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
> > then I get error:
> > iptables: No chain/target/match by that name
> > Who can help me?
> 
> Your syntax is wrong, so RTFM ;)
> 
> # iptables -m limit --help
> 
> cbr@elendil:~$ sudo iptables -m limit --help
> iptables v1.2.7a
> [...]
> limit v1.2.7a options:
> --limit avg                     max average match rate: default 3/hour
>                                 [Packets per second unless followed by
>                                 /sec /minute /hour /day postfixes]
> --limit-burst number            number to match in a burst, default 5
> 
> limit match is described in Linux filtering HOWTO you can read on
> http://www.netfilter.org/.
> 
> By the way, limit match is aimed to match packets that are _under_ the
> specified (via --limit argument) limit. If you want to match packets
> over the limit, you have to modify your ruleset and introduce a user
> chain dedicated to this need until ! --limit is available.
> 
> # iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
> # iptables -A USER_CHAIN -p tcp --syn --dport http \
> -m limit --limit 4/s -j RETURN
> # iptables -A USER_CHAIN -j REJECT
> 
> So you REJECT packets over 4/s limit. There's been a thread on this
> topic earlier, you should search list archives.
> 
> -- 
> Cédric Blancher  <blancher@cartel-securite.fr>
> IT systems and networks security expert  - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
> 
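
The "Couldn't load target `USER_CHAIN'" error at the top of this message is what iptables reports when the `-j` argument is neither a built-in target, a target extension, nor an existing chain: a user chain has to be created with `-N` before any rule can jump to it. The complete sequence in working order, as an added example that is not part of either poster's message; the `IPT` dry-run wrapper, the `http_syn_limit` function name and the `-D` cleanup step are assumptions of this example.

```shell
#!/bin/sh
# Added example. By default this is a dry run that only prints the commands;
# run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
CHAIN="${CHAIN:-USER_CHAIN}"   # chain name used in the thread
RATE="${RATE:-4/s}"            # rate used in the thread

http_syn_limit() {
    # 1. Create the user chain first. If it already exists (-N fails),
    #    flush it instead so a re-run starts from an empty chain.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN" || return 1

    # 2. The limit match is true while traffic is UNDER the rate, so those
    #    packets RETURN to INPUT and continue through the normal rules.
    #    The jump rule below already selected HTTP SYNs, so no protocol
    #    match is repeated here. Note: limit counts all matching packets
    #    together, not per client address.
    $IPT -A "$CHAIN" -m limit --limit "$RATE" -j RETURN || return 1

    # 3. Whatever did not match the limit rule is over the rate.
    $IPT -A "$CHAIN" -j REJECT || return 1

    # 4. Only now hook the chain into INPUT. Delete a jump left by an
    #    earlier run first so the rule is not duplicated.
    $IPT -D INPUT -p tcp --syn --dport http -j "$CHAIN" 2>/dev/null || true
    $IPT -A INPUT -p tcp --syn --dport http -j "$CHAIN"
}

http_syn_limit
```

After applying, `iptables -L USER_CHAIN -n -v` shows the per-rule packet counters, which tells you how many SYNs were returned and how many were rejected.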

