Hi, so is there any "safer" and "supported" way to limit the number of connections per IP address?

>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>Jan Engelhardt
>Sent: Monday, March 12, 2007 12:27 AM
>To: Pascal Hambourg
>Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>
>
>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>> I can't add a connlimit rule? What's wrong? Any suggestion?
>>>
>>> -----------------------------------------
>>> iptables -m connlimit -h
>>> connlimit v1.3.7 options:
>>> [!] --connlimit-above n    match if the number of existing tcp
>>>                            connections is (not) above n
>>>     --connlimit-mask n     group hosts using mask
>>>
>>> -----------------------------------------
>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m connlimit \
>>>     --connlimit-above 300 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
>>> iptables: No chain/target/match by that name
>>
>> Your kernel probably does not support the connlimit match. The connlimit match
>> is not part of the standard kernel. It used to be included as a kernel patch in
>> the patch-o-matic-ng, but has been removed from the daily snapshots since
>> 2006/07/26.
>
>connlimit is still there (not in pomng though), it's out-of-out-off-tree,
>so to say. You have to patch pomng, and then patch the kernel *whirl* ...
>
>
>Jan
>--
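The failure quoted above has a diagnostic shape worth checking for explicitly: `iptables -m connlimit -h` succeeds, so the userspace extension (libipt_connlimit.so) is installed, yet adding the rule fails with "No chain/target/match by that name", which is the kernel refusing a match it was not built with. The script below is an added example written for this page, not code from the thread or from the netfilter project. It separates the two failure modes by the iptables 1.3.x error wording, probes support by inserting a rule into a throwaway chain (the chain name `connlimit_probe` is an assumption), and builds the per-IP limiting rule. It goes one step beyond the quoted rule by adding `--syn`: connlimit matches every packet of a host over the limit, so without `--syn` the REJECT also resets that host's already-established connections rather than only refusing new ones. With `-s 10.88.99.0/24` and `--connlimit-mask 32`, the limit applies per host within the subnet. (connlimit later entered mainline as xt_connlimit in Linux 2.6.23; on the 2.6.18 kernel in the thread it still needs the out-of-tree patch Jan describes.)

```shell
#!/bin/sh
# Added example, not from the thread: diagnose whether the connlimit match
# is usable on this box and build a per-IP connection-limit rule.
# The chain name "connlimit_probe" and the sample 10.88.99.x / 300 / 32
# values are assumptions for illustration.

# Classify the stderr of an iptables command. iptables 1.3.x prints
# "Couldn't load match" when the *userspace* extension is missing, and
# "No chain/target/match by that name" when userspace knows the match
# but the *kernel* rejects it (the case in the thread).
classify_iptables_error() {
    case "$1" in
        "")                                              echo ok ;;
        *"No chain/target/match by that name"*)          echo kernel ;;
        *"Couldn't load match"*|*"Couldn't find match"*) echo userspace ;;
        *)                                               echo unknown ;;
    esac
}

# Build the rule. --syn restricts the match to new connection attempts;
# without it, packets of the host's existing connections also match once
# it is over the limit and would be reset too.
connlimit_rule() {   # $1 = source (IP or CIDR), $2 = limit, $3 = mask bits
    printf '%s\n' "-A FORWARD -p tcp --syn -s $1 -m connlimit --connlimit-above $2 --connlimit-mask $3 -j REJECT --reject-with tcp-reset"
}

# Insert a connlimit rule into a throwaway chain and report
# ok / kernel / userspace / unknown. Needs root and iptables; cleans up.
probe_connlimit() {
    chain=connlimit_probe
    iptables -N "$chain" 2>/dev/null || return 1
    # capture stderr only: the classification keys on the error text
    err=$(iptables -A "$chain" -p tcp --syn -m connlimit --connlimit-above 1 -j DROP 2>&1 >/dev/null)
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    classify_iptables_error "$err"
}

# Usage (as root): sh connlimit_check.sh probe
if [ "${1:-}" = probe ]; then
    case "$(probe_connlimit)" in
        ok)        echo "connlimit works; example rule:"; connlimit_rule 10.88.99.0/24 300 32 ;;
        kernel)    echo "userspace extension present, but the running kernel lacks the connlimit match" ;;
        userspace) echo "iptables userspace extension for connlimit is missing" ;;
        *)         echo "could not determine connlimit support (not root, or iptables not found)" ;;
    esac
fi
```

Run it as root with the `probe` argument; a `kernel` verdict means the rule will never load until the kernel carries the connlimit match, however the userspace side looks. The probe uses `--connlimit-above 1` with DROP in a chain nothing jumps to, so it never affects live traffic.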