Hi,

Can nobody help with limiting the maximum number of connections per IP address? Is there any "supported and official" way to do that?

Mirek

>-----Original Message-----
>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>Bc. Miroslav Kopecek
>Sent: Monday, March 12, 2007 9:08 AM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>
>Hi,
> so is there any "safer" and "supported" way to limit the number of
>connections per IP address?
>
>
>>-----Original Message-----
>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>Jan Engelhardt
>>Sent: Monday, March 12, 2007 12:27 AM
>>To: Pascal Hambourg
>>Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>>
>>
>>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>>> I can't add a connlimit rule? What's wrong? Any suggestion?
>>>>
>>>> -----------------------------------------
>>>> iptables -m connlimit -h
>>>> connlimit v1.3.7 options:
>>>> [!] --connlimit-above n    match if the number of existing tcp
>>>>                            connections is (not) above n
>>>>     --connlimit-mask n     group hosts using mask
>>>>
>>>> -----------------------------------------
>>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m
>>>> connlimit --connlimit-above 300 --connlimit-mask 32 -j REJECT
>>>> --reject-with tcp-reset
>>>> iptables: No chain/target/match by that name
>>>
>>> Your kernel probably does not support the connlimit match.
>>> The connlimit match is not part of the standard kernel. It used to be
>>> included as a kernel patch in the patch-o-matic-ng, but has been removed
>>> from the daily snapshots since 2006/07/26.
>>
>>connlimit is still there (not in pomng though), it's
>>out-of-out-of-tree, so to say. You have to patch pomng, and then patch
>>the kernel *whirl* ...
>>
>>
>>Jan
>>--
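The failure in the thread is the generic "No chain/target/match by that name", which iptables prints whenever the kernel side of a match is missing. The following POSIX shell script is an added example (not from the thread or the netfilter project): it probes for a connlimit kernel module before installing the per-IP cap from the thread, and maps the two usual iptables error texts to a cause. Assumptions: the module file is named ipt_connlimit.ko (patch-o-matic era) or xt_connlimit.ko (later kernels), and the modules directory can be overridden for testing.

```shell
#!/bin/sh
# Added example: check that the connlimit match is really available before
# relying on a per-IP connection cap, so a missing kernel match is reported
# instead of silently leaving the host unprotected.

# Look for a connlimit kernel module. $1 overrides the modules directory
# (assumption: ipt_connlimit.ko or xt_connlimit.ko, possibly compressed).
kernel_has_connlimit() {
    moddir="${1:-/lib/modules/$(uname -r)}"
    find "$moddir" -name 'xt_connlimit.ko*' -o -name 'ipt_connlimit.ko*' \
        2>/dev/null | grep -q .
}

# Turn an iptables error line into a short diagnosis on stdout.
diagnose_iptables_error() {
    case "$1" in
        *"No chain/target/match by that name"*)
            echo "kernel lacks the match/target: module not built or not loaded" ;;
        *"Couldn't load match"*)
            echo "userspace extension missing: libipt_/libxt_ .so not installed" ;;
        *)
            echo "unrecognised iptables error: $1" ;;
    esac
}

# Compose the rule from the thread: reject new TCP connections from $1
# once more than $2 exist, grouped per host (--connlimit-mask 32).
connlimit_rule() {
    echo "iptables -A FORWARD -p tcp -s $1 -m connlimit --connlimit-above $2 --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
}

# Install the rule only when the module exists; otherwise explain the
# error. Returns 0 on success, 1 if iptables failed, 2 if unsupported.
apply_connlimit() {
    src="$1"; limit="$2"
    if ! kernel_has_connlimit; then
        diagnose_iptables_error "iptables: No chain/target/match by that name" >&2
        return 2
    fi
    err=$(sh -c "$(connlimit_rule "$src" "$limit")" 2>&1) && return 0
    diagnose_iptables_error "$err" >&2
    return 1
}
```

Run as root with `apply_connlimit 10.88.99.71 300`; a non-zero status with a diagnosis on stderr means the cap was not installed.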