RE: Connlimit problem k2.6.18.2 , ipt1.3.7

Yes, there are many guys helping you; think about whether you want their help.

The solution:
   1) Download your kernel and iptables sources.
   2) Apply patch-o-matic
      a) ./runme --download (connlimit is a different repository)
      b) ./runme connlimit
   3) Select the "connlimit" extension into your kernel config.
   4) Compile and install
   5) Restart using your new kernel.

If you have "iptables -m connlimit --help", then you don't need to rebuild
your iptables. The iptables connlimit extension is already included; you only
need the kernel netfilter connlimit extension.

Suggestions:
   1) Use a well-known working kernel configuration file and only enable
the connlimit extension (plus those already predefined and enabled).
   2) If you don't know how to configure/compile your kernel, this is not
the correct list to answer these questions (try the "devel" lists).
   3) The patch-o-matic "./runme --help" command can help; you'll need to
specify your kernel source and iptables source directories.
   4) connlimit (patch-o-matic) only patches the kernel; your iptables 1.3.7 is
already prepared with connlimit.
   5) All distros have their own "kernel compile process"; look for it
in your distro documentation.

Last notes:
   1) Well-known working configurations are:
      kernel 2.6.19.7 and iptables 1.3.7
      kernel 2.6.18.x and iptables 1.3.7
   2) When "connlimit" is included in the mainstream kernel there will be an
"official way"; for now, you'll need to use patch-o-matic and patch
your kernel. Take a look at http://www.netfilter.org and read all the
documentation to learn what the "official" way is.

Good luck and enjoy.

On Tue, 13 March 2007, 10:35, Bc. Miroslav Kopecek wrote:
> Hi,
>    nobody can help with limiting maximum number of connection per IP
> address?
> Is any "supported and official" way to do that?
>
> Mirek
>
>
>
>>-----Original Message-----
>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>Bc. Miroslav Kopecek
>>Sent: Monday, March 12, 2007 9:08 AM
>>To: netfilter@xxxxxxxxxxxxxxxxxxx
>>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>>
>>Hi,
>>  so is any "safer" and "supported" way to limit number of
>>connections per IP
>>address?
>>
>>
>>
>>
>>>-----Original Message-----
>>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>>Jan Engelhardt
>>>Sent: Monday, March 12, 2007 12:27 AM
>>>To: Pascal Hambourg
>>>Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>>>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>>>
>>>
>>>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>>>> I can't add connlimit rule? What's wrong? Any suggestion?
>>>>>
>>>>> -----------------------------------------
>>>>> iptables -m connlimit -h
>>>>> connlimit v1.3.7 options:
>>>>> [!] --connlimit-above n         match if the number of existing tcp
>>>>> connections is (not) above n
>>>>> --connlimit-mask n             group hosts using mask
>>>>>
>>>>> -----------------------------------------
>>>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m connlimit --connlimit-above 300 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
>>>>> iptables: No chain/target/match by that name
>>>>
>>>> Your kernel probably does not support the connlimit match. The connlimit match
>>>> is not part of the standard kernel. It used to be included as a kernel patch in
>>>> the patch-o-matic-ng, but has been removed from the daily snapshots since
>>>> 2006/07/26.
>>>
>>>connlimit is still there (not in pomng though), it's out-of-out-of-tree,
>>>so to say. You have to patch pomng, and then patch the kernel *whirl* ...
>>>
>>>
>>>Jan
>>>--
>
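The reply above boils the problem down to two halves: iptables 1.3.7 already ships the userspace connlimit extension (so "iptables -m connlimit --help" works), while the kernel half has to come from patch-o-matic (otherwise you get "No chain/target/match by that name"). The script below is an added example, my own and not code from the thread, netfilter or patch-o-matic, that automates that distinction; it assumes the kernel config symbols and module names given in its header comment.

```shell
#!/bin/sh
# Added example, not from the thread: separate "iptables lacks the connlimit
# extension" from "the kernel lacks the connlimit match", the split the reply
# above describes. Assumed names: CONFIG_IP_NF_MATCH_CONNLIMIT / ipt_connlimit
# (patch-o-matic era) and CONFIG_NETFILTER_XT_MATCH_CONNLIMIT / xt_connlimit.

# kernel_has_connlimit CONFIG_FILE MODULES_DIR: succeeds if the kernel config
# (plain or .gz, e.g. /proc/config.gz) enables the match (=y or =m) or a
# connlimit module file is installed under MODULES_DIR.
kernel_has_connlimit() {
    config="$1"; moddir="$2"
    if [ -r "$config" ]; then
        case "$config" in *.gz) reader="gzip -dc" ;; *) reader="cat" ;; esac
        $reader "$config" 2>/dev/null |
            grep -Eq '^CONFIG_(IP_NF_MATCH_CONNLIMIT|NETFILTER_XT_MATCH_CONNLIMIT)=[ym]$' &&
            return 0
    fi
    [ -d "$moddir" ] &&
        find "$moddir" \( -name 'ipt_connlimit.ko*' -o -name 'xt_connlimit.ko*' \) \
            2>/dev/null | grep -q . && return 0
    return 1
}

# userspace_has_connlimit IPTABLES_BIN: the thread's own test; the help text
# only appears when the userspace extension library is installed.
userspace_has_connlimit() {
    "$1" -m connlimit --help >/dev/null 2>&1
}

# diagnose CONFIG_FILE MODULES_DIR IPTABLES_BIN: prints a verdict followed by
# the rebuild step the reply above prescribes for that case.
diagnose() {
    if userspace_has_connlimit "$3"; then u=1; else u=0; fi
    if kernel_has_connlimit "$1" "$2"; then k=1; else k=0; fi
    case "$u$k" in
        11) echo "ok: both the iptables extension and the kernel match are present" ;;
        10) echo "kernel-missing: patch the kernel with patch-o-matic connlimit and rebuild" ;;
        01) echo "userspace-missing: rebuild iptables with the connlimit extension" ;;
        *)  echo "both-missing: patch the kernel and rebuild iptables" ;;
    esac
}

# Run the live check on this host with "--run" (default paths assumed).
if [ "${1:-}" = "--run" ]; then
    diagnose /proc/config.gz "/lib/modules/$(uname -r)" iptables
fi
```

Run it as root with `--run` on the box that rejects the rule; the "kernel-missing" verdict is the situation the thread describes.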



