Of course I want help from anybody ;-) What you wrote is actually what I need! A simple step-by-step that lets me know what I need to make connlimit work.

So if I understand, my problem is that I don't have the netfilter connlimit extension in my kernel. So I need to use the latest patch-o-matic with download, compile connlimit (which is not a standard part of it now), patch my kernel and add this extension... Am I right?

Many thanks for the help. My English is not very good, so maybe I can't express myself correctly...

Mirek

>-----Original Message-----
>From: ArcosCom Linux User [mailto:linux@xxxxxxxxxxxx]
>Sent: Tuesday, March 13, 2007 12:33 PM
>To: netfilter@xxxxxxxxxxxxxxxxxxx
>Cc: kopecek@xxxxxxxx
>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>
>Yes, there are many guys helping you; think about whether you want their help.
>
>The solution:
> 1) Download your kernel and iptables sources.
> 2) Apply patch-o-matic
>    a) ./runme --download (connlimit is a different repository)
>    b) ./runme connlimit
> 3) Select the "connlimit" extension in your kernel config.
> 4) Compile and install.
> 5) Restart using your new kernel.
>
>If you have "iptables -m connlimit --help", then you don't need to rebuild
>your iptables. The iptables connlimit extension is already included; you only
>need the kernel netfilter connlimit extension.
>
>Suggestions:
> 1) Use a well-known working kernel configuration file and only enable
>    the connlimit extension (plus what is predefined and already enabled).
> 2) If you don't know how to configure/compile your kernel, this is not
>    the correct list to answer these questions (try the "devel" lists).
> 3) The patch-o-matic "./runme --help" command can help; you'll need to
>    give it your kernel source and iptables source directories.
> 4) connlimit (patch-o-matic) only patches the kernel; your iptables 1.3.7
>    already comes with connlimit.
> 5) All distros have their own "kernel compile process"; look for it
>    in your distro documentation.
>
>Last notes:
> 1) Well-known working configurations are:
>    kernel 2.6.19.7 and iptables 1.3.7
>    kernel 2.6.18.x and iptables 1.3.7
> 2) When "connlimit" is included in the mainstream kernel, there will be an
>    "official way"; for now, you'll need to use patch-o-matic and patch
>    your kernel. Take a look at http://www.netfilter.org and read all the
>    documentation to learn what the "official" way is.
>
>Good luck and enjoy.
>
>On Tue, 13 March 2007, 10:35, Bc. Miroslav Kopecek wrote:
>> Hi,
>> can nobody help with limiting the maximum number of connections per IP
>> address?
>> Is there any "supported and official" way to do that?
>>
>> Mirek
>>
>>>-----Original Message-----
>>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>>Bc. Miroslav Kopecek
>>>Sent: Monday, March 12, 2007 9:08 AM
>>>To: netfilter@xxxxxxxxxxxxxxxxxxx
>>>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>>>
>>>Hi,
>>> so is there any "safer" and "supported" way to limit the number of
>>>connections per IP address?
>>>
>>>>-----Original Message-----
>>>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>>>Jan Engelhardt
>>>>Sent: Monday, March 12, 2007 12:27 AM
>>>>To: Pascal Hambourg
>>>>Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>>>>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>>>>
>>>>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>>>>> I can't add a connlimit rule? What's wrong? Any suggestion?
>>>>>>
>>>>>> -----------------------------------------
>>>>>> iptables -m connlimit -h
>>>>>> connlimit v1.3.7 options:
>>>>>> [!] --connlimit-above n    match if the number of existing tcp
>>>>>>                            connections is (not) above n
>>>>>>     --connlimit-mask n     group hosts using mask
>>>>>>
>>>>>> -----------------------------------------
>>>>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m
>>>>>> connlimit --connlimit-above 300 --connlimit-mask 32 -j REJECT
>>>>>> --reject-with tcp-reset
>>>>>> iptables: No chain/target/match by that name
>>>>>
>>>>> Your kernel probably does not support the connlimit match. The connlimit
>>>>> match is not part of the standard kernel. It used to be included as a
>>>>> kernel patch in patch-o-matic-ng, but has been removed from the daily
>>>>> snapshots since 2006/07/26.
>>>>
>>>>connlimit is still there (not in pomng though), it's out-of-out-of-tree,
>>>>so to say. You have to patch pomng, and then patch the kernel *whirl* ...
>>>>
>>>>
>>>>Jan
>>>>--
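The diagnosis the thread arrives at is that "No chain/target/match by that name" with a working `iptables -m connlimit -h` means the userspace extension is present but the running kernel lacks the match. The script below is an added example, not code from any message in the thread: it checks the kernel's own list of loaded xtables matches (`/proc/net/ip_tables_matches`, one match name per line) before trying to add the rule, and builds the rule with the options shown in the quoted `-h` output. The `--syn` qualifier is my addition (so only new connections above the limit are reset, not packets of already-open ones); the file path argument and the sample `/proc` contents used for testing are assumptions.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): detect whether the running
# kernel offers the connlimit match, then build the per-host limit rule.

# kernel_has_match NAME [MATCHES_FILE]
# 0 if NAME appears in the kernel's xtables match list, 1 if it does not,
# 2 if the list cannot be read. MATCHES_FILE defaults to the real /proc
# file; a different path is accepted so the check can be tested offline.
kernel_has_match() {
    name=$1
    file=${2:-/proc/net/ip_tables_matches}
    [ -r "$file" ] || return 2
    grep -qx "$name" "$file"
}

# connlimit_status [MATCHES_FILE]
# Prints one of: ok, kernel-missing, unknown.
# "kernel-missing" is the situation in the thread: iptables knows the match,
# the kernel does not, so the kernel needs the patch-o-matic connlimit patch.
connlimit_status() {
    file=${1:-/proc/net/ip_tables_matches}
    if kernel_has_match connlimit "$file"; then
        echo ok
    elif [ ! -r "$file" ]; then
        echo unknown
    else
        echo kernel-missing
    fi
}

# connlimit_rule SRC LIMIT [MASK]
# Prints the iptables command that resets new TCP connections from SRC once
# more than LIMIT are open, counted per MASK (32 = each host on its own,
# 24 = whole /24 shares one budget). Only options from the -h output above
# are used; --syn is an assumption added here so existing flows are not reset.
connlimit_rule() {
    src=$1
    limit=$2
    mask=${3:-32}
    printf 'iptables -A FORWARD -p tcp --syn -s %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$src" "$limit" "$mask"
}

# Usage on the router, as root:  sh connlimit-check.sh --apply 10.88.99.71 300
if [ "${1:-}" = "--apply" ]; then
    status=$(connlimit_status)
    if [ "$status" != ok ]; then
        echo "connlimit match not available in the running kernel ($status);" >&2
        echo "patch the kernel with patch-o-matic's connlimit first." >&2
        exit 1
    fi
    eval "$(connlimit_rule "$2" "$3")"
fi
```

Running the status check first turns the opaque "No chain/target/match by that name" into a clear statement of which side (kernel or userspace) is missing the extension, which is the whole content of the reply above.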