On Tue, 13 March 2007, 12:48, Bc. Miroslav Kopecek wrote:
> Of course I want help of anybody ;-)
>
> What you wrote is actually what I need! Simple step by step which let me
> know, what I need to make connlimit works.
>
> So If I understand, my problem is, that I don't have netfilter connlimit
> extension in my kernel. So I need to use latest patch-o-magic with download
> and compile connlimit (which is not standard part of it now) patch my kernel
> and add this extension... Am I right?

Yes. Patch your kernel and configure it for use "connlimit" extension.

> Many thanks for help. My English is not very well, so maybe I can't express
> myself correctly...
> Mirek
>
>>-----Original Message-----
>>From: ArcosCom Linux User [mailto:linux@xxxxxxxxxxxx]
>>Sent: Tuesday, March 13, 2007 12:33 PM
>>To: netfilter@xxxxxxxxxxxxxxxxxxx
>>Cc: kopecek@xxxxxxxx
>>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>>
>>Yes, there are many guys helping you, think if you want their help.
>>
>>The solution:
>> 1) Download your kernel and iptables sources.
>> 2) Apply patch-o-matic
>>    a) ./runme --download (connlimit is different repository)
>>    b) ./runme connlimit
>> 3) Select the "connlimit" extension into your kernel config.
>> 4) Compile and install
>> 5) Restart using your new kernel.
>>
>>If you have "iptables -m connlimit --help", then you don't need to rebuild
>>your iptables. The iptables connlimit extension is included already, you only
>>need kernel netfilter connlimit extension.
>>
>>Suggestions:
>> 1) Use a well known working kernel configuration file and only enable
>>the connlimit extension (plus the predefined and already enabled ones).
>> 2) If you don't know how to configure/compile your kernel, this is not
>>the correct list to answer these questions (try "devel's lists").
>> 3) Patch-o-matic "./runme --help" command can help and you'll need to
>>put your kernel source and iptables source directories.
>> 4) connlimit (patch-o-matic) only patches kernel, your iptables 1.3.7 is
>>already prepared with connlimit.
>> 5) All distros have their own "kernel compile process", look for it
>>in your distro documentation.
>>
>>Last notes:
>> 1) Well known working configurations are:
>>      kernel 2.6.19.7 and iptables 1.3.7
>>      kernel 2.6.18.x and iptables 1.3.7
>> 2) When "connlimit" is included into main stream kernel, there will be an
>>"official way", for now, you'll need to use patch-o-matic and patch
>>your kernel. Take a look into http://www.netfilter.org and read all the
>>documentation to learn what is the "official" way.
>>
>>Good luck and enjoy.
>>
>>On Tue, 13 March 2007, 10:35, Bc. Miroslav Kopecek wrote:
>>> Hi,
>>> nobody can help with limiting maximum number of connection per IP
>>> address?
>>> Is any "supported and official" way to do that?
>>>
>>> Mirek
>>>
>>>>-----Original Message-----
>>>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>>>Bc. Miroslav Kopecek
>>>>Sent: Monday, March 12, 2007 9:08 AM
>>>>To: netfilter@xxxxxxxxxxxxxxxxxxx
>>>>Subject: RE: Connlimit problem k2.6.18.2 , ipt1.3.7
>>>>
>>>>Hi,
>>>> so is any "safer" and "supported" way to limit number of connections per IP
>>>>address?
>>>>
>>>>>-----Original Message-----
>>>>>From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
>>>>>[mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
>>>>>Jan Engelhardt
>>>>>Sent: Monday, March 12, 2007 12:27 AM
>>>>>To: Pascal Hambourg
>>>>>Cc: netfilter@xxxxxxxxxxxxxxxxxxx
>>>>>Subject: Re: Connlimit problem k2.6.18.2 , ipt1.3.7
>>>>>
>>>>>On Mar 11 2007 18:14, Pascal Hambourg wrote:
>>>>>>> I can't add connlimit rule? What's wrong? Any suggestion?
>>>>>>>
>>>>>>> -----------------------------------------
>>>>>>> iptables -m connlimit -h
>>>>>>> connlimit v1.3.7 options:
>>>>>>> [!] --connlimit-above n      match if the number of existing tcp
>>>>>>>                              connections is (not) above n
>>>>>>>     --connlimit-mask n       group hosts using mask
>>>>>>>
>>>>>>> -----------------------------------------
>>>>>>> RouterBM:/home/kopecek# iptables -A FORWARD -p tcp -s 10.88.99.71 -m
>>>>>>> connlimit --connlimit-above 300 --connlimit-mask 32 -j REJECT --reject-with
>>>>>>> tcp-reset
>>>>>>> iptables: No chain/target/match by that name
>>>>>>
>>>>>> Your kernel probably does not support the connlimit match. The connlimit match
>>>>>> is not part of the standard kernel. It used to be included as a kernel patch in
>>>>>> the patch-o-matic-ng, but has been removed from the daily snapshots since
>>>>>> 2006/07/26.
>>>>>
>>>>>connlimit is still there (not in pomng though), it's out-of-out-off-tree,
>>>>>so to say. You have to patch pomng, and then patch the kernel *whirl* ...
>>>>>
>>>>>Jan
>>>>>--
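A preflight script for the advice in this thread (check userspace with "iptables -m connlimit --help", then check the kernel, then build the per-host rule), added here as an example and not code from anyone in the thread. It assumes you pass the kernel config file path yourself (e.g. /boot/config-$(uname -r)); the option names CONFIG_IP_NF_MATCH_CONNLIMIT (patch-o-matic era) and CONFIG_NETFILTER_XT_MATCH_CONNLIMIT (later mainline) are assumptions.

```shell
#!/bin/sh
# Added example: tell apart "iptables lacks connlimit" from "kernel lacks
# connlimit", the two causes of "No chain/target/match by that name".

# Return 0 if the given kernel config enables the connlimit match,
# built-in (y) or module (m). Both option names are assumptions.
connlimit_in_config() {
    grep -Eq '^CONFIG_(IP_NF_MATCH_CONNLIMIT|NETFILTER_XT_MATCH_CONNLIMIT)=(y|m)$' "$1"
}

# Return 0 if the iptables userspace binary knows the connlimit match
# (the check suggested in the thread).
connlimit_in_iptables() {
    iptables -m connlimit --help >/dev/null 2>&1
}

# Print the rule from the thread for a given source, limit and mask.
# Arguments are validated so a typo cannot yield a rule that limits the
# wrong thing (mask 32 = per host, a smaller mask = per subnet).
connlimit_rule() {
    src=$1; above=$2; mask=$3
    case "$above" in ''|*[!0-9]*) echo "bad limit: $above" >&2; return 1;; esac
    case "$mask" in ''|*[!0-9]*) echo "bad mask: $mask" >&2; return 1;; esac
    [ "$mask" -le 32 ] || { echo "mask must be 0-32" >&2; return 1; }
    printf 'iptables -A FORWARD -p tcp -s %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$src" "$above" "$mask"
}

# Run both checks against the config file given as $1 and say what to fix.
diagnose() {
    if ! connlimit_in_iptables; then
        echo "iptables userspace lacks connlimit: rebuild iptables"; return 1
    fi
    if ! connlimit_in_config "$1"; then
        echo "kernel config lacks connlimit: apply patch-o-matic and enable it"; return 2
    fi
    echo "connlimit available in both userspace and kernel"
}
```

Run it as `diagnose /boot/config-$(uname -r)` on the router; if it passes, the output of `connlimit_rule 10.88.99.71 300 32` is the rule to apply.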