Why iptables can't match multiple modules (tcp, hashlimit)

Hi,
I have a problem with iptables.

My system (Fedora 13, kernel 2.6.38.8) with iptables v1.4.11.1 can't
match multiple extension modules (-m tcp, -m hashlimit).
The iptables rule is the following:
  iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 --tcp-flags SYN SYN \
    -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 500 --hashlimit-mode srcip \
    --hashlimit-name Syn_Svc1 -j DROP

The test packets are generated by the following command (50 HTTP SYN
packets per second for 10 seconds):
# hping -n 192.168.2.222 -i u20000 -p 80 -S -c 500

[Env]
hping (192.168.2.1)  <-->  iptables system (192.168.2.200)  <-->  web server (192.168.2.222)

I see the following result:
iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 1519 packets, 62760 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 tcpflags: 0x02/0x02 limit: above 10/sec burst 500 mode srcip

Sometimes it detects some packets, but not the exact number.
But another system (Fedora 13, kernel 2.6.33.3-85) detected them exactly.
I don't know the difference between the two systems
(I diffed the "sysctl -a" output and lsmod).

Why can't iptables match multiple modules?
What's wrong? What should I do?

Help me!!
I'll provide any data you want to see.

thx
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
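The rule in the mail is three matches ANDed together: the protocol/port check, the `-m tcp --tcp-flags SYN SYN` check, and `-m hashlimit --hashlimit-above ... --hashlimit-burst 500 --hashlimit-mode srcip`. iptables evaluates matches in order, so hashlimit only ever sees packets that already passed the earlier matches, and it only matches (and the packet is only dropped) once the per-source token bucket has been drained. The block below is an added example, not code from the original post or from netfilter: it models xt_hashlimit as an idealized per-srcip token bucket (`burst` tokens, refilled at `rate` per second, one token per packet, no refund when the bucket is empty; the kernel keeps integer credit per hash key in the same spirit) and replays a synthetic packet trace shaped like the hping run from the mail (500 SYNs, one every 20000 us). The packet layout, the `Packet`/`HashlimitAbove`/`rule_matches` names and the timestamps are assumptions made for the example. Under this model the 500 packets never drain a burst of 500 (each packet costs one token and refills 0.2), so the rule counts zero matches; the same trace against a burst of 10 matches most of the flood, which is the kind of check worth running on a rule before blaming the match stack.

```python
"""Added example (not from the original post or from netfilter): an idealized
model of the PREROUTING rule in the mail, i.e. the AND of three matches
(-p tcp --dport 80, -m tcp --tcp-flags SYN SYN, -m hashlimit ... --hashlimit-above)
evaluated over a synthetic packet trace shaped like the hping run.

Assumption: xt_hashlimit is modelled as a per-srcip token bucket holding `burst`
tokens, refilled at `rate` tokens per second, one token per packet, and no
refund when the bucket is empty. Time is in microseconds and credit in
micro-tokens so the arithmetic is exact integer math.
"""
from collections import namedtuple

# Constructed packet representation for the example (not a netfilter type).
Packet = namedtuple("Packet", "t_us src dport flags")

SYN = 0x02
ACK = 0x10
MICRO = 1_000_000  # micro-tokens per token


class HashlimitAbove:
    """Model of --hashlimit-above RATE/sec --hashlimit-burst BURST --hashlimit-mode srcip."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # refill: rate micro-tokens per microsecond
        self.cap = burst * MICRO          # a full bucket, in micro-tokens
        self.cost = MICRO                 # one token per packet
        self.buckets = {}                 # srcip -> (credit, last_seen_us)

    def matches(self, pkt):
        """True when the packet exceeds the limit (i.e. the 'above' match hits)."""
        credit, last = self.buckets.get(pkt.src, (self.cap, pkt.t_us))
        credit = min(self.cap, credit + (pkt.t_us - last) * self.rate)
        if credit >= self.cost:
            credit -= self.cost           # within limit: spend a token, no match
            above = False
        else:
            above = True                  # bucket empty: match, credit left untouched
        self.buckets[pkt.src] = (credit, pkt.t_us)
        return above


def rule_matches(pkt, hl):
    """-p tcp -m tcp --dport 80 --tcp-flags SYN SYN -m hashlimit ... -j DROP

    Matches are evaluated in order and short-circuit, so the hashlimit bucket is
    only touched by packets that already passed the port and flag checks.
    """
    if pkt.dport != 80:
        return False
    if pkt.flags & SYN != SYN:            # --tcp-flags SYN SYN: mask SYN, require SYN set
        return False
    return hl.matches(pkt)


def hping_trace(src, count, interval_us, dport=80, flags=SYN):
    """Constructed trace for: hping -i u<interval_us> -p <dport> -S -c <count>."""
    return [Packet(i * interval_us, src, dport, flags) for i in range(count)]


def run_rule(trace, rate_per_sec, burst):
    """Replay a trace through the rule; returns (matched, passed), like the pkts counter."""
    hl = HashlimitAbove(rate_per_sec, burst)
    matched = sum(1 for p in trace if rule_matches(p, hl))
    return matched, len(trace) - matched


if __name__ == "__main__":
    # 500 SYNs at 50/s for 10 s, as in the mail's hping command.
    trace = hping_trace("192.168.2.1", count=500, interval_us=20000)
    print("rate 10/sec, burst 500:", run_rule(trace, 10, 500))
    print("rate 10/sec, burst 10: ", run_rule(trace, 10, 10))
```

The `-x` flag on `iptables -nvL` shows exact counters, and `/proc/net/ipt_hashlimit/Syn_Svc1` shows the live credit per source on a real system; both are the quickest way to confirm whether the bucket for the sending host ever reaches zero during a test run.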
