[HELP] iptables per host controls
Hi, I'd like to filter SYN packets with a rate limit (-m limit --limit 1/s) only if they come from the same "dynamic_IP". For example: if ten hosts try to connect to my webserver in the same second and ipfilter has the SYN limit set to 1/s, nine of the connection requests will be dropped by the firewall... I'd like ipfilter to start dropping SYN packets at a rate of 1/s ONLY if the source IP of the SYN packet is the SAME. Obviously I can't make a rule for EVERY IP trying to SYN-flood my webserver? Any ideas? Thanks in advance!
Zeus
connlimit section of iptables manpage
Can limiting the number of simultaneous connections per IP address solve your problem, as described in the connlimit section of the iptables manpage?
connlimit module question
Hi, thank you for pointing me in the right direction.
I still need help.
Googling about the connlimit module, I've discovered it's not part of the 'standard' Debian kernel distribution,
and this explains why I got this error:
# iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
iptables: No chain/target/match by that name
Somewhere, advanced users suggest patching the kernel via patch-o-matic.
I've never used this tool (I came from BSD+ipfw); could someone point me to a step-by-step tutorial for doing this?
Thanks in advance
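The two approaches discussed in this thread, as an added example rather than anything posted by the participants: the global `-m limit` rule from the question next to a per-source `hashlimit` rule, plus the `connlimit` cap from the reply. It assumes a modern iptables where `hashlimit` and `connlimit` ship as standard match extensions (no patch-o-matic); port 80 and the rates are constructed sample values.

```shell
#!/bin/sh
# Added example: global vs. per-source SYN rate limiting with iptables.
# Assumption: iptables with the hashlimit and connlimit match extensions available.
set -eu

# The rule from the question: ONE token bucket shared by every source, so ten
# clients sending one SYN each in the same second compete for a single token.
global_syn_rules() {          # $1=port $2=rate $3=burst
    echo "iptables -A INPUT -p tcp --syn --dport $1 -m limit --limit $2 --limit-burst $3 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --syn --dport $1 -j DROP"
}

# Per-source variant: hashlimit keeps a separate bucket per source IP (mode srcip),
# so only a source that exceeds the rate on its own gets its excess SYNs dropped.
per_source_syn_rules() {      # $1=port $2=rate $3=burst
    echo "iptables -A INPUT -p tcp --syn --dport $1 -m hashlimit --hashlimit-mode srcip --hashlimit-name syn_per_src --hashlimit-above $2 --hashlimit-burst $3 -j DROP"
}

# The connlimit alternative from the reply: cap concurrent connections per source.
per_source_connlimit_rule() { # $1=port $2=max concurrent connections
    echo "iptables -A INPUT -p tcp --syn --dport $1 -m connlimit --connlimit-above $2 -j REJECT --reject-with tcp-reset"
}

# Return 0 when this iptables build knows the named match extension.
# (With the extension missing, loading a rule fails with the
# "No chain/target/match by that name" error seen in the thread.)
have_match() {
    command -v iptables >/dev/null 2>&1 && iptables -m "$1" --help >/dev/null 2>&1
}

# Print the per-source ruleset; with APPLY=1 (as root) execute it instead.
emit_ruleset() {              # $1=port
    rules=$(per_source_syn_rules "$1" 1/s 4; per_source_connlimit_rule "$1" 20)
    if [ "${APPLY:-0}" = 1 ]; then
        echo "$rules" | while read -r line; do sh -c "$line"; done
    else
        echo "$rules"
    fi
}

emit_ruleset 80
```

Running it without `APPLY=1` only prints the rules, so it can be reviewed on any host; the constructed burst of 4 lets a legitimate client open a few connections at once before the per-source limit bites.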