On 10/10/06, Sagi Bashari <[EMAIL PROTECTED]> wrote:
On 10/10/06, Amos Shapira <[EMAIL PROTECTED]> wrote:
On 10/10/06, Sagi Bashari <[EMAIL PROTECTED]> wrote:
I'm looking for a way to prevent such an attack at a higher level, before it even reaches Apache. I found an iptables module named connlimit/iplimit that is supposed to do just that, but it seems the official kernels do not support it and there's a serious lack of information about it.
connlimit seems to be indeed just the thing for you. Why do you think that official kernels don't support it? I have it on my system as part of the Debian Etch standard iptables package.
What do you get when you try the examples in the manual page, for example?
I have iptables v1.2.11 on my Debian Sarge setup. It seems like it supports connlimit, but there's nothing in the manpage about it. I do get the connlimit options when running 'iptables -m connlimit -h'.
Problem is, when trying to add some actual iptables connlimit rule, I get an error:
[EMAIL PROTECTED]:~# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
iptables: No chain/target/match by that name
[EMAIL PROTECTED]:~#
From what I understood this is because the kernel itself lacks the connlimit module. According to the packages.debian.org file search, even -unstable kernels don't ship with this module.
You don't need the kernel's support - this module should be automatically loaded by iptables as required.
What does "dpkg -L iptables | grep connlimit" give you?
On my (unused) sarge partition I see /lib/iptables/libipt_connlimit.so which is just the file you need.
The error message seems not to be about the iptables module but about something else.
What does "iptables -L" give you? Have you tried to drop the --reject-with part just to see if it helps?
[EMAIL PROTECTED]:~# dpkg -L iptables | grep connlimit
/lib/iptables/libipt_connlimit.so
[EMAIL PROTECTED]:~# ls -l /lib/iptables/libipt_connlimit.so
-rw-r--r-- 1 root root 3396 2004-12-02 02:38 /lib/iptables/libipt_connlimit.so
[EMAIL PROTECTED]:~#
'iptables -L' initially shows an empty set of rules (test box)
[EMAIL PROTECTED]:~# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j REJECT
iptables: No chain/target/match by that name
[EMAIL PROTECTED]:~# iptables -A INPUT -p tcp --dport 80 -j REJECT
[EMAIL PROTECTED]:~#
So it does work without the connlimit option.
Also, iptables does have the connlimit options, so it seems like it did load the module:
[EMAIL PROTECTED]:~# iptables -m connlimit -h|grep connlimit
connlimit v1.2.11 options:
[!] --connlimit-above n match if the number of existing tcp connections is (not) above n
--connlimit-mask n group hosts using mask
[EMAIL PROTECTED]:~#
Sagi
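An added example in POSIX sh, not code from the thread, that encodes the diagnosis the two messages converge on: the userspace extension /lib/iptables/libipt_connlimit.so can be present while the kernel has no connlimit match registered, and that is exactly the case in which iptables prints "No chain/target/match by that name". It assumes /proc/net/ip_tables_matches as the kernel's list of registered matches and feeds the functions a constructed listing instead of reading the real file.

```shell
#!/bin/sh
# Added example, not from the thread: tell "userspace extension present, kernel
# match missing" (the situation in this thread) apart from other connlimit failures.

# Return 0 when the match named in $1 appears in a listing of kernel-registered
# matches read from stdin. On a live system the listing comes from
# /proc/net/ip_tables_matches (assumed path; present on 2.6-era and later kernels).
kernel_has_match() {
    grep -qx "$1" -
}

# Return 0 when the userspace extension library for match $1 exists under the
# iptables library directory $2 (e.g. /lib/iptables, as shown in the thread).
userspace_has_match() {
    [ -r "$2/libipt_$1.so" ]
}

# Map an iptables error line to a cause. The text seen in the thread,
# "No chain/target/match by that name", is what iptables prints when the kernel
# rejects a match that the userspace side already parsed successfully.
classify_error() {
    case "$1" in
        *"No chain/target/match by that name"*) echo kernel-match-missing ;;
        *"Couldn't load match"*)                echo userspace-extension-missing ;;
        *)                                      echo other ;;
    esac
}

# Print the rule from the thread only if the kernel can honour it; otherwise say why.
# $1 = port, $2 = connection limit, stdin = match listing.
plan_connlimit_rule() {
    if kernel_has_match connlimit; then
        echo "iptables -A INPUT -p tcp --dport $1 -m connlimit --connlimit-above $2 -j REJECT --reject-with tcp-reset"
    else
        echo "connlimit not registered in kernel: load ipt_connlimit or use a kernel built with it"
        return 1
    fi
}

# Constructed sample listing standing in for /proc/net/ip_tables_matches on a
# kernel without connlimit, like the Sarge kernel in the thread.
SAMPLE_WITHOUT='tcp
udp
state
limit'

printf '%s\n' "$SAMPLE_WITHOUT" | plan_connlimit_rule 80 3 || true
classify_error 'iptables: No chain/target/match by that name'
```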