* connlimit problem
From: kamil kapturkiewicz @ 2004-03-29 14:02 UTC (permalink / raw)
To: netfilter
Hi,
after running kernel 2.4.25 with connlimit from the latest pom there are lots of:
kernel: ipt_connlimit: Oops: invalid ct state ?
in syslog.
I tried to find a solution on Google, but I can't find an answer on what to do with this.
Can anyone help me? Please ;)
* connlimit problem
From: Robert Czechonski @ 2004-07-14 9:37 UTC (permalink / raw)
To: netfilter
Hello
I have kernel 2.4.25 and iptables 1.2.11. When I typed:
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 80 -j REJECT
The system responded:
iptables v1.2.11: no command specified
Try `iptables -h' or 'iptables --help' for more information.
Can anyone tell me what I did wrong?
--
Robert
* Re: connlimit problem
From: Antony Stone @ 2004-07-14 10:00 UTC (permalink / raw)
To: netfilter
On Wednesday 14 July 2004 10:37 am, Robert Czechonski wrote:
> Hello
> I have kernel 2.4.25 and iptables 1.2.11. When I typed:
>
> iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 80 -j
> REJECT
>
> The system responded:
>
> iptables v1.2.11: no command specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> Anyone can tell me what did I wrong?
Sure. You forgot to tell iptables where you wanted to place the rule. You
have to specify "-I <chain>" or "-A <chain>" where <chain> is one of INPUT,
OUTPUT or FORWARD.
I would assume you meant to put this rule in your INPUT or FORWARD chains,
considering what it does.
Regards,
Antony.
--
"The problem with television is that the people must sit and keep their eyes
glued on a screen; the average American family hasn't time for it."
- New York Times, following a demonstration at the 1939 World's Fair.
Please reply to the list;
please don't CC me.
* Re: connlimit problem
From: Sven Schuster @ 2004-07-14 10:02 UTC (permalink / raw)
To: Robert Czechonski; +Cc: netfilter
Hi Robert,
On Wed, Jul 14, 2004 at 11:37:06AM +0200, Robert Czechonski told us:
> Hello
> I have kernel 2.4.25 and iptables 1.2.11. When I typed:
>
> iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 80 -j REJECT
try iptables -A INPUT ....
or -A OUTPUT ....
or -A FORWARD ....
depending on which chain you want to append this rule to (looking at
your example, probably INPUT??). Or use
iptables -I <chainname> <number> ....
to insert the rule at rule number <number>
in the chain.
HTH
Sven
>
> The system responded:
>
> iptables v1.2.11: no command specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> Anyone can tell me what did I wrong?
> --
>
> Robert
>
--
Linux zion 2.6.8-rc1 #3 Mon Jul 12 22:38:00 CEST 2004 i686 athlon i386 GNU/Linux
11:59:01 up 1 day, 13:16, 2 users, load average: 0.02, 0.04, 0.01
* Connlimit problem
From: Omar Garcia @ 2005-01-26 14:26 UTC (permalink / raw)
To: netfilter
Hi list,
I am trying to configure a transparent bridge with QoS.
I have a Pentium computer with two network cards, kernel 2.6.8 with IMQ, WRR, IPP2P and other patches.
The problem is when I try to include the following rule:
iptables -A PREROUTING -t mangle -m connlimit --connlimit-above 100 -j DROP
If I try it in two steps, I confirm that the connlimit module is installed:
BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
iptables v1.2.11: You must specify `--connlimit-above'
Try `iptables -h' or 'iptables --help' for more information.
BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit --connlimit-above 12 -j DROP
iptables: No chain/target/match by that name
Any idea????
Thanks in advance.
Regards
* Re: Connlimit problem
From: Omar Garcia @ 2005-01-26 15:04 UTC (permalink / raw)
To: Samuel Díaz García; +Cc: netfilter
No effect, the same response.
# iptables -t filter -A FORWARD -m connlimit --connlimit-above 100 -j DROP
iptables: No chain/target/match by that name
# iptables -t filter -A OUTPUT -m connlimit --connlimit-above 100 -j DROP
iptables: No chain/target/match by that name
----- Original Message -----
From: "Samuel Díaz García" <samueldg@arcoscom.com>
To: "Omar Garcia" <omar.garcia@fractalia.biz>
Sent: Wednesday, January 26, 2005 3:57 PM
Subject: Re: Connlimit problem
> It is working in the "filter" table, not in mangle.
>
> Try it, I think connlimit is only for filters.
>
> Tell us.
>
> --
> Samuel Díaz García
> Director Gerente
> ArcosCom Wireless, S.L.L.
>
> mailto:samueldg@arcoscom.com
> http://www.arcoscom.com
> móvil: 651 93 72 48
> tlfn/fax: 956 70 13 15
>
* Re: Connlimit problem
From: Samuel Jean @ 2005-01-26 15:42 UTC (permalink / raw)
To: Omar Garcia; +Cc: netfilter
On Wed, January 26, 2005 9:26 am, Omar Garcia said:
> Hi list,
Hi Omar!
> [...]
> If i tried in two steps, i confirm that the module connlimit is installed:
>
> BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
> iptables v1.2.11: You must specify `--connlimit-above'
> Try `iptables -h' or 'iptables --help' for more information.
This doesn't confirm that it is. This only tests the iptables 'module',
which I will call an extension library.
>
>
> BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
> --connlimit-above 12 -j DROP
> iptables: No chain/target/match by that name
This means the kernel module (called ipt_connlimit) is not loadable or
compiled at all.
> Any idea????
Yes, patch your kernel or enable this module.
If unsure:
lsmod | grep ipt_connlimit
No result? Then 'modprobe ipt_connlimit'
It works ? Then make sure it properly registered against netfilter:
cat /proc/net/ip_tables_matches | grep connlimit
>
> Thanks in advange.
>
> Regards
>
HTH,
Samuel
* Re: Connlimit problem
From: Omar Garcia @ 2005-01-26 15:59 UTC (permalink / raw)
To: netfilter
Hi all!!
Thanks!!
Now I know that the module isn't compiled. (cat /proc/net/......)
I had patched the kernel source with POMng but for some reason the connlimit
patch didn't apply. I am recompiling a new kernel and patching it from scratch.
Thanks, I'll post my progress.
Regards.
* Re: Connlimit problem
From: Samuel Jean @ 2005-01-26 16:00 UTC (permalink / raw)
To: Omar Garcia; +Cc: netfilter, samueldg
On Wed, January 26, 2005 10:04 am, Omar Garcia said:
>
> No effect, the same responsed.
>
> # iptables -t filter -A FORWARD -m connlimit --connlimit-above 100 -j DROP
> iptables: No chain/target/match by that name
>
> # iptables -t filter -A OUTPUT -m connlimit --connlimit-above 100 -j DROP
> iptables: No chain/target/match by that name
To add to my previous post, if you compiled the connlimit code into the
kernel, then only:
cat /proc/net/ip_tables_matches
can tell you whether it is properly loaded or not.
>
>
> ----- Original Message -----
> From: "Samuel Díaz García" <samueldg@arcoscom.com>
> To: "Omar Garcia" <omar.garcia@fractalia.biz>
> Sent: Wednesday, January 26, 2005 3:57 PM
> Subject: Re: Connlimit problem
>
>
>> It is working in "filter" table, not in mangle.
>>
>> Try it, I think connlimit is only for filters.
>>
>> Say us.
Samuel:
A match-type module is valid for any table. Only the
hook matters, as some modules can't filter in some situations.
Example: the mac match can't filter in the OUTPUT or POSTROUTING chains.
What may have confused you is that a target-type module cares
about the table.
>>
>> --
>> Samuel Díaz García
>> Director Gerente
>> ArcosCom Wireless, S.L.L.
>>
>> mailto:samueldg@arcoscom.com
>> http://www.arcoscom.com
>> móvil: 651 93 72 48
>> tlfn/fax: 956 70 13 15
>>
I like your name 8)
HTH,
Samuel
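The checks Samuel gives in this reply and in his 15:42 one (lsmod, modprobe, then /proc/net/ip_tables_matches as the only test that also covers a built-in connlimit), as an added Python example that is not code from the thread. It also maps the two iptables error strings Omar quoted to the layer that produced them. The proc paths are real; the sample file contents are constructed, and the module name is a parameter because newer kernels call it xt_connlimit.

```python
"""Decide which layer is missing when `iptables -m connlimit` is rejected:
the userspace extension (iptables error text), the kernel module
(/proc/modules, which is what lsmod reads) or registration with netfilter
(/proc/net/ip_tables_matches).  Added example; sample texts are constructed."""
import os

PROC_MATCHES = "/proc/net/ip_tables_matches"   # the file named in the thread
PROC_MODULES = "/proc/modules"                 # lsmod prints this file

# Constructed samples in the real one-name-per-line / lsmod row formats.
SAMPLE_MATCHES_OK = "tcp\nudp\nicmp\nstate\nconnlimit\n"
SAMPLE_MATCHES_MISSING = "tcp\nudp\nicmp\nstate\nconnmark\n"
SAMPLE_MODULES = (
    "ipt_connlimit 3456 1 - Live 0xe0a12000\n"
    "ip_tables 20480 2 ipt_connlimit,iptable_filter, Live 0xe0a00000\n"
)


def classify_iptables_error(stderr_text: str) -> str:
    """Map the two error messages quoted in the thread to the layer that failed."""
    if "You must specify `--connlimit-above'" in stderr_text:
        return "userspace-extension-ok"   # the iptables extension library parsed the rule
    if "No chain/target/match by that name" in stderr_text:
        return "kernel-match-missing"     # the kernel has no match of that name registered
    return "unknown"


def match_registered(matches_text: str, name: str = "connlimit") -> bool:
    """/proc/net/ip_tables_matches lists one registered match name per line."""
    return any(line.strip() == name for line in matches_text.splitlines())


def module_loaded(modules_text: str, module: str = "ipt_connlimit") -> bool:
    """Each /proc/modules row starts with the module name."""
    return any(line.split()[:1] == [module] for line in modules_text.splitlines())


NEXT_STEP = {
    "registered": "match is usable; a failing rule has another cause",
    "not-loaded": "modprobe the module; if that fails the kernel was built without it",
    "loaded-but-not-registered": "module listed but match absent; check dmesg for the load error",
}


def diagnose(matches_text, modules_text, name="connlimit", module="ipt_connlimit"):
    """Registration is checked first because it is the only test that also
    covers connlimit compiled into the kernel rather than as a module."""
    if match_registered(matches_text, name):
        return "registered"
    if module_loaded(modules_text, module):
        return "loaded-but-not-registered"
    return "not-loaded"


def live_diagnose(name="connlimit", module="ipt_connlimit"):
    """Run the same logic against the real proc files; None when they are absent."""
    if not (os.path.exists(PROC_MATCHES) and os.path.exists(PROC_MODULES)):
        return None
    with open(PROC_MATCHES) as f, open(PROC_MODULES) as g:
        status = diagnose(f.read(), g.read(), name, module)
    return status, NEXT_STEP[status]


if __name__ == "__main__":
    print(live_diagnose() or "proc files not present: not a Linux host with ip_tables loaded")
```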
* connlimit problem
From: Jean-Philippe Menil @ 2011-09-09 8:02 UTC (permalink / raw)
To: netfilter
Hi,
I am trying to limit the connections per IP with connlimit in addition to the
socket match, with the following rule:
$IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m socket -m connlimit --connlimit-above 0 -j DIVERT
But as you can see, these rules never match:
0 0 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:80flags: 0x17/0x02 socket #conn src/32 > 1
9 3030 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:80 socket
5 216 TPROXY tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
0 0 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:3128flags: 0x17/0x02 socket #conn src/32 > 1
6 2491 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:3128 socket
19 800 TPROXY tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
Is this an expected behaviour, or a problem in my rules?
Regards
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
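An added example, not code from the thread, that parses the `iptables -nvL` counter listing above and reports the rules whose packet counter is still zero, which is what the poster is reading off by eye. The rows are the poster's, re-joined where the mail client wrapped them; the "Chain" and column-header rows and the target-less sample are constructed to mirror real -nvL output.

```python
"""Parse `iptables -nvL` output and list rules that have never matched.
Added example; see the constants for what is taken from the thread."""
import re
from dataclasses import dataclass

# The poster's rows (re-joined); the first two header rows are constructed.
LISTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:80flags: 0x17/0x02 socket #conn src/32 > 1
    9  3030 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:80 socket
    5   216 TPROXY tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
    0     0 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:3128flags: 0x17/0x02 socket #conn src/32 > 1
    6  2491 DIVERT tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:3128 socket
   19   800 TPROXY tcp -- * * 192.168.100.0/24 0.0.0.0/0 tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
"""

# Constructed: a rule added without -j, for which iptables leaves the target column blank.
TARGETLESS_SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0        tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
"""

PROTOS = {"all", "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"}
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def counter(token: str) -> int:
    """iptables abbreviates large counters (e.g. 3030K, base 1000) unless -x is given."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    target: str
    proto: str
    opt: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str          # match and target options exactly as iptables prints them

    def dport(self):
        m = re.search(r"dpt:(\d+)", self.extra)
        return int(m.group(1)) if m else None

    def uses(self, match: str) -> bool:
        # connlimit prints itself as '#conn src/<prefix> > N'; socket prints 'socket'
        token = "#conn" if match == "connlimit" else match
        return token in self.extra.split()


def parse_listing(text: str):
    rules, chain = [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            chain = fields[1]
            continue
        if fields[0] == "pkts":                 # column-header row
            continue
        if len(fields) > 2 and fields[2] in PROTOS:   # blank target column: shift right
            fields.insert(2, "")
        if len(fields) < 9:
            raise ValueError("unexpected row: %r" % line)
        pkts, nbytes, target, proto, opt, in_if, out_if, src, dst = fields[:9]
        rules.append(Rule(chain, counter(pkts), counter(nbytes), target, proto,
                          opt, in_if, out_if, src, dst, " ".join(fields[9:])))
    return rules


def never_matched(rules):
    """Rules whose packet counter is zero since the last counter reset."""
    return [r for r in rules if r.pkts == 0]


if __name__ == "__main__":
    for r in never_matched(parse_listing(LISTING)):
        print("%s: never hit -> %s %s" % (r.chain, r.target, r.extra))
```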
* Re: connlimit problem
From: Pandu Poluan @ 2011-09-09 8:55 UTC (permalink / raw)
To: jean-philippe.menil; +Cc: netfilter
I think it's because the PREROUTING table has no concept of connection
(conntrack has not started yet), so the number of connection(s) stays
at zero.
Of course, I might be wrong. Someone please CMIIW.
Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
• LOPSA Member #15248
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
* Re: connlimit problem
From: Jan Engelhardt @ 2011-09-09 9:07 UTC (permalink / raw)
To: Pandu Poluan; +Cc: jean-philippe.menil, netfilter
On Friday 2011-09-09 10:55, Pandu Poluan wrote:
>I think it's because the PREROUTING table has no concept of connection
>(conntrack has not started yet), so the number of connection(s) stays
>at zero.
>
>Of course, I might be wrong. Someone please CMIIW.
Indeed your assessment is false.
* Re: connlimit problem
From: Jozsef Kadlecsik @ 2011-09-09 9:12 UTC (permalink / raw)
To: Jean-Philippe Menil; +Cc: netfilter
On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
> I try to limit the connection per ip with connlimit in addition to the socket
> match, with the following rule:
> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m socket
> -m connlimit --connlimit-above 0 -j DIVERT
> Is this an expected behaviour, or a problem in my rules?
You use the socket match from the PREROUTING chain, where it'll never
match: it's before routing, so the system could not associate the
packet to a socket yet.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: connlimit problem
From: Jean-Philippe Menil @ 2011-09-09 9:21 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
On 09/09/2011 11:12, Jozsef Kadlecsik wrote:
> You use the socket match from the PREROUTING chain, where it'll never
> match: it's before routing, so the the system could not associate the
> packet to a socket yet.
OK, I see.
So, if my understanding is correct, it would be better to do it like this:
$IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket -j DIVERT
$IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50080
$IPTABLES -t mangle -N DIVERT
$IPTABLES -t mangle -A DIVERT -j MARK --set-mark 1
$IPTABLES -t mangle -A DIVERT -m connlimit --connlimit-above 2 -j LOG --log-prefix "CONNLIMIT "
$IPTABLES -t mangle -A DIVERT -m connlimit ! --connlimit-above 2 -j ACCEPT
Regards.
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
* Re: connlimit problem
From: Jozsef Kadlecsik @ 2011-09-09 9:22 UTC (permalink / raw)
To: Jean-Philippe Menil; +Cc: netfilter
On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
> Ok, i see.
> So, if my understand is correct, it will be better to do like this:
>
> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket -j
^^^^^^^^^^ ^^^^^^^^^
Here again....
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: connlimit problem
From: Jean-Philippe Menil @ 2011-09-09 9:25 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
On 09/09/2011 11:22, Jozsef Kadlecsik wrote:
>> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket -j
> ^^^^^^^^^^ ^^^^^^^^^
> Here again....
>
> Best regards,
> Jozsef
No, it's working as expected.
I have just followed the documentation in:
Documentation/networking/tproxy.txt
Regards.
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
* Re: connlimit problem
From: Jozsef Kadlecsik @ 2011-09-09 9:33 UTC (permalink / raw)
To: Jean-Philippe Menil; +Cc: netfilter
On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
> No, it's working as expected.
> I have just followed the documentation in:
> Documentation/networking/tproxy.txt
OK, the socket match not only checks but also looks up the matching sockets. So
it does indeed work from the PREROUTING chain.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary