connlimit problem

All of lore.kernel.org
 help / color / mirror / Atom feed

* connlimit problem
@ 2004-03-29 14:02 kamil kapturkiewicz
  0 siblings, 0 replies; 17+ messages in thread
From: kamil kapturkiewicz @ 2004-03-29 14:02 UTC (permalink / raw)
  To: netfilter

hi

after run kernel 2.4.25 with connlimit from latest pom there is lots of:

kernel: ipt_connlimit: Oops: invalid ct state ?

in syslog.

i try to find solve in google, but i cant find answer what to do whit this.

can anyone help me ? please ;)

^ permalink raw reply	[flat|nested] 17+ messages in thread

* connlimit problem
@ 2004-07-14  9:37 Robert Czechonski
  2004-07-14 10:00 ` Antony Stone
  2004-07-14 10:02 ` Sven Schuster
  0 siblings, 2 replies; 17+ messages in thread
From: Robert Czechonski @ 2004-07-14  9:37 UTC (permalink / raw)
  To: netfilter

Hello
I have kernel 2.4.25 and iptables 1.2.11. When I typed:

iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 80 -j REJECT

The system pesponded:

iptables v1.2.11: no command specified
Try `iptables -h' or 'iptables --help' for more information.

Anyone can tell me what did I wrong?
-- 

Robert



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2004-07-14  9:37 Robert Czechonski
@ 2004-07-14 10:00 ` Antony Stone
  2004-07-14 10:02 ` Sven Schuster
  1 sibling, 0 replies; 17+ messages in thread
From: Antony Stone @ 2004-07-14 10:00 UTC (permalink / raw)
  To: netfilter

On Wednesday 14 July 2004 10:37 am, Robert Czechonski wrote:

> Hello
> I have kernel 2.4.25 and iptables 1.2.11. When I typed:
>
> iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 80 -j
> REJECT
>
> The system responded:
>
> iptables v1.2.11: no command specified
> Try `iptables -h' or 'iptables --help' for more information.
>
> Anyone can tell me what did I wrong?

Sure.   You forget to tell iptables where you wanted to place the rule.   You 
have to specify "-I <chain>" or "-A <chain>" where <chain> is one of INPUT, 
OUTPUT or FORWARD.

I would assume you meant to put this rule in your INPUT or FORWARD chains, 
considering what it does.

Regards,

Antony.

-- 
"The problem with television is that the people must sit and keep their eyes 
glued on a screen; the average American family hasn't time for it."

 - New York Times, following a demonstration at the 1939 World's Fair.

                                                     Please reply to the list;
                                                           please don't CC me.



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2004-07-14  9:37 Robert Czechonski
  2004-07-14 10:00 ` Antony Stone
@ 2004-07-14 10:02 ` Sven Schuster
  1 sibling, 0 replies; 17+ messages in thread
From: Sven Schuster @ 2004-07-14 10:02 UTC (permalink / raw)
  To: Robert Czechonski; +Cc: netfilter

[-- Attachment #1: Type: text/plain, Size: 932 bytes --]


Hi Robert,

On Wed, Jul 14, 2004 at 11:37:06AM +0200, Robert Czechonski told us:
> Hello
> I have kernel 2.4.25 and iptables 1.2.11. When I typed:
> 
> iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 80 -j REJECT

try iptables -A INPUT   ....
or           -A OUTPUT  ....
or           -A FORWARD ....

depending on which chain you want this rule to append to (looking at
your example, probably INPUT??). Or use

iptables -I <chainname> <number> ....

to insert the rule at rule number <number>
in the chain.


HTH

Sven

> 
> The system pesponded:
> 
> iptables v1.2.11: no command specified
> Try `iptables -h' or 'iptables --help' for more information.
> 
> Anyone can tell me what did I wrong?
> -- 
> 
> Robert
> 

-- 
Linux zion 2.6.8-rc1 #3 Mon Jul 12 22:38:00 CEST 2004 i686 athlon i386 GNU/Linux
 11:59:01  up 1 day, 13:16,  2 users,  load average: 0.02, 0.04, 0.01

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Connlimit problem
@ 2005-01-26 14:26 Omar Garcia
       [not found] ` <41F7AFBE.8080509@arcoscom.com>
  2005-01-26 15:42 ` Samuel Jean
  0 siblings, 2 replies; 17+ messages in thread
From: Omar Garcia @ 2005-01-26 14:26 UTC (permalink / raw)
  To: netfilter

Hi list,

I try to configurate a transparent bridge with QoS
I have a pentium computer with two network cards, kernel 2.6.8 with IMQ,WRR,IPP2P and other more patched.

The problem is when i try to include the following rule:

 iptables -A PREROUTING -t mangle -m connlimit --connlimit-above 100 -j DROP

If i tried in two steps, i confirm that the module connlimit is installed:

BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
    iptables v1.2.11: You must specify `--connlimit-above'
    Try `iptables -h' or 'iptables --help' for more information.

    
 BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit --connlimit-above 12 -j DROP
     iptables: No chain/target/match by that name
Any idea????

Thanks in advange.

Regards

^ permalink raw reply	[flat|nested] 17+ messages in thread

[parent not found: <41F7AFBE.8080509@arcoscom.com>]

* Re: Connlimit problem
       [not found] ` <41F7AFBE.8080509@arcoscom.com>
@ 2005-01-26 15:04   ` Omar Garcia
  2005-01-26 16:00     ` Samuel Jean
  0 siblings, 1 reply; 17+ messages in thread
From: Omar Garcia @ 2005-01-26 15:04 UTC (permalink / raw)
  To: Samuel Díaz García; +Cc: netfilter


No effect, the same responsed.

# iptables -t filter -A FORWARD -m connlimit --connlimit-above 100 -j DROP
iptables: No chain/target/match by that name

# iptables -t filter -A OUTPUT -m connlimit --connlimit-above 100 -j DROP
iptables: No chain/target/match by that name


----- Original Message ----- 
From: "Samuel Díaz García" <samueldg@arcoscom.com>
To: "Omar Garcia" <omar.garcia@fractalia.biz>
Sent: Wednesday, January 26, 2005 3:57 PM
Subject: Re: Connlimit problem


> It is working in "filter" table, not in mangle.
>
> Try it, I think connlimit is only for filters.
>
> Say us.
>
> Omar Garcia escribió:
> > Hi list,
> >
> > I try to configurate a transparent bridge with QoS
> > I have a pentium computer with two network cards, kernel 2.6.8 with
IMQ,WRR,IPP2P and other more patched.
> >
> > The problem is when i try to include the following rule:
> >
> >  iptables -A PREROUTING -t mangle -m connlimit --connlimit-above 100 -j
DROP
> >
> > If i tried in two steps, i confirm that the module connlimit is
installed:
> >
> > BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
> >     iptables v1.2.11: You must specify `--connlimit-above'
> >     Try `iptables -h' or 'iptables --help' for more information.
> >
> >
> >  BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m
connlimit --connlimit-above 12 -j DROP
> >      iptables: No chain/target/match by that name
> > Any idea????
> >
> > Thanks in advange.
> >
> > Regards
> >
> >
>
> -- 
>     Samuel Díaz García
>      Director Gerente
> ArcosCom Wireless, S.L.L.
>
> mailto:samueldg@arcoscom.com
> http://www.arcoscom.com
> móvil: 651 93 72 48
> tlfn/fax: 956 70 13 15
>




^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: Connlimit problem
  2005-01-26 15:04   ` Omar Garcia
@ 2005-01-26 16:00     ` Samuel Jean
  0 siblings, 0 replies; 17+ messages in thread
From: Samuel Jean @ 2005-01-26 16:00 UTC (permalink / raw)
  To: Omar Garcia; +Cc: netfilter, samueldg

On Wed, January 26, 2005 10:04 am, Omar Garcia said:
>
> No effect, the same responsed.
>
> # iptables -t filter -A FORWARD -m connlimit --connlimit-above 100 -j DROP
> iptables: No chain/target/match by that name
>
> # iptables -t filter -A OUTPUT -m connlimit --connlimit-above 100 -j DROP
> iptables: No chain/target/match by that name

To add on my previous post, if you in-kernel compiled the connlimit
code, then only :

cat /proc/net/ip_tables_matches

can tell you wheter it is properly loaded or not.

>
>
> ----- Original Message -----
> From: "Samuel Díaz García" <samueldg@arcoscom.com>
> To: "Omar Garcia" <omar.garcia@fractalia.biz>
> Sent: Wednesday, January 26, 2005 3:57 PM
> Subject: Re: Connlimit problem
>
>
>> It is working in "filter" table, not in mangle.
>>
>> Try it, I think connlimit is only for filters.
>>
>> Say us.

Samuel:

A match type module is valid for any tables. Only the
hook matters as some module can't filter some situation.

Exemple: mac match can't filter into OUTPUT or POSTROUTING chains.

What maybe made you confused is that a target type module cares
about the table.

>>
>> --
>>     Samuel Díaz García
>>      Director Gerente
>> ArcosCom Wireless, S.L.L.
>>
>> mailto:samueldg@arcoscom.com
>> http://www.arcoscom.com
>> móvil: 651 93 72 48
>> tlfn/fax: 956 70 13 15
>>

I like your name 8)

HTH,

Samuel




^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: Connlimit problem
  2005-01-26 14:26 Connlimit problem Omar Garcia
       [not found] ` <41F7AFBE.8080509@arcoscom.com>
@ 2005-01-26 15:42 ` Samuel Jean
  2005-01-26 15:59   ` Omar Garcia
  1 sibling, 1 reply; 17+ messages in thread
From: Samuel Jean @ 2005-01-26 15:42 UTC (permalink / raw)
  To: Omar Garcia; +Cc: netfilter

On Wed, January 26, 2005 9:26 am, Omar Garcia said:
> Hi list,

Hi Omar!

> [...]
> If i tried in two steps, i confirm that the module connlimit is installed:
>
> BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
>     iptables v1.2.11: You must specify `--connlimit-above'
>     Try `iptables -h' or 'iptables --help' for more information.

This doesn't confirm that it is. This only tests the iptables 'module'
which I will call, an extension library.

>
>
>  BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
> --connlimit-above 12 -j DROP
>      iptables: No chain/target/match by that name

This means the kernel module (called ipt_connlimit) is not loadable or
compiled at all.

> Any idea????

Yes, patch your kernel or enable this module.

If unsure:

lsmod | grep ipt_connlimit

No result? Then 'modprobe ipt_connlimit'

It works ? Then make sure it properly registered against netfilter:

cat /proc/net/ip_tables_matches | grep connlimit

>
> Thanks in advange.
>
> Regards
>

HTH,

Samuel



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: Connlimit problem
  2005-01-26 15:42 ` Samuel Jean
@ 2005-01-26 15:59   ` Omar Garcia
  0 siblings, 0 replies; 17+ messages in thread
From: Omar Garcia @ 2005-01-26 15:59 UTC (permalink / raw)
  To: netfilter

Hi all!!

Thanks.!!
Now I know that the module isn´t compiled. (cat /proc/net/......)
I had patched kernel source with POMng but for any reason the connlimit
patch didn´t apply. I am recompiling a new kernel and patched it from zero.

Thanks, I`ll post my advances.
Regards.


----- Original Message ----- 
From: "Samuel Jean" <sj-netfilter@cookinglinux.org>
To: "Omar Garcia" <omar.garcia@fractalia.biz>
Cc: <netfilter@lists.netfilter.org>
Sent: Wednesday, January 26, 2005 4:42 PM
Subject: Re: Connlimit problem


> On Wed, January 26, 2005 9:26 am, Omar Garcia said:
> > Hi list,
>
> Hi Omar!
>
> > [...]
> > If i tried in two steps, i confirm that the module connlimit is
installed:
> >
> > BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
> >     iptables v1.2.11: You must specify `--connlimit-above'
> >     Try `iptables -h' or 'iptables --help' for more information.
>
> This doesn't confirm that it is. This only tests the iptables 'module'
> which I will call, an extension library.
>
> >
> >
> >  BridgeWall:/home/omar# iptables -A PREROUTING -t mangle -m connlimit
> > --connlimit-above 12 -j DROP
> >      iptables: No chain/target/match by that name
>
> This means the kernel module (called ipt_connlimit) is not loadable or
> compiled at all.
>
> > Any idea????
>
> Yes, patch your kernel or enable this module.
>
> If unsure:
>
> lsmod | grep ipt_connlimit
>
> No result? Then 'modprobe ipt_connlimit'
>
> It works ? Then make sure it properly registered against netfilter:
>
> cat /proc/net/ip_tables_matches | grep connlimit
>
> >
> > Thanks in advange.
> >
> > Regards
> >
>
> HTH,
>
> Samuel
>
>




^ permalink raw reply	[flat|nested] 17+ messages in thread

* connlimit problem
@ 2011-09-09  8:02 Jean-Philippe Menil
  2011-09-09  8:55 ` Pandu Poluan
  2011-09-09  9:12 ` Jozsef Kadlecsik
  0 siblings, 2 replies; 17+ messages in thread
From: Jean-Philippe Menil @ 2011-09-09  8:02 UTC (permalink / raw)
  To: netfilter

Hi,

I try to limit the connection per ip with connlimit in addition to the 
socket match, with the following rule:
$IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m 
socket -m connlimit --connlimit-above 0 -j DIVERT

But as you can see, theses rules  never match:

     0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     
0.0.0.0/0            tcp dpt:80flags: 0x17/0x02 socket #conn src/32 > 1
     9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24     
0.0.0.0/0            tcp dpt:80 socket
     5   216 TPROXY     tcp  --  *      *       192.168.100.0/24     
0.0.0.0/0            tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
     0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     
0.0.0.0/0            tcp dpt:3128flags: 0x17/0x02 socket #conn src/32 > 1
     6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24     
0.0.0.0/0            tcp dpt:3128 socket
    19   800 TPROXY     tcp  --  *      *       192.168.100.0/24     
0.0.0.0/0            tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1

Is this an expected behaviour, or a problem in my rules?

Regards

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  8:02 connlimit problem Jean-Philippe Menil
@ 2011-09-09  8:55 ` Pandu Poluan
  2011-09-09  9:07   ` Jan Engelhardt
  2011-09-09  9:12 ` Jozsef Kadlecsik
  1 sibling, 1 reply; 17+ messages in thread
From: Pandu Poluan @ 2011-09-09  8:55 UTC (permalink / raw)
  To: jean-philippe.menil; +Cc: netfilter

2011/9/9 Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>:
> Hi,
>
> I try to limit the connection per ip with connlimit in addition to the
> socket match, with the following rule:
> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m
> socket -m connlimit --connlimit-above 0 -j DIVERT
>
> But as you can see, theses rules  never match:
>
>    0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>            tcp dpt:80flags: 0x17/0x02 socket #conn src/32 > 1
>    9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>            tcp dpt:80 socket
>    5   216 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>            tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>    0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>            tcp dpt:3128flags: 0x17/0x02 socket #conn src/32 > 1
>    6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>            tcp dpt:3128 socket
>   19   800 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>            tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>
> Is this an expected behaviour, or a problem in my rules?
>

I think it's because the PREROUTING table has no concept of connection
(conntrack has not started yet), so the number of connection(s) stays
at zero.

Of course, I might be wrong. Someone please CMIIW.

Rgds,
-- 
FdS Pandu E Poluan
~ IT Optimizer ~

 • LOPSA Member #15248
 • Blog : http://pepoluan.tumblr.com
 • Linked-In : http://id.linkedin.com/in/pepoluan

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  8:55 ` Pandu Poluan
@ 2011-09-09  9:07   ` Jan Engelhardt
  0 siblings, 0 replies; 17+ messages in thread
From: Jan Engelhardt @ 2011-09-09  9:07 UTC (permalink / raw)
  To: Pandu Poluan; +Cc: jean-philippe.menil, netfilter

On Friday 2011-09-09 10:55, Pandu Poluan wrote:

>2011/9/9 Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>:
>> Hi,
>>
>> I try to limit the connection per ip with connlimit in addition to the
>> socket match, with the following rule:
>> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m
>> socket -m connlimit --connlimit-above 0 -j DIVERT
>>
>> But as you can see, theses rules  never match:
>>
>>    0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>>            tcp dpt:80flags: 0x17/0x02 socket #conn src/32 > 1
>>    9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>>            tcp dpt:80 socket
>>    5   216 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>>            tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>>    0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>>            tcp dpt:3128flags: 0x17/0x02 socket #conn src/32 > 1
>>    6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>>            tcp dpt:3128 socket
>>   19   800 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>>            tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>>
>> Is this an expected behaviour, or a problem in my rules?
>>
>
>I think it's because the PREROUTING table has no concept of connection
>(conntrack has not started yet), so the number of connection(s) stays
>at zero.
>
>Of course, I might be wrong. Someone please CMIIW.

Indeed your assessment is false.

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  8:02 connlimit problem Jean-Philippe Menil
  2011-09-09  8:55 ` Pandu Poluan
@ 2011-09-09  9:12 ` Jozsef Kadlecsik
  2011-09-09  9:21   ` Jean-Philippe Menil
  1 sibling, 1 reply; 17+ messages in thread
From: Jozsef Kadlecsik @ 2011-09-09  9:12 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:

> I try to limit the connection per ip with connlimit in addition to the socket
> match, with the following rule:
> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m socket
> -m connlimit --connlimit-above 0 -j DIVERT
> 
> But as you can see, theses rules  never match:
> 
>     0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
> tcp dpt:80flags: 0x17/0x02 socket #conn src/32 > 1
>     9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
> tcp dpt:80 socket
>     5   216 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
> tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>     0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
> tcp dpt:3128flags: 0x17/0x02 socket #conn src/32 > 1
>     6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
> tcp dpt:3128 socket
>    19   800 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
> tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
> 
> Is this an expected behaviour, or a problem in my rules?

You use the socket match from the PREROUTING chain, where it'll never 
match: it's before routing, so the the system could not associate the 
packet to a socket yet.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  9:12 ` Jozsef Kadlecsik
@ 2011-09-09  9:21   ` Jean-Philippe Menil
  2011-09-09  9:22     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 17+ messages in thread
From: Jean-Philippe Menil @ 2011-09-09  9:21 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

Le 09/09/2011 11:12, Jozsef Kadlecsik a écrit :
> On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
>
>> I try to limit the connection per ip with connlimit in addition to the socket
>> match, with the following rule:
>> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m socket
>> -m connlimit --connlimit-above 0 -j DIVERT
>>
>> But as you can see, theses rules  never match:
>>
>>      0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>> tcp dpt:80flags: 0x17/0x02 socket #conn src/32>  1
>>      9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>> tcp dpt:80 socket
>>      5   216 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>> tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>>      0     0 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>> tcp dpt:3128flags: 0x17/0x02 socket #conn src/32>  1
>>      6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>> tcp dpt:3128 socket
>>     19   800 TPROXY     tcp  --  *      *       192.168.100.0/24     0.0.0.0/0
>> tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>>
>> Is this an expected behaviour, or a problem in my rules?
> You use the socket match from the PREROUTING chain, where it'll never
> match: it's before routing, so the the system could not associate the
> packet to a socket yet.
>
> Best regards,
> Jozsef
Ok, i see.
So, if my understand is correct, it will be better to do like this:

$IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket 
-j DIVERT
$IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -j TPROXY 
--tproxy-mark 0x1/0x1 --on-port 50080

$IPTABLES -t mangle -N DIVERT
$IPTABLES -t mangle -A DIVERT -j MARK --set-mark 1
$IPTABLES -t mangle -A DIVERT -m connlimit --connlimit-above 2 -j LOG 
--log-prefix "CONNLIMIT "
$IPTABLES -t mangle -A DIVERT -m connlimit ! --connlimit-above 2 -j ACCEPT

Regards.

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  9:21   ` Jean-Philippe Menil
@ 2011-09-09  9:22     ` Jozsef Kadlecsik
  2011-09-09  9:25       ` Jean-Philippe Menil
  0 siblings, 1 reply; 17+ messages in thread
From: Jozsef Kadlecsik @ 2011-09-09  9:22 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2133 bytes --]

On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:

> Le 09/09/2011 11:12, Jozsef Kadlecsik a écrit :
> > On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
> > 
> > > I try to limit the connection per ip with connlimit in addition to the
> > > socket
> > > match, with the following rule:
> > > $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m
> > > socket
> > > -m connlimit --connlimit-above 0 -j DIVERT
> > > 
> > > But as you can see, theses rules  never match:
> > > 
> > >      0     0 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > 0.0.0.0/0
> > > tcp dpt:80flags: 0x17/0x02 socket #conn src/32>  1
> > >      9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > 0.0.0.0/0
> > > tcp dpt:80 socket
> > >      5   216 TPROXY     tcp  --  *      *       192.168.100.0/24
> > > 0.0.0.0/0
> > > tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
> > >      0     0 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > 0.0.0.0/0
> > > tcp dpt:3128flags: 0x17/0x02 socket #conn src/32>  1
> > >      6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > 0.0.0.0/0
> > > tcp dpt:3128 socket
> > >     19   800 TPROXY     tcp  --  *      *       192.168.100.0/24
> > > 0.0.0.0/0
> > > tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
> > > 
> > > Is this an expected behaviour, or a problem in my rules?
> > You use the socket match from the PREROUTING chain, where it'll never
> > match: it's before routing, so the the system could not associate the
> > packet to a socket yet.
> > 
> > Best regards,
> > Jozsef
> Ok, i see.
> So, if my understand is correct, it will be better to do like this:
> 
> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket -j
                         ^^^^^^^^^^                             ^^^^^^^^^
Here again....

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  9:22     ` Jozsef Kadlecsik
@ 2011-09-09  9:25       ` Jean-Philippe Menil
  2011-09-09  9:33         ` Jozsef Kadlecsik
  0 siblings, 1 reply; 17+ messages in thread
From: Jean-Philippe Menil @ 2011-09-09  9:25 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

Le 09/09/2011 11:22, Jozsef Kadlecsik a écrit :
> On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
>
>> Le 09/09/2011 11:12, Jozsef Kadlecsik a écrit :
>>> On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
>>>
>>>> I try to limit the connection per ip with connlimit in addition to the
>>>> socket
>>>> match, with the following rule:
>>>> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m
>>>> socket
>>>> -m connlimit --connlimit-above 0 -j DIVERT
>>>>
>>>> But as you can see, theses rules  never match:
>>>>
>>>>       0     0 DIVERT     tcp  --  *      *       192.168.100.0/24
>>>> 0.0.0.0/0
>>>> tcp dpt:80flags: 0x17/0x02 socket #conn src/32>   1
>>>>       9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24
>>>> 0.0.0.0/0
>>>> tcp dpt:80 socket
>>>>       5   216 TPROXY     tcp  --  *      *       192.168.100.0/24
>>>> 0.0.0.0/0
>>>> tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>>>>       0     0 DIVERT     tcp  --  *      *       192.168.100.0/24
>>>> 0.0.0.0/0
>>>> tcp dpt:3128flags: 0x17/0x02 socket #conn src/32>   1
>>>>       6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24
>>>> 0.0.0.0/0
>>>> tcp dpt:3128 socket
>>>>      19   800 TPROXY     tcp  --  *      *       192.168.100.0/24
>>>> 0.0.0.0/0
>>>> tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
>>>>
>>>> Is this an expected behaviour, or a problem in my rules?
>>> You use the socket match from the PREROUTING chain, where it'll never
>>> match: it's before routing, so the the system could not associate the
>>> packet to a socket yet.
>>>
>>> Best regards,
>>> Jozsef
>> Ok, i see.
>> So, if my understand is correct, it will be better to do like this:
>>
>> $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket -j
>                           ^^^^^^^^^^                             ^^^^^^^^^
> Here again....
>
> Best regards,
> Jozsef
> -
No, it's working as expected.
I have just followed the documentation in:
Documentation/networking/tproxy.txt

Regards.

-- 
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: connlimit problem
  2011-09-09  9:25       ` Jean-Philippe Menil
@ 2011-09-09  9:33         ` Jozsef Kadlecsik
  0 siblings, 0 replies; 17+ messages in thread
From: Jozsef Kadlecsik @ 2011-09-09  9:33 UTC (permalink / raw)
  To: Jean-Philippe Menil; +Cc: netfilter

[-- Attachment #1: Type: TEXT/PLAIN, Size: 2638 bytes --]

On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:

> Le 09/09/2011 11:22, Jozsef Kadlecsik a écrit :
> > On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
> > 
> > > Le 09/09/2011 11:12, Jozsef Kadlecsik a écrit :
> > > > On Fri, 9 Sep 2011, Jean-Philippe Menil wrote:
> > > > 
> > > > > I try to limit the connection per ip with connlimit in addition to the
> > > > > socket
> > > > > match, with the following rule:
> > > > > $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --syn --dport http -m
> > > > > socket
> > > > > -m connlimit --connlimit-above 0 -j DIVERT
> > > > > 
> > > > > But as you can see, theses rules  never match:
> > > > > 
> > > > >       0     0 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > > > 0.0.0.0/0
> > > > > tcp dpt:80flags: 0x17/0x02 socket #conn src/32>   1
> > > > >       9  3030 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > > > 0.0.0.0/0
> > > > > tcp dpt:80 socket
> > > > >       5   216 TPROXY     tcp  --  *      *       192.168.100.0/24
> > > > > 0.0.0.0/0
> > > > > tcp dpt:80 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
> > > > >       0     0 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > > > 0.0.0.0/0
> > > > > tcp dpt:3128flags: 0x17/0x02 socket #conn src/32>   1
> > > > >       6  2491 DIVERT     tcp  --  *      *       192.168.100.0/24
> > > > > 0.0.0.0/0
> > > > > tcp dpt:3128 socket
> > > > >      19   800 TPROXY     tcp  --  *      *       192.168.100.0/24
> > > > > 0.0.0.0/0
> > > > > tcp dpt:3128 TPROXY redirect 0.0.0.0:50080 mark 0x1/0x1
> > > > > 
> > > > > Is this an expected behaviour, or a problem in my rules?
> > > > You use the socket match from the PREROUTING chain, where it'll never
> > > > match: it's before routing, so the the system could not associate the
> > > > packet to a socket yet.
> > > > 
> > > Ok, i see.
> > > So, if my understand is correct, it will be better to do like this:
> > > 
> > > $IPTABLES -t mangle -A PREROUTING -s $LAN -p tcp --dport http -m socket -j
> >                           ^^^^^^^^^^                             ^^^^^^^^^
> > Here again....
> > 
> No, it's working as expected.
> I have just followed the documentation in:
> Documentation/networking/tproxy.txt

OK, the socket match not only checks but lookups the matching sockets. So 
it does indeed work from the PREROUTING chain.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2011-09-09  9:33 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-03-29 14:02 connlimit problem kamil kapturkiewicz
  -- strict thread matches above, loose matches on Subject: below --
2004-07-14  9:37 Robert Czechonski
2004-07-14 10:00 ` Antony Stone
2004-07-14 10:02 ` Sven Schuster
2005-01-26 14:26 Connlimit problem Omar Garcia
     [not found] ` <41F7AFBE.8080509@arcoscom.com>
2005-01-26 15:04   ` Omar Garcia
2005-01-26 16:00     ` Samuel Jean
2005-01-26 15:42 ` Samuel Jean
2005-01-26 15:59   ` Omar Garcia
2011-09-09  8:02 connlimit problem Jean-Philippe Menil
2011-09-09  8:55 ` Pandu Poluan
2011-09-09  9:07   ` Jan Engelhardt
2011-09-09  9:12 ` Jozsef Kadlecsik
2011-09-09  9:21   ` Jean-Philippe Menil
2011-09-09  9:22     ` Jozsef Kadlecsik
2011-09-09  9:25       ` Jean-Philippe Menil
2011-09-09  9:33         ` Jozsef Kadlecsik

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.