From: "Peter" <chenlf@cibn.com>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: how to use ipt_limit.o?
Date: Mon, 9 Dec 2002 17:57:16 +0800
Message-ID: <007e01c29f69$5b3c82f0$9801010a@winxp>
In-Reply-To: 1039427039.8900.11.camel@elendil.intranet.cartel-securite.net

iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
iptables v1.2.7a: Couldn't load target `USER_CHAIN':/usr/local/lib/iptables/libipt_USER_CHAIN.so: cannot open shared object file: No such file or directory

Why?

----- Original Message -----
From: "Cedric Blancher" <blancher@cartel-securite.fr>
To: "Peter" <chenlf@cibn.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Monday, December 09, 2002 5:43 PM
Subject: Re: how to use ipt_limit.o?
> On Mon 09/12/2002 at 02:55, Peter wrote:
> > I am using redhat73 kernel 2.4.18-18.7
> > I want to limit number of httpd access per/client
> > I use
> > # insmod ipt_limit.o
> > # iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
> > then I get error:
> > iptables: No chain/target/match by that name
> > Who can help me?
>
> Your syntax is wrong, so RTFM ;)
>
> # iptables -m limit --help
>
> cbr@elendil:~$ sudo iptables -m limit --help
> iptables v1.2.7a
> [...]
> limit v1.2.7a options:
> --limit avg                   max average match rate: default 3/hour
>                               [Packets per second unless followed by
>                               /sec /minute /hour /day postfixes]
> --limit-burst number          number to match in a burst, default 5
>
> limit match is described in Linux filtering HOWTO you can read on
> http://www.netfilter.org/.
>
> By the way, limit match is aimed to match packets that are _under_ the
> specified (via --limit argument) limit. If you want to match packets
> over the limit, you have to modify your ruleset and introduce a user
> chain dedicated to this need until ! --limit is available.
>
> # iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
> # iptables -A USER_CHAIN -p tcp --syn --dport http \
> -m limit --limit 4/s -j RETURN
> # iptables -A USER_CHAIN -j REJECT
>
> So you REJECT packets over 4/s limit. There's been a thread on this
> topic earlier, you should search list archives.
>
> --
> Cédric Blancher <blancher@cartel-securite.fr>
> IT systems and networks security expert - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
>
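
The three-rule USER_CHAIN ruleset quoted above, modelled as a token bucket (an added example, not part of the original thread): it shows which SYNs the limit rule RETURNs and which fall through to REJECT, and that the bucket is shared by all clients rather than kept per source. Assumptions: the chain already exists (created first with `iptables -N USER_CHAIN`), the default `--limit-burst 5` applies, and the arrival times and client addresses are constructed.

```python
"""Token-bucket model of the quoted USER_CHAIN rules (added example).

Rule 1: -m limit --limit 4/s -j RETURN   (matches while tokens remain)
Rule 2: -j REJECT                        (everything over the limit)
"""

RATE = 4.0   # --limit 4/s, from the quoted ruleset
BURST = 5    # --limit-burst default shown in the quoted help output


def run_user_chain(packets, rate=RATE, burst=BURST):
    """Return a (time, src, verdict) tuple per packet, in arrival order.

    The limit match keeps one bucket for the whole rule; src is carried
    along only to show that it plays no part in the decision.
    """
    tokens = float(burst)              # bucket starts full
    last = None
    verdicts = []
    for t, src in packets:
        if last is not None:           # refill for elapsed time, capped
            tokens = min(burst, tokens + (t - last) * rate)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append((t, src, "RETURN"))   # under the limit
        else:
            verdicts.append((t, src, "REJECT"))   # over the limit
    return verdicts


def rejected_by_source(verdicts):
    """Count REJECT verdicts per source address."""
    counts = {}
    for _, src, verdict in verdicts:
        if verdict == "REJECT":
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample: one client sends 8 SYNs at t=0, then a second
# client sends one SYN at t=0.1s and another at t=0.5s.
SAMPLE = [(0.0, "192.0.2.10")] * 8 + [(0.1, "192.0.2.20"), (0.5, "192.0.2.20")]

if __name__ == "__main__":
    for t, src, verdict in run_user_chain(SAMPLE):
        print(f"{t:4.1f}s  {src:12}  {verdict}")
    print(rejected_by_source(run_user_chain(SAMPLE)))
```

In the sample, the second client's first SYN is rejected because the first client has already drained the shared bucket.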