Linux Netfilter discussions
* how to use ipt_limit.o?
@ 2002-12-09  1:55 Peter
  2002-12-09  6:29 ` hare ram
  2002-12-09  9:43 ` Cedric Blancher
From: Peter @ 2002-12-09  1:55 UTC
  To: netfilter

I am using Red Hat 7.3, kernel 2.4.18-18.7.
I want to limit the number of httpd accesses per client.
I use:
# insmod  ipt_limit.o
# iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
Then I get the error:
iptables: No chain/target/match by that name
Who can help me?


* Re: how to use ipt_limit.o?
  2002-12-09  1:55 how to use ipt_limit.o? Peter
@ 2002-12-09  6:29 ` hare ram
  2002-12-09  9:43 ` Cedric Blancher
From: hare ram @ 2002-12-09  6:29 UTC
  To: Peter, netfilter

Did you patch the kernel with POM?
If not, read the netfilter.org p-o-m documentation.

hare
----- Original Message -----
From: "Peter" <chenlf@cibn.com>
To: <netfilter@lists.netfilter.org>
Sent: Monday, December 09, 2002 7:25 AM
Subject: how to use ipt_limit.o?


> I am using Red Hat 7.3, kernel 2.4.18-18.7.
> I want to limit the number of httpd accesses per client.
> I use:
> # insmod  ipt_limit.o
> # iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
> Then I get the error:
> iptables: No chain/target/match by that name
> Who can help me?




* Re: how to use ipt_limit.o?
  2002-12-09  1:55 how to use ipt_limit.o? Peter
  2002-12-09  6:29 ` hare ram
@ 2002-12-09  9:43 ` Cedric Blancher
  2002-12-09  9:57   ` Peter
From: Cedric Blancher @ 2002-12-09  9:43 UTC
  To: Peter; +Cc: netfilter

On Mon 09/12/2002 at 02:55, Peter wrote:
> I am using Red Hat 7.3, kernel 2.4.18-18.7.
> I want to limit the number of httpd accesses per client.
> I use:
> # insmod  ipt_limit.o
> # iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
> Then I get the error:
> iptables: No chain/target/match by that name
> Who can help me?

Your syntax is wrong, so RTFM ;)

# iptables -m limit --help

cbr@elendil:~$ sudo iptables -m limit --help
iptables v1.2.7a
[...]
limit v1.2.7a options:
--limit avg			max average match rate: default 3/hour
                                [Packets per second unless followed by 
                                /sec /minute /hour /day postfixes]
--limit-burst number		number to match in a burst, default 5

The limit match is described in the Linux filtering HOWTO, which you can read on
http://www.netfilter.org/.

By the way, the limit match is aimed at matching packets that are _under_ the
limit specified via the --limit argument. If you want to match packets
over the limit, you have to modify your ruleset and introduce a user
chain dedicated to this need until ! --limit is available.

# iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
# iptables -A USER_CHAIN -p tcp --syn --dport http \
	-m limit --limit 4/s -j RETURN
# iptables -A USER_CHAIN -j REJECT

So you REJECT packets over the 4/s limit. There's been a thread on this
topic earlier; you should search the list archives.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
IT systems and networks security expert  - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
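As an added illustration (not code from Cédric's message), the following Python model shows what the user-chain ruleset above does to a stream of SYN packets: the limit match is modelled as a token bucket of capacity --limit-burst refilled at --limit tokens per second (an assumption about how the kernel's credit-based implementation behaves), a match becomes RETURN and a non-match falls through to REJECT. Note that the limit match keeps one shared bucket for the rule, not one per client address.

```python
"""Model of the user-chain trick: '-m limit' matches packets that are
*under* the rate, so the chain RETURNs those and REJECTs everything else."""


class LimitMatch:
    """Token-bucket model of the netfilter 'limit' match (assumption: the
    kernel's credit counter behaves like a bucket of --limit-burst tokens
    refilled at --limit tokens per second)."""

    def __init__(self, rate: float, burst: int = 5):
        self.rate = rate            # --limit, in packets per second (4/s in the thread)
        self.burst = burst          # --limit-burst, default 5 per the --help output
        self.tokens = float(burst)  # bucket starts full, so an initial burst passes
        self.last = 0.0             # time of the previous packet

    def matches(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:      # a token is available: the packet is under the rate
            self.tokens -= 1.0
            return True
        return False                # bucket empty: the packet is over the rate


def user_chain(syn_times, rate=4.0, burst=5):
    """Emulate the three rules from the thread:
         iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
         iptables -A USER_CHAIN -p tcp --syn --dport http -m limit --limit 4/s -j RETURN
         iptables -A USER_CHAIN -j REJECT
    Returns one verdict ('RETURN' or 'REJECT') per SYN arrival time (seconds)."""
    limit = LimitMatch(rate, burst)
    return ["RETURN" if limit.matches(t) else "REJECT" for t in syn_times]


# Constructed sample: 8 SYNs within the first 70 ms, then one every 250 ms.
SAMPLE_SYNS = [0.00, 0.01, 0.02, 0.03, 0.04, 0.05, 0.06, 0.07, 1.00, 1.25, 1.50, 1.75]

if __name__ == "__main__":
    for t, verdict in zip(SAMPLE_SYNS, user_chain(SAMPLE_SYNS)):
        print(f"t={t:5.2f}s  {verdict}")
```

The first five SYNs of the burst pass, the next three are rejected, and once the bucket has refilled the slower stream passes again.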



* Re: how to use ipt_limit.o?
  2002-12-09  9:43 ` Cedric Blancher
@ 2002-12-09  9:57   ` Peter
  2002-12-09 10:05     ` Cedric Blancher
  2002-12-09 10:29     ` Rob Sterenborg
From: Peter @ 2002-12-09  9:57 UTC
  To: Cedric Blancher; +Cc: netfilter

iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
iptables v1.2.7a: Couldn't load target `USER_CHAIN':/usr/local/lib/iptables/libipt_USER_CHAIN.so: cannot open shared object file: No such file or directory
Why?
----- Original Message ----- 
From: "Cedric Blancher" <blancher@cartel-securite.fr>
To: "Peter" <chenlf@cibn.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Monday, December 09, 2002 5:43 PM
Subject: Re: how to use ipt_limit.o?


> On Mon 09/12/2002 at 02:55, Peter wrote:
> > I am using Red Hat 7.3, kernel 2.4.18-18.7.
> > I want to limit the number of httpd accesses per client.
> > I use:
> > # insmod  ipt_limit.o
> > # iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
> > Then I get the error:
> > iptables: No chain/target/match by that name
> > Who can help me?
> 
> Your syntax is wrong, so RTFM ;)
> 
> # iptables -m limit --help
> 
> cbr@elendil:~$ sudo iptables -m limit --help
> iptables v1.2.7a
> [...]
> limit v1.2.7a options:
> --limit avg max average match rate: default 3/hour
>                                 [Packets per second unless followed by 
>                                 /sec /minute /hour /day postfixes]
> --limit-burst number number to match in a burst, default 5
> 
> The limit match is described in the Linux filtering HOWTO, which you can read on
> http://www.netfilter.org/.
> 
> By the way, the limit match is aimed at matching packets that are _under_ the
> limit specified via the --limit argument. If you want to match packets
> over the limit, you have to modify your ruleset and introduce a user
> chain dedicated to this need until ! --limit is available.
> 
> # iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
> # iptables -A USER_CHAIN -p tcp --syn --dport http \
> 	-m limit --limit 4/s -j RETURN
> # iptables -A USER_CHAIN -j REJECT
> 
> So you REJECT packets over the 4/s limit. There's been a thread on this
> topic earlier; you should search the list archives.
> 
> -- 
> Cédric Blancher  <blancher@cartel-securite.fr>
> IT systems and networks security expert  - Cartel Sécurité
> Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
> PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
> 


* Re: how to use ipt_limit.o?
  2002-12-09  9:57   ` Peter
@ 2002-12-09 10:05     ` Cedric Blancher
  2002-12-09 10:29     ` Rob Sterenborg
From: Cedric Blancher @ 2002-12-09 10:05 UTC
  To: Peter; +Cc: netfilter

On Mon 09/12/2002 at 10:57, Peter wrote:
> iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
> iptables v1.2.7a: Couldn't load target `USER_CHAIN':/usr/local/lib/iptables/libipt_USER_CHAIN.so: cannot open shared object file: No such file or directory
> Why?

USER_CHAIN is a user chain... You have to create it before you can send
packets to it...

# iptables -N USER_CHAIN

This is basic iptables stuff, so you really should read basic iptables
documentation, as it seems quite obvious to me you did not.

-- 
Cédric Blancher  <blancher@cartel-securite.fr>
Systems and network security consultant  - Cartel Sécurité
Phone: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE  FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE



* RE: how to use ipt_limit.o?
  2002-12-09  9:57   ` Peter
  2002-12-09 10:05     ` Cedric Blancher
@ 2002-12-09 10:29     ` Rob Sterenborg
  2002-12-10  1:53       ` Peter
From: Rob Sterenborg @ 2002-12-09 10:29 UTC
  To: 'Peter', Cedric Blancher; +Cc: netfilter

> iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
> iptables v1.2.7a: Couldn't load target
> `USER_CHAIN':/usr/local/lib/iptables/libipt_USER_CHAIN.so:
> cannot open shared object file: No such file or directory
> Why?

As the name implies, USER_CHAIN is a user defined chain which is not
available if you didn't define it.

iptables -N USER_CHAIN
iptables -A USER_CHAIN -j REJECT (or something more useful)
Might help.

There is a nice iptables tutorial which explains a whole lot at:
http://iptables-tutorial.frozentux.net


Rob




* Re: how to use ipt_limit.o?
  2002-12-09 10:29     ` Rob Sterenborg
@ 2002-12-10  1:53       ` Peter
From: Peter @ 2002-12-10  1:53 UTC
  To: Rob Sterenborg, Cedric Blancher; +Cc: netfilter

Thanks, it worked.
----- Original Message ----- 
From: "Rob Sterenborg" <rsterenborg@xs4all.nl>
To: "'Peter'" <chenlf@cibn.com>; "Cedric Blancher" <blancher@cartel-securite.fr>
Cc: <netfilter@lists.netfilter.org>
Sent: Monday, December 09, 2002 6:29 PM
Subject: RE: how to use ipt_limit.o?


> > iptables -A INPUT -p tcp --syn --dport http -j USER_CHAIN
> > iptables v1.2.7a: Couldn't load target
> > `USER_CHAIN':/usr/local/lib/iptables/libipt_USER_CHAIN.so:
> > cannot open shared object file: No such file or directory
> > Why?
> 
> As the name implies, USER_CHAIN is a user defined chain which is not
> available if you didn't define it.
> 
> iptables -N USER_CHAIN
> iptables -A USER_CHAIN -j REJECT (or something more useful)
> Might help.
> 
> There is a nice iptables tutorial which explains a whole lot at:
> http://iptables-tutorial.frozentux.net
> 
> 
> Rob
> 
> 
