Saturday, April 25, 2009

recent/hitcount broken in Lenny?

Hello,

I used to rate limit the number of incoming HTTP connections in Etch,
using these iptables statements:

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --set --name HTTP

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --update --seconds 2 --hitcount 50 --name HTTP -j LOG
--log-prefix "HTTP_DoS "

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --update --seconds 2 --hitcount 50 --name HTTP -j DROP

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT


The second statement gives this in Lenny:

iptables: Invalid argument


The only way to get iptables to accept this statement is to remove the
hitcount. This works just fine:

# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m
recent --update --seconds 2 --name HTTP -j LOG --log-prefix "HTTP_DoS "

but it does not do what I need.


Any idea?

Regards,

Guillaume Tamboise


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment