Old 01-27-2011, 01:41 PM
"Helmut Drodofsky"
 
centos 5.5: iptables: module recent

Hello,
I have well performing iptables in centos 5.2 and 5.3 :
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "
Centos 5.5, updated today:

Without --hitcount: iptables accepts the line.
Including --hitcount: iptables gives an error message:
Applying iptables firewall rules: iptables-restore: line 47 failed
                                                           [FAILED]
The line number is always the number of the COMMIT statement, not the line number of the statement with the recent module. So I think iptables is missing something. What?

When I add the line interactive, the result is
[root@host sysconfig]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 18446744073709551615
The man page describes the parameter:
       [!] --seconds seconds
              This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in
              the list and was seen within the last given number of seconds.

       [!] --hitcount hits
              This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in
              the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even
              narrower match requiring a certain number of hits within a specific time frame.

Without --hitcount the rule is worthless.

Suggestions?
Many Thanks
Helmut
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-27-2011, 02:32 PM
Mário Barbosa

centos 5.5: iptables: module recent

Hi,

Helmut Drodofsky wrote:
> When I add the line interactive, the result is
>
> [root@host sysconfig]# iptables -A INPUT -m state --state NEW -m recent
> --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG
> --log-prefix "FW DROP IP Flood: "
>
> iptables: Unknown error 18446744073709551615

IIRC, you may be hitting a hard limit on the --hitcount value. I was
bitten by something similar a few months ago and ended up reducing both
the --hitcount and the --seconds value to achieve roughly the same "math".

HTH,
Mario