Hello,
I have a well-performing iptables rule in CentOS 5.2 and 5.3:
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "

CentOS 5.5, updated today:

Without --hitcount: iptables accepts the line.
Including --hitcount: iptables gives an error message:
Applying iptables firewall rules: iptables-restore: line 47 failed
                                                              [FAILED]
The line number is always the number of the COMMIT statement, not the line number of the statement with the recent module. So I think iptables is missing something. What?
When I add the line interactive, the result is
[root@host sysconfig]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 18446744073709551615

The man page describes the parameter:
       [!] --seconds seconds
              This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in
              the list and was seen within the last given number of seconds.

       [!] --hitcount hits
              This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in
              the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even
              narrower match requiring a certain number of hits within a specific time frame.

Without --hitcount the rule is worthless.

Suggestions?

Many Thanks
Helmut

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
01-27-2011, 02:32 PM
Mário Barbosa
centos 5.5: iptables: module recent
Hi,
Helmut Drodofsky wrote:
> When I add the line interactive, the result is
>
> [root@host sysconfig]# iptables -A INPUT -m state --state NEW -m recent
> --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG
> --log-prefix "FW DROP IP Flood: "
>
> iptables: Unknown error 18446744073709551615
IIRC, you may be hitting a hard limit on the --hitcount value. I was
bitten by something similar a few months ago and ended up reducing both
the --hitcount and the --seconds value to achieve roughly the same "math".
HTH,
Mario
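The following is an added example, not code from either poster. It covers both Helmut's failing rule and Mario's workaround: the recent match rejects a --hitcount above the kernel module's ip_pkt_list_tot parameter (module ipt_recent on 2.6.18-era kernels such as CentOS 5, xt_recent on later kernels; the upstream default is 20), and the old userspace reports that rejection as -1 printed as an unsigned 64-bit number, which is exactly 18446744073709551615. The script reads the cap from sysfs when available, otherwise assumes the default of 20, and rescales --hitcount/--seconds so the hits-per-second threshold stays roughly the same before emitting the rule in /etc/sysconfig/iptables format. The function names and the fallback value are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a "-m recent --hitcount" value
# against the kernel cap before it goes into iptables-restore, and scale it
# down when it is too high, as Mario's reply suggests.
#
# Assumption: the cap is the module parameter ip_pkt_list_tot of the recent
# match (ipt_recent on CentOS 5 kernels, xt_recent on later ones), default 20.

# Print the hitcount cap of the running kernel, or the upstream default 20
# when the module is not loaded or sysfs is unavailable (e.g. run offline).
recent_hitcount_cap() {
    for m in xt_recent ipt_recent; do
        f="/sys/module/$m/parameters/ip_pkt_list_tot"
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo 20
}

# scale_recent_rule HITCOUNT SECONDS CAP
# Prints "HITCOUNT SECONDS". If HITCOUNT exceeds CAP, HITCOUNT becomes CAP and
# SECONDS is rescaled so hits per second stay roughly the same (nearest whole
# second, never below 1).
scale_recent_rule() {
    hits=$1; secs=$2; cap=$3
    if [ "$hits" -le "$cap" ]; then
        echo "$hits $secs"
        return 0
    fi
    # nearest integer of cap*secs/hits, integer arithmetic only (POSIX sh)
    new_secs=$(( (2 * cap * secs + hits) / (2 * hits) ))
    if [ "$new_secs" -lt 1 ]; then
        new_secs=1
    fi
    echo "$cap $new_secs"
}

# recent_rule HITCOUNT SECONDS
# Emits the thread's LOG rule with the given thresholds in the
# /etc/sysconfig/iptables (iptables-restore) line format.
recent_rule() {
    printf '%s\n' "-A INPUT -m state --state NEW -m recent --update --seconds $2 --hitcount $1 -p tcp --dport 25 -j LOG --log-prefix \"FW DROP IP Flood: \""
}

# Demonstration on the thread's values: 1000 hits within 60 seconds.
cap=$(recent_hitcount_cap)
set -- $(scale_recent_rule 1000 60 "$cap")
echo "# --hitcount cap on this kernel: $cap"
recent_rule "$1" "$2"
# If the original thresholds are really needed, the cap itself can be raised
# by loading the module with ip_pkt_list_tot set higher, e.g. a line
# "options ipt_recent ip_pkt_list_tot=1000" in the modprobe configuration
# (assumption: the option is read before the module is loaded at boot).
```

With the default cap of 20 the script turns Helmut's "1000 hits in 60 s" (about 16.7/s) into "--hitcount 20 --seconds 1" (20/s), which is the kind of "roughly the same math" Mario describes; raising ip_pkt_list_tot instead keeps the original numbers at the cost of a larger per-address packet list in the kernel.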