Hello,
I have a well-performing iptables rule on CentOS 5.2 and 5.3:
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "
CentOS 5.5, updated today:
Without --hitcount, iptables accepts the line. With --hitcount, iptables produces an error message:
Applying iptables firewall rules: iptables-restore: line 47 failed [FAILED]
The line number is always the number of the COMMIT statement, not the line number of the statement with the recent module. So I think iptables is missing something. What?
When I add the line interactively, the result is:
[root@host sysconfig]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 18446744073709551615
The man page describes the parameters:
[!] --seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.
[!] --hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with --seconds to create an even narrower match requiring a certain number of hits within a specific time frame.
Without --hitcount the rule is worthless.
Suggestions?
Many thanks, Helmut
Hi,
Helmut Drodofsky wrote:
When I add the line interactively, the result is:
[root@host sysconfig]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 25 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 18446744073709551615
IIRC, you may be hitting a hard limit on the --hitcount value. I was bitten by something similar a few months ago and ended up reducing both the --hitcount and the --seconds value to achieve roughly the same "math".
HTH, Mario
Helmut Drodofsky wrote on Thu, 27 Jan 2011 15:41:15 +0100:
The man page describes the parameter
Well, did you Google before asking? I'm pretty sure that this topic has already been raised here (and probably elsewhere) a few times, and as far as I recall there must be a bug. I don't know if it is on the RH bugzilla.
Kai
The discussion and bug fix are from autumn 2009. May I hope it is included in the current kernel?
Helmut
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Kai Schaetzl Sent: Thursday, 27 January 2011 17:01 To: centos@centos.org Subject: Re: [CentOS] centos 5.5: iptables: module recent
Why not give the link to the Bugzilla report? I'm sure I read postings about problems with the recent module still in 2010.
Kai