[CentOS] iptables connlimit

Sun Jun 29 07:19:10 UTC 2008
Peter Riley <Peter.Riley at hotpop.com>

noro wrote:
> hi,
> 
> I tried to use iptables connlimit,
> 
> # iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16
> --connlimit-mask 24 -j DROP
> iptables: Unknown error 4294967295
> 
> Where is the problem?
> Thanks
> 
> 
> # rpm -qa | grep iptables
> iptables-1.3.5-4.el5
> 
> # uname -a
> Linux test 2.6.18-92.1.1.el5 #1 SMP Sat Jun 21 19:04:27 EDT 2008 i686
> i686 i386 GNU/Linux
> 

Hi. The problem isn't yours alone. Despite the man page, there is no
support for the iptables connlimit match in CentOS 5 nor any previous
version.

The real issue is that, due to the way RH builds iptables(*), there
have been longstanding disparities(**) between the iptables userspace
tool and the kernel. For example, in Fedora 6/RHEL 5/CentOS 5, although
there is an iptables module in /lib/iptables/libipt_connlimit.so which
supports the connlimit match in iptables, there is no corresponding
netfilter module in /lib/modules/(version)/kernel/net/ipv4/netfilter/
to handle it in the kernel.  Fedora 3/RHEL 4/CentOS 4 have the same
problem.  Other disparities exist as well.

Anyway, since there is no stock kernel support for connlimit, the
iptables module included in these distros is rather useless to you. :(

The kernel module is not included in the centosplus kernel either, so
if you really must have connlimit working on CentOS 5 there are three
options:

1. Upgrade your kernel to a newer version.

   The connlimit module finally went into mainline at kernel v2.6.23.
   http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23

   IIRC, Fedora 7 doesn't support connlimit in the kernel either,
   but Fedora 8 and 9 do.

2. Patch it and maintain your own build.

   See http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit

3. Find a pre-built module maintained elsewhere.

   I only know of one repository for RHEL4:
   http://ftp.pslib.cz/pub/users/Milan.Kerslager/RHEL-4/stable/


Please note that the CentOS team won't support non-stock kernels.


Sorry for the bad news and the long message with irrelevant details
(they're for the list archive and googlers).


Best Regards,
PWR


(*)  https://bugzilla.redhat.com/show_bug.cgi?id=191331#c8

(**) Some more examples:
     https://bugzilla.redhat.com/show_bug.cgi?id=253014
     http://linuxczar.net/wordpress/archives/67
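The userspace/kernel mismatch Peter describes is easy to detect before a rule ever fails with an opaque error. The following shell script is an added example and not code from the thread or from the CentOS or netfilter projects: it checks whether a kernel modules tree contains a connlimit netfilter module (ipt_connlimit from patch-o-matic, or xt_connlimit as merged in 2.6.23) and whether the iptables extension directory contains the matching userspace library, and reports which half is missing. Directory paths are passed as arguments so it can be exercised against constructed directories; the real-system paths at the bottom (/lib/modules/$(uname -r) and /lib/iptables, the latter taken from the thread) are assumptions about where a given distribution installs these files.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Reports whether connlimit support exists in both the kernel modules
# tree and the iptables userspace extension directory.

# has_kernel_connlimit MODDIR
# Returns 0 if an ipt_connlimit or xt_connlimit module (.ko, possibly
# compressed) exists anywhere under MODDIR.
has_kernel_connlimit() {
    find "$1" -type f \( -name 'ipt_connlimit.ko*' -o -name 'xt_connlimit.ko*' \) 2>/dev/null | grep -q .
}

# has_userspace_connlimit LIBDIR
# Returns 0 if the iptables extension library for connlimit is present
# (libipt_connlimit.so for iptables 1.3.x, libxt_connlimit.so for later
# releases that moved to xtables naming).
has_userspace_connlimit() {
    [ -e "$1/libipt_connlimit.so" ] || [ -e "$1/libxt_connlimit.so" ]
}

# connlimit_status MODDIR LIBDIR
# Prints one of: supported, userspace-only, kernel-only, absent.
# Returns 0 only when both the kernel module and the userspace library
# are present, i.e. when "-m connlimit" can actually be expected to work.
connlimit_status() {
    k=1; u=1
    has_kernel_connlimit "$1" && k=0
    has_userspace_connlimit "$2" && u=0
    if [ "$k" -eq 0 ] && [ "$u" -eq 0 ]; then
        echo supported; return 0
    elif [ "$u" -eq 0 ]; then
        echo userspace-only; return 1   # the CentOS 5 situation in the thread
    elif [ "$k" -eq 0 ]; then
        echo kernel-only; return 1
    else
        echo absent; return 1
    fi
}

# Demonstration against constructed directories that mirror the CentOS 5
# case from the thread: the userspace .so exists, no kernel module does.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/modules/kernel/net/ipv4/netfilter" "$demo_dir/iptables"
touch "$demo_dir/iptables/libipt_connlimit.so"
connlimit_status "$demo_dir/modules" "$demo_dir/iptables" || true
rm -rf "$demo_dir"

# To check a live system (assumed default paths; adjust for your distro):
#   connlimit_status "/lib/modules/$(uname -r)" /lib/iptables
```

Running the check first turns "iptables: Unknown error 4294967295" into a clear "userspace-only" answer, which is the signal to pick one of the three options above (newer kernel, patch-o-matic build, or a third-party module package) rather than debugging the rule syntax. On a live box, `modinfo xt_connlimit` or `modinfo ipt_connlimit` gives the same answer for the kernel side.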