[CentOS] iptables: hitcount
Leonard den Ottolander
leonard at den.ottolander.nl
Mon Jun 11 14:36:43 UTC 2012
Hello Helmut,
On Mon, 2012-06-11 at 11:54 +0200, Helmut Drodofsky wrote:
> up to CentOS 5.3 it was possible, to control new ip connections by
> "recent", "seconds" and "hitcount"
>
> -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
> -A INPUT -m state --state NEW -m recent --update --seconds 60
> --hitcount
> 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
> -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent
> --update --seconds 60 --hitcount 1000 -j DROP
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
> hitcount does not accept values of 25 or above:
20* on CentOS-5 afaict.
> [root at server ~]# iptables -A INPUT -m state --state NEW -m recent --set
> -p tcp --dport 80
> [root at server~]# iptables -A INPUT -m state --state NEW -m recent
> --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix
> "FW DROP IP Flood: "
> iptables: Unknown error 4294967295
I suggest you take this upstream. Apparently there are quite a few
issues between the various kernel and iptables versions and also the
different architectures.
https://bugzilla.redhat.com/show_bug.cgi?id=639026 seems to be the issue
you are experiencing.
(Note that 4294967295 = 2^32-1 and 18446744073709551615 = 2^64-1, which
makes me believe the reporter of the above bug runs on x86_64 and you're
probably running a 32 bit system. These things should be mentioned when
you report bugs as well as the CentOS and package versions you are
conducting your tests on/with.)
Try to google for
site:bugzilla.redhat.com iptables: Unknown error 4294967295
and
site:bugzilla.redhat.com iptables: Unknown error 18446744073709551615
for more related bugzilla entries.
Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
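As an added example (not from the thread, and not CentOS or netfilter project code): a POSIX sh helper that reads the xt_recent/ipt_recent module's ip_pkt_list_tot limit, which caps --hitcount at the number of packets the module remembers per source, and only emits Helmut's rate-limiting rules when the requested hitcount fits. The table name "httpflood", the fallback of 20, and the optional sysfs root argument (used for offline testing) are assumptions.

```shell
#!/bin/sh
# Added example. Assumes the recent match module exposes ip_pkt_list_tot under
# /sys/module/<module>/parameters (xt_recent on newer kernels, ipt_recent on
# older ones). Table name "httpflood" and the fallback of 20 are assumptions.

# Largest --hitcount the module can satisfy: ip_pkt_list_tot, default 20.
# Optional $1 overrides the sysfs root (lets the check run offline).
recent_max_hitcount() {
    root=${1:-/sys/module}
    for p in "$root/xt_recent/parameters/ip_pkt_list_tot" \
             "$root/ipt_recent/parameters/ip_pkt_list_tot"; do
        if [ -r "$p" ]; then cat "$p"; return 0; fi
    done
    echo 20   # kernel default when the module is not loaded or not readable
}

# Print iptables-restore style rules limiting NEW connections from one source
# to $1 per $2 seconds on TCP port $3. Optional $4 is the sysfs root.
# Returns 1 without printing rules when $1 exceeds ip_pkt_list_tot.
flood_rules() {
    hits=$1; secs=$2; port=$3
    max=$(recent_max_hitcount "$4")
    if [ "$hits" -gt "$max" ]; then
        echo "hitcount $hits exceeds ip_pkt_list_tot=$max; either lower --hitcount" >&2
        echo "or reload the module: modprobe xt_recent ip_pkt_list_tot=$hits" >&2
        return 1
    fi
    cat <<EOF
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --name httpflood --set
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --name httpflood --update --seconds $secs --hitcount $hits -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp --dport $port -m state --state NEW -m recent --name httpflood --update --seconds $secs --hitcount $hits -j DROP
-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT
EOF
}
```

On a live host, pipe the output into iptables-restore (or prefix each line with iptables) only after the check passes; a rejected hitcount is the condition that produced the "Unknown error" above.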