Hey, I am trying to run the following code (Debian 6, 32-bit, OpenVZ):
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS
But I receive:
iptables: No chain/target/match by that name.
I found out that the xt_state module needs to be enabled on the node, so my host enabled it for me :)
But I am trying to run this basic firewall:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP
And I still receive the error: iptables: No chain/target/match by that name.
I know this isn't full-blown DDoS protection, but it will deter small script kiddies. Can someone chime in and see why it's doing this? Thank you.
Edit: Is that hitcount, HTTP Requests, or just connections?
Also getting this? wtf
iptables -I INPUT -p tcp --dport 22 -i eth0 -m --state NEW -m recent --set
iptables v1.4.8: Couldn't load match `--state':/lib/xtables/libipt_--state.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Comments
cat /proc/net/ip_tables_matches
and verify that the recent module is present. By the way, what's the name of your provider? Some (OVH on their geovks) won't enable the module on the node for you.
if you're using nginx you can do some magic there too:
It looks like state is there? Shouldn't it be xt_state?
Ask your provider to load ipt_recent or xt_recent for security reasons. If they don't want to, use -m limit as an alternative.
Let's just do a simple test. Does something like this work? iptables -A INPUT -m state --state NEW -j ACCEPT
If it's working, your error is caused by something else.
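The two suggestions above (check /proc/net/ip_tables_matches for the recent match, and fall back to -m limit when the node's kernel lacks xt_recent) combined into one script. This is an added example, not code posted in the thread: the function names, the --demo switch and the two sample match-list files are constructed here so it can be exercised without root. Note that because both variants match on --state NEW, they count new TCP connection attempts per source, not individual HTTP requests.

```shell
#!/bin/sh
# Added example (not from the thread): pick the SYN rate-limit rule set the
# kernel on this OpenVZ node can actually load.
#
# "iptables: No chain/target/match by that name" means the xt_ module behind a
# -m match is not in the node's kernel, so read /proc/net/ip_tables_matches
# (the kernel's list of loaded match extensions) before choosing rules.

MATCHES_FILE="${MATCHES_FILE:-/proc/net/ip_tables_matches}"

# has_match NAME [FILE]: succeed if the named match extension is listed.
has_match() {
    _name="$1"
    _file="${2:-$MATCHES_FILE}"
    [ -r "$_file" ] && grep -qx "$_name" "$_file"
}

# build_rules PORT SECONDS HITCOUNT [FILE]: print the iptables commands to
# run, one per line, without executing anything.
# With xt_recent: a source opening more than HITCOUNT new connections to PORT
# within SECONDS is dropped (the thread's rule). HITCOUNT must not exceed the
# module's ip_pkt_list_tot parameter, which defaults to 20.
# Without it: a global -m limit token bucket at the equivalent per-minute rate;
# it cannot single out one abusive source, only cap the total SYN rate.
build_rules() {
    _port="$1"; _secs="$2"; _hits="$3"; _file="${4:-$MATCHES_FILE}"
    if has_match recent "$_file"; then
        printf '%s\n' \
          "iptables -A INPUT -p tcp --dport $_port -m state --state NEW -m recent --set --name DDOS" \
          "iptables -A INPUT -p tcp --dport $_port -m state --state NEW -m recent --update --seconds $_secs --hitcount $_hits --rttl --name DDOS -j DROP"
    else
        _per_min=$(( _hits * 60 / _secs ))
        printf '%s\n' \
          "iptables -A INPUT -p tcp --dport $_port -m state --state NEW -m limit --limit ${_per_min}/minute --limit-burst $_hits -j ACCEPT" \
          "iptables -A INPUT -p tcp --dport $_port -m state --state NEW -j DROP"
    fi
}

# rule_mode FILE: prints "recent" or "limit" for the given match list.
rule_mode() {
    if has_match recent "$1"; then echo recent; else echo limit; fi
}

# Constructed sample match lists standing in for /proc/net/ip_tables_matches
# on a node with and without xt_recent loaded.
SAMPLE_WITH=$(mktemp);    printf 'state\nrecent\nlimit\ntcp\n' > "$SAMPLE_WITH"
SAMPLE_WITHOUT=$(mktemp); printf 'state\nlimit\ntcp\n'         > "$SAMPLE_WITHOUT"
trap 'rm -f "$SAMPLE_WITH" "$SAMPLE_WITHOUT"' EXIT

if [ "${1:-}" = "--demo" ]; then
    echo "# node with xt_recent:";    build_rules 80 4 20 "$SAMPLE_WITH"
    echo "# node without xt_recent:"; build_rules 80 4 20 "$SAMPLE_WITHOUT"
fi
```

Run it with --demo to see both rule sets; on a real node drop the fourth argument so it reads the kernel's own match list, and pipe the output into sh only after reviewing it.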
Yes, that command works fine. Hmm, I'll ask them >_<.
recent is not present... M
Yeah, it doesn't do much good if they are sending high PPS to the router of your provider.
I think he knows that; in another thread he said he only wants to limit GET/POST commands to the web server, not really block packet storms. M