iptables connlimit on CentOS 5 with 2.6.32-042 kernel?

postcd Member
edited March 2017 in Help

How is it possible to make iptables connlimit work on an outdated CentOS 5.9 64-bit running on kernel 2.6.32-042 (OpenVZ)? (without doing anything with the kernel)

Kernel modules are already loaded on the host server:

$ lsmod|grep connl

xt_connlimit 3254 3

nf_conntrack 80313 14

and connlimit works on CentOS 6, not on CentOS 5 (showing: [Error: iptables: Unknown error 18446744073709551615] - Required for CONNLIMIT feature)

Installed Packages: iptables.x86_64 1.3.5-9.2.el5_8

My aim is to limit the number of connections an IP can make on port 80.

I see that there is already something like that in iptables (added by CSF):

tcp -- anywhere anywhere tcp dpt:http state NEW recent: SET name: 80 side: source

PORTFLOOD tcp -- anywhere anywhere tcp dpt:http state NEW recent: UPDATE seconds: 5 hit_count: 20 name: 80 side: source

Interesting reading: http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit
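Added example, not from the thread, from CSF or from the netfilter project: a small POSIX shell script that probes whether the local iptables userland can load the connlimit match against the running kernel (the step that fails with the "Unknown error" quoted above), and otherwise builds per-source limiting rules with the recent match, which is the same mechanism behind the CSF PORTFLOOD rules shown in the question. Assumed: the INPUT chain, a DROP target, an APPLY environment variable to switch from dry run to applying, and the thread's numbers (port 80, 20 hits within 5 seconds) as defaults. The two approaches are not equivalent: connlimit caps concurrent connections per source address, while recent caps the rate of new connections, so the fallback is an approximation, not a drop-in replacement.

```shell
#!/bin/sh
# Added example (not from the thread): pick connlimit when the userland iptables
# can talk to the kernel module, otherwise fall back to per-source rate limiting
# with the "recent" match. Rules are printed as a dry run unless APPLY=1.
# Assumptions: iptables in PATH, INPUT chain, DROP target, defaults 80/20/5.

# Probe: can this iptables load the connlimit match? On the 2.6.18-era userland
# in the thread this fails against a 2.6.32 kernel, so the caller falls back.
have_connlimit() {
    command -v iptables >/dev/null 2>&1 || return 1
    iptables -m connlimit --help >/dev/null 2>&1
}

# connlimit: drop a new TCP connection to $port once the source address already
# holds more than $max concurrent connections (counted kernel-side per /32).
connlimit_rules() {
    port=$1; max=$2
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-above $max --connlimit-mask 32 -j DROP"
}

# recent: record each new SYN per source in a named list, then drop when more
# than $hits new connections arrive from one source within $seconds.
# Same SET-then-UPDATE order as the CSF rules quoted in the question.
recent_rules() {
    port=$1; hits=$2; seconds=$3; name="port$port"
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport $port --syn -m recent --name $name --set" \
      "iptables -A INPUT -p tcp --dport $port --syn -m recent --name $name --update --seconds $seconds --hitcount $hits -j DROP"
}

# Choose the rule set for this host: one connlimit rule, or two recent rules.
limit_rules() {
    port=$1; max=$2; seconds=$3
    if have_connlimit; then
        connlimit_rules "$port" "$max"
    else
        recent_rules "$port" "$max" "$seconds"
    fi
}

# Dry run by default (prints the commands); APPLY=1 runs them as root.
apply_rules() {
    limit_rules "$@" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$rule"
        else
            echo "$rule"
        fi
    done
}

# Usage: ./limit.sh [port] [max] [seconds]; APPLY=1 ./limit.sh 80 20 5
apply_rules "${1:-80}" "${2:-20}" "${3:-5}"
```

Run it once without APPLY to read the rules it would install; on a CentOS 5 box like the one in the question the probe fails and only the two recent rules are printed, on a CentOS 6 box the single connlimit rule is.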

Comments

  • postcd Member
    edited March 2017

    @rds100 said:
    The connlimit implementation changed between the 2.6.18 kernels and 2.6.32 kernels. The data format used to communicate between the userland (iptables) and the kernel is incompatible between the two.
    So 2.6.18 userland (iptables) cannot talk with the 2.6.32 xt_connlimit kernel module.
    Install CentOS 6 on the VPS and connlimit will probably work.

    source: https://lowendtalk.com/discussion/8029/xt-connlimit-issue

    How can I work around that on CentOS 5?

  • AnthonySmith Member, Patron Provider

    You can do that with iptables; however, I suspect your reason for wanting to do that may be even more bizarre than the reason you are using an OS version that is horribly insecure, went end of life a while ago, and whose major version goes EOL in about 3 weeks.

    Thanked by 1 Maounique