bugzilla-daemon at bugzilla.netfilter.org
2009-Sep-24 07:21 UTC
[Bug 610] New: conntrack doesn't work
http://bugzilla.netfilter.org/show_bug.cgi?id=610
Summary: conntrack doesn't work
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: unknown
AssignedTo: laforge at netfilter.org
ReportedBy: urykhy at gmail.com
I need to limit the number of simultaneous connections to httpd:
on server:
iptables -A INPUT -p tcp -m connlimit --connlimit-above 5 --dport 80 -j DROP
(there is only one rule in the firewall)
on the client I run slowloris..
on the server under attack:
netstat -nta | grep :80 | grep ESTABLISHED | wc -l
180
as I understand 'iptables -L -n -v', my rule never hits.
existing behavior:
on the server under attack, a lot of simultaneous connections from a single IP.
expected behavior:
the server should have only 5 connections.
am I missing something?
PS:
Debian Linux 2.6.30-2, iptables 1.4.4-2
slowloris - http://ha.ckers.org/slowloris/
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
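The reporter's check counts every ESTABLISHED connection on port 80 regardless of source, while connlimit (with its default /32 mask) limits connections per source address. The following POSIX shell helper, added here as an illustration and not part of the bug report, breaks a `netstat -nta` listing down per remote IP so a defender can see directly whether any single source exceeds the configured limit. The netstat lines in `SAMPLE` are constructed for the example (RFC 5737 documentation addresses); the helper names `established_per_ip` and `over_limit` are this example's own.

```shell
#!/bin/sh
# Per-source count of ESTABLISHED TCP connections to a local port, read from
# "netstat -nta" output on stdin. Prints "<count> <remote-ip>", highest first.
# Only IPv4 "tcp" rows are counted; "tcp6" rows use a different address layout
# and are deliberately skipped.
established_per_ip() {
    port="$1"
    awk -v port="$port" '
        $1 == "tcp" && $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            split($5, peer, ":")   # "ip:sport" -> remote ip
            n[peer[1]]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Print only the remote IPs whose ESTABLISHED count to the port exceeds the
# limit, i.e. the sources a connlimit rule of "--connlimit-above <limit>"
# would be expected to act on.
over_limit() {
    established_per_ip "$1" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Constructed sample in "netstat -nta" layout (not captured from a real host).
SAMPLE=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40005      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40006      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40007      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51002       ESTABLISHED
EOF
)

# Usage: on a live host replace the sample with "netstat -nta | over_limit 80 5".
printf '%s\n' "$SAMPLE" | established_per_ip 80
printf '%s\n' "$SAMPLE" | over_limit 80 5
```

Run against the live host, a source listed by `over_limit 80 5` while the connlimit rule's packet counters in `iptables -L -n -v` stay at zero is the concrete symptom the report describes: the kernel sees more than five established connections from one address on the port, yet the match never fires.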
bugzilla-daemon at bugzilla.netfilter.org
2009-Nov-01 01:09 UTC
[Bug 610] conntrack doesn't work
http://bugzilla.netfilter.org/show_bug.cgi?id=610
jengelh at medozas.de changed:
What       | Removed                | Added
-----------+------------------------+------------------------
AssignedTo | laforge at netfilter.org | pablo at netfilter.org
bugzilla-daemon at bugzilla.netfilter.org
2009-Nov-04 12:22 UTC
[Bug 610] conntrack doesn't work
http://bugzilla.netfilter.org/show_bug.cgi?id=610
kaber at trash.net changed:
What   | Removed | Added
-------+---------+----------
Status | NEW     | ASSIGNED
------- Comment #1 from kaber at trash.net 2009-11-04 13:22 -------
Doesn't work for me either. Jan?
bugzilla-daemon at bugzilla.netfilter.org
2009-Nov-04 12:22 UTC
[Bug 610] conntrack doesn't work
http://bugzilla.netfilter.org/show_bug.cgi?id=610
kaber at trash.net changed:
What       | Removed              | Added
-----------+----------------------+----------------------
AssignedTo | pablo at netfilter.org | jengelh at medozas.de
Status     | ASSIGNED             | NEW