Limiting Port 80 Connections CentOS

KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Limiting Port 80 Connections CentOS

Unread post by KrazyBob »

My servers are suddenly getting hammered on port 80. I have tried numerous iptables strings, and all return the following, and I don't know what it is telling me:


[root@server101 ~]# iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 5 --connlimit-mask 0 -j REJECT

iptables: No chain/target/match by that name

[root@server101 ~]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 reject-with tcp-reset 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8880 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:465 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:995 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:993 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:106 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:5432 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9008 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:9080 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 code 0 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 reject-with tcp-reset 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 reject-with tcp-reset 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Limiting Port 80 Connections CentOS

Unread post by faris »

Virtuozzo can be the problem if you don't have the required modules enabled in the container.
But usually you get a different error (except when trying to use the nat table, which really does not exist), so I don't think that's the problem here.

Anyway, I tried it on a CentOS 6 VZ container and it worked fine (copying and pasting your command), so the syntax is essentially correct, even if it might not do exactly what you want. More options here: http://www.cyberciti.biz/faq/iptables-c ... its-howto/

I note that -A is append, which puts it at the bottom of the chain. -I might be better? I don't know where it needs to go to be effective, unfortunately.

Anyway, Scott and Mike are the firewall gurus. They will tell us what's going on and what to do, I'm sure.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
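Editor's note, added to this thread and not posted by either participant: the placement question raised above can be answered mechanically. A rule appended with -A lands after the existing "ACCEPT tcp dpt:80" rule and is never reached for new port 80 connections, so the connlimit rule has to be inserted in front of that ACCEPT with "-I INPUT <num>". The script below finds that rule number from a listing (a constructed, abridged copy of the first post's INPUT chain in "--line-numbers" form is embedded as sample input; on a live box you would feed it "iptables -nL INPUT --line-numbers"), builds the insert command, and probes whether the connlimit match actually works in this kernel by trying it in a scratch chain, which is the cheapest way to tell a missing kernel module (the "No chain/target/match by that name" error) from a syntax mistake. The chain name connlimit_probe, the per-source limit of 20 and the use of "--connlimit-mask 32" (count per source address; the "--connlimit-mask 0" in the original command puts every source into a single bucket) are the example's own choices.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): position a connlimit rule
# ahead of the existing ACCEPT for a port, and probe kernel support for it.

# Constructed sample: an abridged version of the INPUT chain from the first
# post, in the format printed by `iptables -nL INPUT --line-numbers`.
SAMPLE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x16/0x02 reject-with tcp-reset
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443'

# first_accept_rule LISTING PORT
# Prints the rule number of the first "ACCEPT tcp ... tcp dpt:PORT" rule in
# a --line-numbers listing, or nothing if there is none. The trailing
# ($|[^0-9]) keeps dpt:80 from matching dpt:8080.
first_accept_rule() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "ACCEPT" && $3 == "tcp" && $0 ~ ("tcp dpt:" port "($|[^0-9])") { print $1; exit }'
}

# connlimit_cmd PORT LIMIT POS
# Prints the iptables command that inserts a per-source connection limit at
# rule position POS, i.e. ahead of the ACCEPT that first_accept_rule found.
# --syn so only new connections are rejected; mask 32 counts per source IP.
connlimit_cmd() {
    port=$1; limit=$2; pos=$3
    printf 'iptables -I INPUT %s -p tcp --dport %s --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' "$pos" "$port" "$limit"
}

# probe_connlimit
# Returns 0 only if both the iptables binary and the running kernel accept a
# connlimit rule. Uses a throwaway chain so nothing live is touched; needs
# root. "No chain/target/match by that name" here means the kernel side
# (xt_connlimit) is missing, which a container cannot fix by itself.
probe_connlimit() {
    chain=connlimit_probe   # assumed scratch chain name, deleted afterwards
    iptables -N "$chain" 2>/dev/null || return 1
    iptables -A "$chain" -p tcp -m connlimit --connlimit-above 1 -j RETURN >/dev/null 2>&1
    rc=$?
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return $rc
}

# Usage on the live box (root): ./limit80.sh --apply
if [ "${1:-}" = "--apply" ]; then
    pos=$(first_accept_rule "$(iptables -nL INPUT --line-numbers)" 80)
    [ -n "$pos" ] || { echo "no ACCEPT rule for tcp dpt:80 found" >&2; exit 1; }
    probe_connlimit || { echo "connlimit match unavailable in this kernel" >&2; exit 1; }
    cmd=$(connlimit_cmd 80 20 "$pos")
    echo "$cmd"
    eval "$cmd"
fi
```

Two practical notes on reading the listing: "iptables -nL" omits interface matches, so the bare "ACCEPT all" at rule 4 may well be bound to lo; run "iptables -nvL INPUT --line-numbers" to see that before deciding whether the limit must also sit above it. And remember that connlimit counts currently open connections per source, not requests per second; a flood of short-lived requests from one address may never exceed a concurrency limit, in which case the "-m recent" or "-m hashlimit" matches are the tool to reach for.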