No chain/target/match / xt_state?


NexusNexus Member
edited September 2012 in General

Hey, I am trying to run the following command (Debian 6, 32 bit, OpenVZ):

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS

But I receive..

iptables: No chain/target/match by that name.

I found out that the xt_state module needs to be enabled on the node, so my host enabled it for me :)

But I am trying to run this basic firewall:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP

And I still receive the error: iptables: No chain/target/match by that name.

I know this isn't full-blown DDoS protection... But it will deter small script kiddies. Can someone chime in and see why it's doing this? Thank you.

Edit: Is that hitcount, HTTP Requests, or just connections?

Also getting this? wtf

iptables -I INPUT -p tcp --dport 22 -i eth0 -m --state NEW -m recent --set

iptables v1.4.8: Couldn't load match `--state':/lib/xtables/libipt_--state.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

D4jsp - Where virgins roam free

Comments

  • marrcomarrco Member
    edited September 2012

    cat /proc/net/ip_tables_matches and verify that the recent module is present

    By the way, what's the name of your provider? Some (OVH on their geovks) won't enable the module on the node for you.

    if you're using nginx you can do some magic there too:

    # Limit connections to 8 per IP
    limit_zone evasive $binary_remote_addr 4m;
    limit_conn evasive 8;
    
    # Limit rate to 128 KB/s after the first 5 MB of a response
    # (limit_rate_after takes a size, so 5m means 5 megabytes, not 5 minutes)
    limit_rate_after 5m;
    limit_rate 128k;
    
  • Output of cat /proc/net/ip_tables_matches:

    mark
    mark
    owner
    limit
    owner
    length
    ttl
    tcpmss
    multiport
    multiport
    tos
    tos
    dscp
    icmp
    state
    udplite
    udp
    tcp

    It looks like state is there? Shouldn't it be xt_state?

    D4jsp - Where virgins roam free
  • MelitaMelita Member
    edited September 2012

    Ask your provider to load ipt_recent or xt_recent for security reasons. If they don't want to, use -m limit as an alternative.

    Let's just do a simple test. Does something like this work?

    iptables -A INPUT -m state --state NEW -j ACCEPT

    If it's working, your error is caused by something else.
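    An added example, not code from the thread: a small POSIX sh script that reads /proc/net/ip_tables_matches (the listing posted above is embedded here as a constructed sample) and prints the `recent` rule pair from the opening post when that match is present, or the `-m limit` fallback suggested in this reply when it is not. It only prints the commands so they can be reviewed before being applied. Two points the thread raises: `--hitcount` on the `recent` rule counts packets that match the rule, here new TCP connections (`--state NEW`), not HTTP requests; and the second error in the opening post comes from `-m --state`, since `-m` expects a match name (`-m state --state NEW`).

```sh
#!/bin/sh
# Added example (not from the thread). Picks an iptables rate-limit ruleset for a port
# based on which match extensions the running kernel exposes, and falls back to
# "-m limit" when "recent" is missing. It prints the commands instead of running them.

# Constructed sample of /proc/net/ip_tables_matches, mirroring the listing posted in
# the thread ("state" is present, "recent" is not).
SAMPLE_MATCHES="mark
mark
owner
limit
owner
length
ttl
tcpmss
multiport
multiport
tos
tos
dscp
icmp
state
udplite
udp
tcp"

# has_match NAME [FILE]: succeed if NAME is listed as a loaded match in FILE
# (default: the live /proc/net/ip_tables_matches).
has_match() {
    file=${2:-/proc/net/ip_tables_matches}
    [ -r "$file" ] || return 1
    grep -qx "$1" "$file"
}

# build_rules PORT MATCHES_FILE: print the iptables commands this kernel can load,
# or fail (exit 1) when even xt_state is missing.
build_rules() {
    port=$1
    file=$2
    if ! has_match state "$file"; then
        echo "xt_state not loaded on the node; ask the host to enable it" >&2
        return 1
    fi
    if has_match recent "$file"; then
        # Per-source tracking from the thread: remember every new connection to PORT,
        # then drop a source that opens more than 20 of them within 4 seconds.
        # --hitcount counts NEW TCP connections (SYNs), not HTTP requests.
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --set --name DDOS"
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP"
    else
        # Fallback: one token bucket shared by all sources. It caps the total rate of
        # new connections but cannot single out one abusive address.
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -m limit --limit 5/second --limit-burst 20 -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j DROP"
    fi
}

# Usage: write the constructed sample out and show which ruleset it selects.
main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MATCHES" > "$tmp"
    build_rules 80 "$tmp"
    rm -f "$tmp"
}

main "$@"
```

    To check a real node instead of the sample, call `build_rules 80 /proc/net/ip_tables_matches`; inside an OpenVZ container the file reflects only the matches the host has made available, which is why the module has to be enabled on the node rather than in the guest.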

  • Yes, that command works fine. Hmm, I'll ask them >_<.

    D4jsp - Where virgins roam free
  • recent is not present... M

    Who's General Failure, and why is he reading my drive A: ?

  • Yea it doesn't do much good if they are sending high PPS to the router of your provider.

    BitAccel - OpenVZ VPS / IRC,VPN,Anything Legal & Unrivaled Support!
  • @Corey said: Yea it doesn't do much good if they are sending high PPS to the router of your provider.

    I think he knows that; in another thread he said he only wants to limit GET/POST requests to the webserver, not really block packet storms. M

    Who's General Failure, and why is he reading my drive A: ?
