No chain/target/match / xt_state?

Nexus Member
edited September 2012 in General

Hey, I am trying to run the following code (Debian 6, 32-bit, OpenVZ):

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS

But I receive..

iptables: No chain/target/match by that name.

I found out that the xt_state module needs to be enabled on the node, so my host enabled it for me :)

But I am trying to run this basic firewall:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP

And I still receive the error:
iptables: No chain/target/match by that name.

I know this isn't full-blown DDoS protection... but it will deter small script kiddies. Can someone chime in and see why it's doing this? Thank you.

Edit: Is that hitcount, HTTP Requests, or just connections?

Also getting this? wtf

iptables -I INPUT -p tcp --dport 22 -i eth0 -m --state NEW -m recent --set

iptables v1.4.8: Couldn't load match `--state':/lib/xtables/libipt_--state.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Comments

  • marrco Member
    edited September 2012

    cat /proc/net/ip_tables_matches and verify that the recent module is present

    by the way, what's the name of your provider? Some (OVH on their geovks) won't enable the module on the node for you.

    if you're using nginx you can do some magic there too:

    # Limit concurrent connections to 8 per client IP
    # (limit_zone belongs in the http{} block; nginx 1.1.8 and later spell it
    #  limit_conn_zone $binary_remote_addr zone=evasive:4m;)
    limit_zone evasive $binary_remote_addr 4m;
    limit_conn evasive 8;
    
    # Throttle each response to 128 KB/s after its first 5 MB
    # (limit_rate_after takes a size, not a time: 5m here is 5 megabytes)
    limit_rate_after 5m;
    limit_rate 128k;
    
  • mark
    mark
    owner
    limit
    owner
    length
    ttl
    tcpmss
    multiport
    multiport
    tos
    tos
    dscp
    icmp
    state
    udplite
    udp
    tcp

    It looks like state is there? Shouldn't it be xt_state?

  • Melita Member, Host Rep
    edited September 2012

    Ask your provider to load ipt_recent or xt_recent for security reasons. If they don't want to, use -m limit as an alternative.

    Let's just do a simple test. Does something like this work? iptables -A INPUT -m state --state NEW -j ACCEPT

    If it's working, your error is caused by something else.

  • Yes, that command works fine. Hmm, I'll ask them >_<.

  • Maounique Host Rep, Veteran

    recent is not present...
    M
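Putting marrco's check and Melita's fallback into one script, here is an added example; it is not code posted by anyone in this thread. It reads /proc/net/ip_tables_matches (which lists matches by their iptables names, `state`, `recent`, `limit`, while xt_state and xt_recent are the kernel module names that provide them), emits the two rules from the original post when `recent` is available, and otherwise emits an `-m limit` version that needs only the matches the OP's listing shows. It also answers the hitcount question in a comment: the recent match counts packets that reach the rule, so with `--state NEW` that is new TCP connections, not HTTP requests. Nothing here executes iptables; the functions print the commands so the script can be dry-run anywhere. The script name, the 5/second and burst-20 numbers in the fallback, and the embedded sample match list are assumptions and constructed data, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster). Dry-run it
# anywhere; on the VPS apply the output with:  sh ratelimit80.sh | sh
# (the filename is assumed).

# Where the kernel lists the matches iptables can use. Overridable so the
# decision logic can be exercised against a constructed file.
MATCHES_FILE="${MATCHES_FILE:-/proc/net/ip_tables_matches}"

# Succeeds if the named match (state, recent, limit, ...) is listed.
# One match per line, so an exact-line grep keeps "recent" from matching
# an unrelated entry.
has_match() {
    grep -qx -- "$1" "$MATCHES_FILE" 2>/dev/null
}

# The two rules from the original post. What they count: packets that reach
# the rule, which with "-p tcp --state NEW" means new TCP connections
# (SYNs), not HTTP requests; one keep-alive connection carrying fifty GETs
# is a single hit. More than 20 new connections from one source IP within
# 4 seconds gets that IP's further SYNs dropped.
rules_recent() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP
EOF
}

# Fallback when xt_recent is absent. -m limit is one global token bucket,
# so it throttles every client together instead of per source IP, but it
# needs only xt_limit and xt_state, both present in the OP's listing.
# The 5/second rate and burst of 20 are assumed starting values.
rules_limit() {
    cat <<'EOF'
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 5/second --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
EOF
}

# Prints "recent", "limit" or "none" depending on which matches are present.
# Both rule sets need "state", so without it nothing is offered.
choose_strategy() {
    if ! has_match state; then
        echo none
    elif has_match recent; then
        echo recent
    elif has_match limit; then
        echo limit
    else
        echo none
    fi
}

# Prints the iptables commands for the chosen strategy.
emit_rules() {
    case "$(choose_strategy)" in
        recent) rules_recent ;;
        limit)  rules_limit ;;
        none)   echo "# no usable match (state/recent/limit) on this node; ask the host to load xt_recent" ;;
    esac
}

# Constructed sample: the match list the OP pasted (state and limit present,
# recent missing). Used only when the real /proc file is not readable, e.g.
# when dry-running off the VPS.
SAMPLE_MATCHES='mark
owner
limit
length
ttl
tcpmss
multiport
tos
dscp
icmp
state
udplite
udp
tcp'

if [ ! -r "$MATCHES_FILE" ]; then
    MATCHES_FILE=$(mktemp)
    printf '%s\n' "$SAMPLE_MATCHES" > "$MATCHES_FILE"
fi

echo "# strategy: $(choose_strategy)"
emit_rules
```

Run against the OP's listing the script picks `limit`; once the host loads xt_recent, `recent` appears in the file and the same script emits the original per-IP rules without any edit.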

  • Yeah, it doesn't do much good if they are sending high PPS to the router of your provider.

  • Maounique Host Rep, Veteran

    @Corey said: Yeah, it doesn't do much good if they are sending high PPS to the router of your provider.

    I think he knows that; in another thread he said he only wants to limit GET/POST commands to the webserver, not really block packet storms.
    M
