No chain/target/match / xt_state?
Hey, I am trying to run the following code: (Debian 6, 32 bit) OPENVZ.
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS
But I receive:
iptables: No chain/target/match by that name.
I found out that the xt_state module needs to be enabled on the node, so my host enabled it for me.
But I am trying to run this basic firewall:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name DDOS
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP
And I still receive the error:
iptables: No chain/target/match by that name.
I know this isn't full-blown DDoS protection... But it will deter small script kiddies. Can someone chime in and see why it's doing this? Thank you,
Edit: Is that hitcount, HTTP Requests, or just connections?
also getting this? wtf
iptables -I INPUT -p tcp --dport 22 -i eth0 -m --state NEW -m recent --set
iptables v1.4.8: Couldn't load match `--state':/lib/xtables/libipt_--state.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Comments
cat /proc/net/ip_tables_matches
and verify that the recent module is present. By the way, what's the name of your provider? Some (OVH on their geovks) won't enable the module on the node for you.
If you're using nginx, you can do some magic there too:
mark
owner
limit
owner
length
ttl
tcpmss
multiport
multiport
tos
tos
dscp
icmp
state
udplite
udp
tcp
It looks like state is there? Shouldn't it be xt_state?
Ask your provider to load ipt_recent or xt_recent for security reasons. If they don't want to, use -m limit as an alternative.
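An added example, not written by anyone in this thread, that ties the two suggestions above together: read /proc/net/ip_tables_matches, and print the recent-based rules from the question only when both state and recent are listed, falling back to -m limit otherwise. The file path, the port and the limit rates are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pick a port-80 ruleset based on the
# xtables matches the kernel exposes in /proc/net/ip_tables_matches. Nothing
# here calls iptables; rules are printed for review. Path/port/rates are assumed.

# has_match FILE NAME: succeed if NAME appears as a whole line in FILE.
has_match() {
    grep -qxF "$2" "$1" 2>/dev/null
}

# choose_ruleset FILE: print "recent", "limit" or "none" (and fail on "none").
# Both rulesets need -m state, so state is checked first.
choose_ruleset() {
    if ! has_match "$1" state; then
        echo none
        return 1
    fi
    if has_match "$1" recent; then
        echo recent
    else
        echo limit
    fi
}

# emit_rules FILE PORT: print the rules for whichever ruleset is usable.
emit_rules() {
    mode=$(choose_ruleset "$1") || {
        echo "# xt_state is not loaded; ask the host to enable it on the node" >&2
        return 1
    }
    case $mode in
    recent)
        # The rules from the question. --hitcount counts packets matched by
        # --state NEW (normally the TCP SYN), not HTTP requests.
        echo "iptables -A INPUT -p tcp --dport $2 -m state --state NEW -m recent --set --name DDOS"
        echo "iptables -A INPUT -p tcp --dport $2 -m state --state NEW -m recent --update --seconds 4 --hitcount 20 --rttl --name DDOS -j DROP"
        ;;
    limit)
        # Fallback when xt_recent is missing: one global token bucket for new
        # connections to the port, instead of per-source-IP tracking.
        echo "iptables -A INPUT -p tcp --dport $2 -m state --state NEW -m limit --limit 5/second --limit-burst 20 -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $2 -m state --state NEW -j DROP"
        ;;
    esac
}

MATCHES=${1:-/proc/net/ip_tables_matches}
if [ -r "$MATCHES" ]; then
    emit_rules "$MATCHES" 80 || echo "# no usable ruleset for $MATCHES" >&2
fi
```

Pass a copy of the matches file as the first argument to test the decision without touching the live kernel.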
Let's just do a simple test. Does something like this work? iptables -A INPUT -m state --state NEW -j ACCEPT
If it's working, your error is caused by something else.
Yes, that command works fine. Hmm, I'll ask them >_<.
recent is not present...
Yeah, it doesn't do much good if they are sending high PPS to the router of your provider.
I think he knows that; in another thread he said he only wants to limit GET/POST requests to the webserver, not really block packet storms.