Opened 3 years ago
Closed 3 years ago
#1462 closed (fixed)
iptables limit module request
| Reported by: | Masterman | Owned by: | somebody |
|---|---|---|---|
| Keywords: | | Cc: | |
Description
Hi,
There are some major security concerns regarding Proftpd (as well as other WAN accessible ports) and hacker/bot hammering. If you have the time to compile an ipt_limit.ko module for Kernel 2.6.24.111 to allow for the use of the limit parameter, I, and many others, would greatly appreciate it!
Thanks,
Masterman
Change History (10)
comment:1 Changed 3 years ago by BrainSlayer
- Resolution set to invalid
- Status changed from new to closed
comment:2 Changed 3 years ago by Masterman
- Resolution invalid deleted
- Status changed from closed to reopened
Hi,
Thanks for the reply.
What build changeset did this occur in? I'm running 14144 mega, and the module is not present:
# ls -l /lib/modules/2.6.24.111/kernel/net/netfilter
total 65
-rw-r--r-- 1 root root 42508 Jan 2 12:29 nf_conntrack_h323.ko
-rw-r--r-- 1 root root 7700 Jan 2 12:29 nf_conntrack_pptp.ko
-rw-r--r-- 1 root root 6100 Jan 2 12:29 nf_conntrack_proto_gre.ko
-rw-r--r-- 1 root root 2952 Jan 2 12:29 xt_connmark.ko
-rw-r--r-- 1 root root 2672 Jan 2 12:29 xt_mac.ko
-rw-r--r-- 1 root root 2476 Jan 2 12:29 xt_mark.ko
# iptables -I INPUT 2 -p tcp -i $wanf --dport 21 -m state --state NEW -m limit --limit 3/min -j
# echo $?
255
Here is my rc_firewall, and the logs indicate that the limit rule is not functioning:
wanf=$(nvram get wan_iface)
iptables -I INPUT 2 -p tcp -i $wanf --dport 21 -j logdrop
iptables -I INPUT 2 -p tcp -i $wanf --dport 21 -m state --state NEW -m limit --limit 3/min -j logaccept
iptables -I INPUT 2 -p tcp -i $wanf -j asia
iptables -I FORWARD 1 -i $wanf -p tcp --dport 20:1024 -j asia
iptables -D FORWARD $(iptables --line-numbers -nL FORWARD | grep ESTABLISHED | tail -n1 | awk '{print $1}')
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Please re-review this problem as many users are wanting it fixed.
Thanks again,
Masterman
comment:3 Changed 3 years ago by Masterman
Also, there is an ebt_limit.ko, but no ipt_limit.ko:
root@Asus:/lib/modules/2.6.24.111/kernel/net/bridge/netfilter# ls
ebt_802_3.ko ebt_arpnat.ko ebt_ip.ko ebt_mark_m.ko ebt_snat.ko ebtable_broute.ko ebtables.ko
ebt_among.ko ebt_arpreply.ko ebt_limit.ko ebt_pkttype.ko ebt_stp.ko ebtable_filter.ko
ebt_arp.ko ebt_dnat.ko ebt_mark.ko ebt_redirect.ko ebt_vlan.ko ebtable_nat.ko
comment:4 Changed 3 years ago by BrainSlayer
You should maybe tell first that you're talking about the Broadcom build. The module is also not named ipt_limit; it's xt_limit.
comment:5 Changed 3 years ago by BrainSlayer
- Resolution set to fixed
- Status changed from reopened to closed
comment:6 Changed 3 years ago by BrainSlayer
By the way, it affects only the 2.6 kernel, not the 2.4 Broadcom builds. It's fixed now.
comment:7 Changed 3 years ago by Masterman
Thanks Brainslayer. Sorry if I didn't include the necessary information regarding the kernel change difference between ipt_limit and xt_limit.
Once again, many thanks,
Masterman
comment:8 Changed 3 years ago by Masterman
One small favor Brainslayer, if it's not too much to ask. I realize you are incorporating this into the next build, but could you upload the module to the DD-WRT FTP database please? If not my email is lmacdowe@…
It's not listed in here:
Thanks man, much appreciated,
Masterman
comment:9 Changed 3 years ago by Masterman
- Resolution fixed deleted
- Status changed from closed to reopened
comment:10 Changed 3 years ago by Sash
- Resolution set to fixed
- Status changed from reopened to closed

This is already compiled into the kernel. No module required.
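Added example, not from the ticket or from DD-WRT: it ties together Masterman's rc_firewall rules (comment 2) and the resolution in comments 4 and 10 (the match is xt_limit and is built into the 2.6 kernel, so no .ko will ever appear under /lib/modules). Instead of listing module files, it checks the kernel's own registry of matches in /proc/net/ip_tables_matches and prints, without applying, the two FTP rate-limit rules; the interface name vlan2 is an assumed placeholder used only when nvram is unavailable.

```shell
#!/bin/sh
# Added example (not part of the ticket). Decide whether the iptables
# "limit" match is usable and print the FTP rate-limit rules from the
# ticket's rc_firewall. On DD-WRT's 2.6 Broadcom build xt_limit is
# compiled in, so there is no xt_limit.ko or ipt_limit.ko to find; the
# kernel lists every registered match, built-in or loaded, one per line
# in /proc/net/ip_tables_matches.

# limit_match_available MATCHES_FILE
#   Succeed (0) if "limit" appears as a whole line in MATCHES_FILE.
limit_match_available() {
    grep -qx 'limit' "$1"
}

# ftp_ratelimit_rules WAN_IFACE RATE
#   Print the two INPUT rules in the order rc_firewall must run them.
#   Both use "-I INPUT 2", so the rule printed second lands ABOVE the
#   first: new port-21 connections within RATE go to logaccept, the
#   rest fall through to logdrop (both are DD-WRT's own chains).
ftp_ratelimit_rules() {
    wanf="$1"
    rate="$2"
    printf 'iptables -I INPUT 2 -p tcp -i %s --dport 21 -j logdrop\n' "$wanf"
    printf 'iptables -I INPUT 2 -p tcp -i %s --dport 21 -m state --state NEW -m limit --limit %s -j logaccept\n' "$wanf" "$rate"
}

# Stand-alone run (sh thisfile.sh run): prints only, changes nothing.
main() {
    matches=/proc/net/ip_tables_matches
    wanf=$(nvram get wan_iface 2>/dev/null || true)
    [ -n "$wanf" ] || wanf=vlan2   # placeholder when nvram is unavailable
    if [ -r "$matches" ] && limit_match_available "$matches"; then
        echo "# limit match registered (built-in or loaded); rules to add:"
        ftp_ratelimit_rules "$wanf" 3/min
    else
        echo "# limit match not registered on this kernel; the rules below would fail with a non-zero exit status:"
        ftp_ratelimit_rules "$wanf" 3/min
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Note that `-m limit` counts all new port-21 connections together, not per source address, so a single hammering host also throttles legitimate logins; the logdrop entries in the logs are the signal that the limit is being hit.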