[Users] Hardware node - Iptables firewall with ipset
Sergej Kandyla
sk.paix at gmail.com
Tue Mar 24 09:09:52 EDT 2009
Martin Wheldon writes:
> Hi Folks,
>
> I've spent quite sometime googling but am unable to answer the
> following question.
>
> Are there any problems with running an iptables firewall using ipset
> functionality on the hardware node?
>
Did you look at nfqueue?
Afaik ipset is not really stable, and it also requires patching the
kernel... This is a big reason not to use the ipset module.
Also, does anyone know about some analogs of the connlimit module? It is
also absent from the default RHEL kernel...
centos5.2 box # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit
--connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295
The idea is to limit established connections for every unique IP. This
is very helpful on high-loaded web servers.
> I already know that these modules haven't been virtualized, but I
> don't believe this should matter for the
> hardware node, please correct me if this assumption is incorrect.
> Obviously I will need to build my own
> kernel as the ipset patches are not applied to the stock OpenVZ kernels.
>
> Is anyone out there doing this? If so, could you please pass on your
> experiences.
>
> Best Regards
>
> Martin
>