[Users] Hardware node - Iptables firewall with ipset

Sergej Kandyla sk.paix at gmail.com
Tue Mar 24 09:09:52 EDT 2009


Martin Wheldon writes:
> Hi Folks,
>
> I've spent quite some time googling but am unable to answer the
> following question.
>
> Are there any problems with running an IPtables firewall using ipset
> functionality on the hardware node?
>   
Did you look at nfqueue ?

Afaik ipset is not really stable, and it also requires patching a
kernel... This is a big reason not to use the ipset module.

Also, does anyone know of any analogs of the connlimit module? It is
also absent in the default RHEL kernel...

centos5.2 box # iptables -A INPUT -p tcp --syn --dport 80 -m connlimit 
--connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295

The idea is to limit established connections for every unique IP. This
is very helpful on high-loaded web servers.


> I already know that these modules haven't been virtualized, but I
> don't believe this should matter for the
> hardware node, please correct me if this assumption is incorrect.
> Obviously I will need to build my own
> kernel as the ipset patches are not applied to the stock OpenVZ kernels.
>
> Is anyone out there doing this? If so, could you please pass on your
> experiences.
>
> Best Regards
>
> Martin
>   
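The thread leaves the question of a connlimit substitute open. As an added example that is not part of the thread, the script below does the same per-source count in userspace over the output of `ss -tn state established`, so an admin can at least detect peers holding more than 15 connections to port 80 when the kernel module is unavailable; the sample listing and the 10.0.0.5 host address are constructed.

```python
"""Count established TCP connections per peer IP and flag peers above a
threshold, the check connlimit would otherwise enforce in the kernel.
Input is assumed to be the 'ss -tn state established' listing:
Recv-Q Send-Q Local Address:Port Peer Address:Port."""
from collections import Counter
from ipaddress import ip_address

HEADER = "Recv-Q Send-Q Local Address:Port Peer Address:Port"


def _row(peer, port, local="10.0.0.5:80"):
    return f"0      0      {local:<18} {peer}:{port}"


# Constructed sample, not captured from a real host: one peer holding 16
# connections to port 80, one well-behaved peer, and one connection to SSH.
SAMPLE_SS_OUTPUT = "\n".join(
    [HEADER]
    + [_row("198.51.100.7", 51000 + i) for i in range(16)]
    + [_row("203.0.113.9", 40001), _row("203.0.113.9", 40002)]
    + [_row("203.0.113.9", 40003, local="10.0.0.5:22")]
)


def parse_peers(ss_output, local_port=80):
    """Yield the peer IP of every established connection to local_port."""
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, peer = fields[2], fields[3]
        _, lport = local.rsplit(":", 1)       # rsplit keeps IPv6 intact
        phost, _ = peer.rsplit(":", 1)
        if int(lport) != local_port:
            continue
        yield str(ip_address(phost.strip("[]")))  # normalise the address


def connections_per_ip(ss_output, local_port=80):
    """Map each peer IP to its number of established connections."""
    return Counter(parse_peers(ss_output, local_port))


def over_limit(ss_output, limit=15, local_port=80):
    """Return {ip: count} for peers holding more than `limit` connections,
    mirroring '--connlimit-above 15' from the thread."""
    counts = connections_per_ip(ss_output, local_port)
    return {ip: n for ip, n in counts.items() if n > limit}
```

Run it periodically from cron against live `ss` output to log or alert on offenders; the counting logic is the same for any port you pass as `local_port`.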