iproute2 example SYN-DOS.limit
Hi,

I am trying to get the SYN-DOS.limit example (that comes with the iproute2.rpm) to work. I have edited the script to have the correct locations of the executables and changed the INTERNETDEV to ppp0 (as I am running ADSL with rp-pppoe). Kernel is SuSE k_i386 2.2.19.

After the following line runs

# tc qdisc add dev ppp0 handle ffff : ingress

I am getting back

RTNETLINK answers no such file or directory

What am I missing?

--
Togan Muftuoglu
> after the following line runs
> # tc qdisc add dev ppp0 handle ffff : ingress
> I am getting back
> RTNETLINK answers no such file or directory

You need netlink device support in the kernel, and some other options (AFAIR there is a list of required options in the iproute2 howto ...)

hth
Markus

--
 _____________________________
 /"\   Markus Gaugusch  ICQ 11374583
 \ /   ASCII Ribbon Campaign  markus@gaugusch.dhs.org
  X    Against HTML Mail
 / \
* Markus Gaugusch;
> > RTNETLINK answers no such file or directory
> You need netlink device support in kernel, and some other options (AFAIR there is a list of required options in the iproute2 howto ...)

I have reread the ADV-Routing Howto and read the iproute2 documentation but could not see the required options (maybe I need to have my eyes examined). This is what I have from cat /proc/config.gz | grep NET (this is the SuSE compiled kernel 2.2.19 for i386):

CONFIG_NET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK=y
CONFIG_IP_FIREWALL_NETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_SCHED=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_CSZ=m
CONFIG_NET_SCH_PRIO=m
CONFIG_NET_SCH_RED=m
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_SCH_TEQL=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_QOS=y
CONFIG_NET_ESTIMATOR=y
CONFIG_NET_CLS=y
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_ROUTE=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_RSVP=m
CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_POLICE=y

I have loaded the modules sch_* and cls_* and this is the script:

#! /bin/sh -x
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
# path to various utilities;
# change to reflect yours.
#
IPROUTE=/usr/sbin
TC=$IPROUTE/tc
IP=$IPROUTE/ip
IPCHAINS=/sbin/ipchains

INDEV=ppp0
#
# tag all incoming SYN packets through $INDEV as mark value 1
# ipchains complains about -y without a protocol, so added -p tcp (togan)
############################################################
$IPCHAINS -A input -i $INDEV -p tcp -y -m 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
$TC qdisc add dev $INDEV handle ffff: ingress
############################################################
#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS
############################################################
$TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
	police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################
#
echo "---- qdisc parameters Ingress ----------"
$TC qdisc ls dev $INDEV
echo "---- Class parameters Ingress ----------"
$TC class ls dev $INDEV
echo "---- filter parameters Ingress ----------"
$TC filter ls dev $INDEV parent ffff:

# deleting the ingress qdisc (needs the "dev" keyword)
#$TC qdisc del dev $INDEV ingress

--
Togan Muftuoglu
Well, I have found an answer which does not make me happy: apparently ingress fails with the 2.2.19 SuSE kernel, however the example works OK with the 2.4.4 SuSE kernel on my laptop. So is there a way to implement the SYN-DOS protection either with this script or by another way, using the 2.2.19 SuSE kernel with ipchains?

> # install the ingress qdisc on the ingress interface
> ############################################################
> $TC qdisc add dev $INDEV handle ffff: ingress
> ############################################################

--
Togan Muftuoglu
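An added check, written for this archive page and not part of the thread or of the iproute2 example: a small POSIX shell function that reads kernel config text and reports which of the options the SYN-DOS.limit script depends on are absent. The option list is my own reading of what the script uses (the ingress qdisc, the fw classifier that matches the ipchains mark, the police action on the filter, and the rtnetlink transport tc talks over) and is an assumption; the thread never names the list itself. In particular CONFIG_NET_SCH_INGRESS does not appear in the config listing posted above, which is consistent with "qdisc add ... ingress" being the line that fails on the 2.2.19 kernel. The two sample config strings are constructed from that posted listing.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a kernel .config for the
# options the SYN-DOS.limit script relies on. The list below is an
# assumption based on what the script does, not something the thread states:
#   CONFIG_NET_SCHED        packet scheduler framework (anything tc does)
#   CONFIG_NET_SCH_INGRESS  the ingress qdisc ("handle ffff: ingress")
#   CONFIG_NET_CLS_FW       the fw classifier (matches the ipchains mark)
#   CONFIG_NET_CLS_POLICE   the "police rate ... drop" action on the filter
#   CONFIG_NETLINK          netlink sockets, and
#   CONFIG_RTNETLINK        the rtnetlink transport tc uses to talk to the kernel
# An option built as a module (=m) counts as present, since the thread loads
# the sch_* and cls_* modules by hand.
REQUIRED_OPTS="CONFIG_NET_SCHED CONFIG_NET_SCH_INGRESS CONFIG_NET_CLS_FW CONFIG_NET_CLS_POLICE CONFIG_NETLINK CONFIG_RTNETLINK"

# missing_opts CONFIG_TEXT
# Prints, one per line, every required option that is not set to y or m in
# CONFIG_TEXT; prints nothing when all of them are present.
missing_opts() {
    config="$1"
    for opt in $REQUIRED_OPTS; do
        if ! printf '%s\n' "$config" | grep -q "^${opt}=[ym]$"; then
            printf '%s\n' "$opt"
        fi
    done
    return 0
}

# check_config CONFIG_TEXT
# Human-readable verdict; returns 0 when nothing is missing, 1 otherwise.
check_config() {
    missing=$(missing_opts "$1")
    if [ -z "$missing" ]; then
        echo "all kernel options needed by SYN-DOS.limit are present"
        return 0
    fi
    echo "options needed by SYN-DOS.limit but not set in this config:"
    printf '  %s\n' $missing
    return 1
}

# Constructed sample: the relevant lines from the SuSE 2.2.19 config posted
# in the thread (duplicates dropped). Note there is no CONFIG_NET_SCH_INGRESS.
SAMPLE_CONFIG_2219="CONFIG_NET=y
CONFIG_NETLINK=y
CONFIG_RTNETLINK=y
CONFIG_NETLINK_DEV=y
CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=m
CONFIG_NET_SCH_TBF=m
CONFIG_NET_CLS=y
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
CONFIG_NET_CLS_POLICE=y"

# Constructed sample: the same config with the ingress qdisc built as a module.
SAMPLE_CONFIG_OK="$SAMPLE_CONFIG_2219
CONFIG_NET_SCH_INGRESS=m"

# On a live box with /proc/config.gz, run:
#   . ./check_syn_dos_config.sh && check_config "$(zcat /proc/config.gz)"
# (the file name is hypothetical; use whatever you saved this as.)
```

The check only says whether the build-time options exist; it does not confirm that the matching sch_*/cls_* modules are loaded or loadable, so a clean result here plus an RTNETLINK error from tc points at module loading rather than kernel configuration.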