From: "Omar Garcia" <omar.garcia@fractalia.biz>
To: netfilter@lists.netfilter.org
Subject: Connlimit problems and others
Date: Thu, 10 Feb 2005 09:41:19 +0100
Message-ID: <003b01c50f4c$4aecef20$910010ac@coco>
Hi list,
I have problems with the connlimit module. I am trying to limit the total number of established connections, and to apply another limit, above that, to p2p connections.
My machine is working as a transparent bridge with QoS, as follows:
LAN ------------------------eth1[Bridge]eth0-----------------------------router -------------------------INTERNET
Kernel 2.6.8-1 with POMng, wrr and imq patched in.
The iptables and kernel modules load perfectly, or it seems.
I have an HTB queue for incoming traffic from the internet and an imq queue for outgoing traffic.
I HAVE A FEW QUESTIONS.
(In SHAPER-IN and SHAPER-OUT I have put a few rules to intercept the traffic.)
1- Is it correct to put the HTB queue on outgoing traffic and an imq queue on outgoing, or is it the opposite?
2- I have put two main rules to intercept the incoming and outgoing traffic.
For incoming traffic I put this in PREROUTING in the mangle table:
$IPTABLES -t mangle -I PREROUTING -m physdev --physdev-in eth0 -j SHAPER-IN
For outgoing traffic I put this in POSTROUTING in the mangle table:
$IPTABLES -t mangle -I POSTROUTING -m physdev --physdev-out eth0 -j IMQ --todev 0
$IPTABLES -t mangle -I POSTROUTING -m physdev --physdev-out eth0 -j SHAPER-OUT
(I don't know why I have to redirect to both IMQ and SHAPER-OUT.)
Is it correct to put these two main rules there?
3- The connlimit module doesn't work with the ipp2p module, although this rule loads correctly:
$IPTABLES -I FORWARD -t mangle -p tcp -m state --state ESTABLISHED,RELATED -m connlimit --connlimit-above 100 -j DROP
I am not very happy with this rule because the machines can establish a few more connections than the limit I set.
I can see over 200 connections crossing the bridge in /proc/net/ip_conntrack.
It's true that there comes a moment when nobody can establish a connection, but I don't want that; I only want to limit p2p connections and have a global limit, with the global limit high enough to always permit normal traffic.
And this rule gives me an error:
$IPTABLES -I FORWARD -t mangle -p tcp -m ipp2p --ipp2p -m connlimit --connlimit-above 100 -j DROP
(I have put other rules like this, but with the mark module instead of connlimit, and they load correctly.)
Is there someone who has configured a machine like this?
Thanks a lot; I promise to upload a How-to when I finish this long challenge.
Here are my rules, if someone wants to read them.
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
SHAPER-IN all -- anywhere anywhere PHYSDEV match --physdev-in eth0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere state RELATED,ESTABLISHED #conn/32 > 100
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SHAPER-OUT all -- anywhere anywhere PHYSDEV match --physdev-out eth0
IMQ all -- anywhere anywhere PHYSDEV match --physdev-out eth0 [4 bytes of unknown target data]
Chain SHAPER-IN (1 references)
target prot opt source destination
RETURN all -- 172.16.0.0/24 anywhere
MARK udp -- anywhere anywhere MARK set 0x1e
MARK udp -- anywhere anywhere MARK set 0x1e
MARK icmp -- anywhere anywhere MARK set 0x1e
MARK tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/ACK MARK set 0x1e
MARK tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/ACK length 0:128 TOS match !Normal-Service MARK set 0x1e
MARK tcp -- anywhere anywhere TOS match Minimize-Delay MARK match 0x0 MARK set 0x1e
MARK tcp -- anywhere anywhere tcp spts:ssh:telnet MARK set 0x1e
MARK tcp -- anywhere anywhere tcp dpts:ssh:telnet MARK set 0x1e
MARK tcp -- anywhere anywhere TOS match !Minimize-Delay tcp spt:ssh MARK set 0x1f
MARK tcp -- anywhere anywhere TOS match !Minimize-Delay tcp dpt:ssh MARK set 0x1f
CONNMARK tcp -- anywhere anywhere CONNMARK match 0x1f CONNMARK restore
CONNMARK tcp -- anywhere anywhere ipp2p v0.7.1 --ipp2p CONNMARK set 0x1f
CONNMARK tcp -- anywhere anywhere ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1f
MARK all -- anywhere anywhere MARK match 0x0 MARK set 0x1f
Chain SHAPER-OUT (1 references)
target prot opt source destination
RETURN all -- anywhere 172.16.0.0/24
MARK icmp -- anywhere anywhere MARK set 0x15
MARK tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/ACK MARK set 0x15
MARK tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/ACK length 0:128 TOS match !Normal-Service MARK set 0x15
MARK tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/ACK length 128:65535 MARK set 0x1d
MARK udp -- anywhere anywhere MARK set 0x18
MARK tcp -- anywhere anywhere TOS match Minimize-Delay MARK match 0x0 MARK set 0x17
MARK tcp -- anywhere anywhere tcp spts:ssh:telnet MARK set 0x16
MARK tcp -- anywhere anywhere tcp dpts:ssh:telnet MARK set 0x16
MARK tcp -- anywhere anywhere tcp spt:www MARK set 0x1a
MARK tcp -- anywhere anywhere tcp dpt:www MARK set 0x1a
MARK tcp -- anywhere anywhere tcp spt:smtp MARK set 0x1b
MARK tcp -- anywhere anywhere tcp dpt:smtp MARK set 0x1b
MARK tcp -- anywhere anywhere TOS match Maximize-Throughput MARK set 0x1c
MARK tcp -- anywhere anywhere TOS match Minimize-Cost MARK set 0x1c
CONNMARK tcp -- anywhere anywhere CONNMARK match 0x1d CONNMARK restore
CONNMARK tcp -- anywhere anywhere ipp2p v0.7.1 --ipp2p CONNMARK set 0x1d
CONNMARK tcp -- anywhere anywhere ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1d
CONNMARK udp -- anywhere anywhere CONNMARK match 0x1d CONNMARK restore
CONNMARK udp -- anywhere anywhere ipp2p v0.7.1 --ipp2p CONNMARK set 0x1d
CONNMARK udp -- anywhere anywhere ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1d
MARK tcp -- anywhere anywhere TOS match !Minimize-Delay tcp spt:ssh MARK set 0x1c
MARK tcp -- anywhere anywhere TOS match !Minimize-Delay tcp dpt:ssh MARK set 0x1c
MARK all -- anywhere anywhere MARK match 0x0 MARK set 0x1b
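Added example (not code from the post above and not part of netfilter or POM): a small Python model of how connlimit counts, run over constructed /proc/net/ip_conntrack lines in the 2.6-era format. The FORWARD listing above shows the rule as "#conn/32 > 100": connlimit keys its count on the packet's source address under a /32 mask, so the limit is per source host, not a global total. The model makes that visible: the sum of conntrack entries crossing the bridge can exceed the limit while no single host is above it, and widening the mask to /24 turns the per-host counter into one shared by the whole LAN. The sample lines, the hosts and ports in them, and the simplification that every TCP conntrack entry is counted regardless of state are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of 2.6-era /proc/net/ip_conntrack lines (assumption: not
# taken from the original post). Three LAN hosts in 172.16.0.0/24.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=172.16.0.10 dst=198.51.100.5 sport=40001 dport=80 src=198.51.100.5 dst=172.16.0.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=172.16.0.10 dst=198.51.100.6 sport=40002 dport=443 src=198.51.100.6 dst=172.16.0.10 sport=443 dport=40002 [ASSURED] use=1
tcp      6 60 SYN_SENT src=172.16.0.10 dst=198.51.100.7 sport=40003 dport=6881 src=198.51.100.7 dst=172.16.0.10 sport=6881 dport=40003 use=1
tcp      6 431999 ESTABLISHED src=172.16.0.11 dst=198.51.100.8 sport=50001 dport=22 src=198.51.100.8 dst=172.16.0.11 sport=22 dport=50001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=172.16.0.12 dst=198.51.100.9 sport=50002 dport=6881 src=198.51.100.9 dst=172.16.0.12 sport=6881 dport=50002 [ASSURED] use=1
udp      17 29 src=172.16.0.12 dst=198.51.100.10 sport=5000 dport=53 src=198.51.100.10 dst=172.16.0.12 sport=53 dport=5000 use=1
"""

# Only the original-direction tuple is captured; the reply tuple (the second
# src=/dst= pair) is ignored, since connlimit keys on the client's source.
_LINE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Return one dict per conntrack entry: proto, state, src, dst, sport, dport."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # a line this toy parser does not understand is skipped
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        entries.append(d)
    return entries


def source_key(addr, mask):
    """Collapse a source address to its /mask network, as --connlimit-mask does."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def count_per_source(entries, mask=32, proto="tcp"):
    """Count conntrack entries of `proto` per source network.

    Simplification (assumption): every entry of the protocol is counted
    regardless of TCP state; the real module's bookkeeping differs in detail.
    """
    counts = Counter()
    for e in entries:
        if e["proto"] == proto:
            counts[source_key(e["src"], mask)] += 1
    return counts


def sources_above(entries, limit, mask=32, proto="tcp"):
    """Source networks whose count exceeds `limit`.

    Mirrors --connlimit-above N, which matches when the count is > N.
    """
    per_src = count_per_source(entries, mask, proto)
    return sorted(k for k, n in per_src.items() if n > limit)


def total_connections(entries, proto="tcp"):
    """The figure you get by counting entries crossing the bridge by hand."""
    return sum(1 for e in entries if e["proto"] == proto)


if __name__ == "__main__":
    ents = parse_conntrack(SAMPLE_CONNTRACK)
    limit = 2  # toy limit; the post uses 100
    print("per host (/32):", dict(count_per_source(ents)))
    print("per LAN  (/24):", dict(count_per_source(ents, mask=24)))
    print("total TCP entries:", total_connections(ents))
    print("hosts above the per-host limit:", sources_above(ents, limit))
    print("with a /24 mask the whole LAN shares one counter:",
          sources_above(ents, limit, mask=24))
```

With the sample data the bridge carries five TCP entries, above the toy limit of 2, yet only 172.16.0.10 is over the per-host limit, which is the same shape as seeing over 200 conntrack entries with a "--connlimit-above 100" rule in place. A global ceiling for the whole LAN needs a wider mask (here /24) or a separate rule, and the per-host limit for p2p is a second, independent counter.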