* Connlimit problems and others
@ 2005-02-10  8:41 Omar Garcia
From: Omar Garcia @ 2005-02-10  8:41 UTC (permalink / raw)
  To: netfilter

Hi list,

I have problems with the connlimit module. I am trying to limit the total number of established connections and, on top of that, apply another limit to p2p connections.
My machine is working as a transparent bridge with QoS as follows:


                LAN ------------------------eth1[Bridge]eth0-----------------------------router -------------------------INTERNET

Kernel 2.6.8-1 with POMng, wrr and imq patched.
The iptables and kernel modules load perfectly, or so it seems.
I have an HTB queue for incoming traffic from the internet and an imq queue for outgoing traffic.

I HAVE A FEW QUESTIONS.
    (In SHAPER-IN and SHAPER-OUT I have put a few rules to intercept the traffic)

    1- Is it correct to put the HTB queue on outgoing traffic and an imq queue on outgoing, or is it the opposite?
    
    2- I have put two main rules to intercept the incoming and outgoing traffic.
               For incoming traffic I put in PREROUTING in the mangle chain:
                $IPTABLES -t mangle -I PREROUTING -m physdev --physdev-in eth0 -j SHAPER-IN 
        
                For outgoing traffic I put in POSTROUTING in the mangle chain:
                $IPTABLES -t mangle -I POSTROUTING  -m physdev --physdev-out eth0 -j IMQ --todev 0
                $IPTABLES -t mangle -I POSTROUTING -m physdev --physdev-out eth0 -j SHAPER-OUT

                (I don't know why I have to redirect to IMQ and SHAPER-OUT)

        Is it correct to put these two main rules there?


    3- The connlimit module doesn't work with the ipp2p module, although this rule loads correctly:
        $IPTABLES -I FORWARD -t mangle -p tcp -m state --state ESTABLISHED,RELATED -m connlimit --connlimit-above 100 -j DROP

        I am not very happy with this rule because the machines can establish a few more connections than I set.
        I can see over 200 connections crossing the bridge in /proc/net/ip_conntrack.
        It's true that there is a moment when nobody can establish a connection, but I don't want that; I only want to limit p2p connections plus a global limit, with a high limit so that normal traffic is always permitted.

        And this rule gives me an error:

        $IPTABLES -I FORWARD -t mangle -p tcp -m ipp2p --ipp2p -m connlimit --connlimit-above 100 -j DROP
        (I have put other rules like this but with the mark module instead of connlimit, and they load correctly.)

        Is there someone who has configured a machine like this?
    


    Thanks a lot, I promise to upload a How-to when I finish this long challenge.
    Here are my rules, if someone wants to read them.


      
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
SHAPER-IN  all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED #conn/32 > 100 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SHAPER-OUT  all  --  anywhere             anywhere            PHYSDEV match --physdev-out eth0 
IMQ        all  --  anywhere             anywhere            PHYSDEV match --physdev-out eth0 [4 bytes of unknown target data] 

Chain SHAPER-IN (1 references)
target     prot opt source               destination         
RETURN     all  --  172.16.0.0/24        anywhere            
MARK       udp  --  anywhere             anywhere            MARK set 0x1e 
MARK       udp  --  anywhere             anywhere            MARK set 0x1e 
MARK       icmp --  anywhere             anywhere            MARK set 0x1e 
MARK       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/ACK MARK set 0x1e 
MARK       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/ACK length 0:128 TOS match !Normal-Service MARK set 0x1e 
MARK       tcp  --  anywhere             anywhere            TOS match Minimize-Delay MARK match 0x0 MARK set 0x1e 
MARK       tcp  --  anywhere             anywhere            tcp spts:ssh:telnet MARK set 0x1e 
MARK       tcp  --  anywhere             anywhere            tcp dpts:ssh:telnet MARK set 0x1e 
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp spt:ssh MARK set 0x1f 
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp dpt:ssh MARK set 0x1f 
CONNMARK   tcp  --  anywhere             anywhere            CONNMARK match 0x1f CONNMARK restore 
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p CONNMARK set 0x1f 
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1f 
MARK       all  --  anywhere             anywhere            MARK match 0x0 MARK set 0x1f 

Chain SHAPER-OUT (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             172.16.0.0/24       
MARK       icmp --  anywhere             anywhere            MARK set 0x15 
MARK       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/ACK MARK set 0x15 
MARK       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/ACK length 0:128 TOS match !Normal-Service MARK set 0x15 
MARK       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/ACK length 128:65535 MARK set 0x1d 
MARK       udp  --  anywhere             anywhere            MARK set 0x18 
MARK       tcp  --  anywhere             anywhere            TOS match Minimize-Delay MARK match 0x0 MARK set 0x17 
MARK       tcp  --  anywhere             anywhere            tcp spts:ssh:telnet MARK set 0x16 
MARK       tcp  --  anywhere             anywhere            tcp dpts:ssh:telnet MARK set 0x16 
MARK       tcp  --  anywhere             anywhere            tcp spt:www MARK set 0x1a 
MARK       tcp  --  anywhere             anywhere            tcp dpt:www MARK set 0x1a 
MARK       tcp  --  anywhere             anywhere            tcp spt:smtp MARK set 0x1b 
MARK       tcp  --  anywhere             anywhere            tcp dpt:smtp MARK set 0x1b 
MARK       tcp  --  anywhere             anywhere            TOS match Maximize-Throughput MARK set 0x1c 
MARK       tcp  --  anywhere             anywhere            TOS match Minimize-Cost MARK set 0x1c 
CONNMARK   tcp  --  anywhere             anywhere            CONNMARK match 0x1d CONNMARK restore 
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p CONNMARK set 0x1d 
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1d 
CONNMARK   udp  --  anywhere             anywhere            CONNMARK match 0x1d CONNMARK restore 
CONNMARK   udp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p CONNMARK set 0x1d 
CONNMARK   udp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1d 
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp spt:ssh MARK set 0x1c 
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp dpt:ssh MARK set 0x1c 
MARK       all  --  anywhere             anywhere            MARK match 0x0 MARK set 0x1b 
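To make the counting semantics of the listed connlimit rule concrete (`#conn/32 > 100` groups conntrack entries per source host, so several LAN hosts can together exceed the limit while each stays under it), here is an added Python example, not part of the original post or of iptables, that tallies ip_conntrack entries per source network under a chosen mask; it also shows the /24 grouping that `--connlimit-mask 24` would use. The conntrack lines, LAN hosts and peer addresses are constructed samples.

```python
import re
import ipaddress
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "proto state src dst sport dport")
# One 2.6-era /proc/net/ip_conntrack line; only the original-direction tuple is captured.
ENTRY_RE = re.compile(
    r"^(?P<proto>\S+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

def parse_conntrack(text):
    """Parse ip_conntrack text into Entry tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["proto"], m["state"] or "", m["src"], m["dst"],
                                 int(m["sport"]), int(m["dport"])))
    return entries

def count_by_source(entries, prefix_len=32, proto="tcp"):
    """Count entries per source network. prefix_len=32 mirrors the default '#conn/32'
    grouping (one counter per host); prefix_len=24 groups the whole LAN together."""
    counts = Counter()
    for e in entries:
        if e.proto == proto:
            net = ipaddress.ip_network(f"{e.src}/{prefix_len}", strict=False)
            counts[str(net)] += 1
    return counts

def over_limit(counts, limit):
    """Networks whose count satisfies '--connlimit-above <limit>'."""
    return {net: n for net, n in counts.items() if n > limit}

def constructed_table(per_host):
    """Build a constructed sample table: {LAN host: number of ESTABLISHED tcp flows}."""
    lines = []
    for host, n in per_host.items():
        for i in range(n):
            sport, peer = 1024 + i, f"198.51.100.{i % 250 + 1}"
            lines.append(f"tcp      6 431999 ESTABLISHED src={host} dst={peer} sport={sport} "
                         f"dport=6881 src={peer} dst={host} sport=6881 dport={sport} [ASSURED] use=1")
    # a udp entry has no state column; included to show the parser copes with it
    lines.append("udp      17 29 src=172.16.0.10 dst=198.51.100.9 sport=4000 dport=53 "
                 "src=198.51.100.9 dst=172.16.0.10 sport=53 dport=4000 [UNREPLIED] use=1")
    return "\n".join(lines)
```

With three constructed hosts at 60, 70 and 90 flows (220 in total), `over_limit(count_by_source(entries, 32), 100)` returns an empty dict while the same call with prefix 24 returns `{'172.16.0.0/24': 220}`, which is why a per-host limit of 100 still lets well over 200 connections cross the bridge.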



