From: Tony Earnshaw <tonye@billy.demon.nl>
To: Netfilter Discussions <netfilter@lists.netfilter.org>
Subject: Re: limiting number of concurrent tcp sessions
Date: Mon, 22 Mar 2004 16:44:46 +0100 [thread overview]
Message-ID: <1079970285.19134.53.camel@localhost> (raw)
In-Reply-To: <20040322125944.GA9496@oasis.frogfoot.net>
Mon, 22.03.2004 at 13.59, Abraham van der Merwe wrote:
> Is there a way to limit the number of concurrent tcp sessions per host/ip
> flowing through a machine in Linux?
>
> There used to be a match for iptables which seems like it may be able to do
> the job, but it doesn't seem to exist anymore:
>
> ------------< snip <------< snip <------< snip <------------
> iplimit v1.2.8 options:
> [!] --iplimit-above n match if the number of existing tcp
> connections is (not) above n
> --iplimit-mask n group hosts using mask
> ------------< snip <------< snip <------< snip <------------
This is half an answer ;) I've kernel-org 2.6.4 ACPI on this machine,
Netfilter 1.2.9 and the required POM. This is thus a new Netfilter
installation. The HOWTO describes iplimit, but for my installation there
was no such thing. I found out that if one substitutes the word
"connlimit" for "iplimit", then everything written about iplimit applies
to connlimit.
The bad news is that what I'm trying doesn't work for me :(
I have a rule:
iptables -A INPUT -i $IFACE0 -s 194.159.xx.xx -p tcp --syn --dport smtp \
  -m connlimit --connlimit-above 1 \
  -j LOG --log-prefix "fp=2nd Mailkick:1 a=REJECT "
iptables -A INPUT -i $IFACE0 -s 194.159.73.24 -p tcp --syn --dport smtp \
  -m connlimit --connlimit-above 1 -j REJECT
(xx.xx for a bit of anonymity; the funny fp= and a= LOG prefixes are for
my Fireparse reporter).
However, the rule doesn't work, or connlimit doesn't work, for some
reason.
lsmod:
Module          Size  Used by
ipt_connlimit   3200  2
ipt_LOG         5440  12
ipt_state       1856  72
ipt_REJECT      6656  14
ipt_limit       2240  1
iptable_filter  2752  1
ip_tables      17808  6  ipt_connlimit,ipt_LOG,ipt_state,ipt_REJECT,ipt_limit,iptable_filter

-rwxr-xr-x 1 root root 4173 mar 17 21:56 /usr/local/lib/iptables/libipt_connlimit.so
So I guess my question would be: Why?
Best,
--Tonny
--
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
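The thread does not say how the connlimit match decides whether a SYN is "above n", which is what the question turns on. The following is an added, user-space model of that decision (not code from the thread, not the ipt_connlimit module itself). It assumes, and these are assumptions rather than facts the thread establishes, that the match counts conntrack entries whose masked source address and destination port equal those of the packet, that the new connection is itself part of the count, and that --connlimit-above n is true when that count is strictly greater than n. The function names and the sample connection table are constructed for the example.

```c
/* Added example: a user-space model of the connlimit counting rule.
 * Assumptions (labelled, not taken from the thread): the match counts
 * tracked connections with the same masked source and destination port,
 * the new connection counts itself, and "--connlimit-above n" fires when
 * that count is strictly greater than n. Names and data are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 32

/* A tracked TCP connection: source IPv4 (host order) and destination port. */
struct conn {
    uint32_t src;
    uint16_t dport;
};

/* Constructed stand-in for the kernel's conntrack table. */
struct ct_table {
    struct conn entries[MAX_CONNS];
    int n;
};

/* Parse a dotted quad into a host-order uint32. Returns 0 on failure. */
static int ip4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Netmask for a prefix length (--connlimit-mask n), clamped to 0..32. */
static uint32_t prefix_mask(int bits) {
    return bits <= 0 ? 0u : bits >= 32 ? 0xffffffffu : 0xffffffffu << (32 - bits);
}

/* Count tracked connections in the same masked source group to dport. */
static int count_group(const struct ct_table *t, uint32_t src, int maskbits,
                       uint16_t dport) {
    uint32_t m = prefix_mask(maskbits);
    int count = 0;
    for (int i = 0; i < t->n; i++)
        if ((t->entries[i].src & m) == (src & m) && t->entries[i].dport == dport)
            count++;
    return count;
}

/* Model of "-p tcp --syn --dport <dport> -m connlimit --connlimit-above <above>
 * --connlimit-mask <maskbits>" applied to a new SYN from src: the connection
 * is entered into the table (assumption: it counts itself) and the match
 * fires when the group count exceeds `above`. Returns 1 on match, else 0. */
int connlimit_above_matches(struct ct_table *t, uint32_t src, uint16_t dport,
                            int above, int maskbits) {
    if (t->n < MAX_CONNS) {
        t->entries[t->n].src = src;
        t->entries[t->n].dport = dport;
        t->n++;
    }
    return count_group(t, src, maskbits, dport) > above;
}

/* Same, taking a dotted-quad string; returns -1 on a malformed address. */
int syn_from(struct ct_table *t, const char *src, uint16_t dport, int above,
             int maskbits) {
    uint32_t a;
    if (!ip4(src, &a)) return -1;
    return connlimit_above_matches(t, a, dport, above, maskbits);
}

int main(void) {
    struct ct_table t = { .n = 0 };
    /* --connlimit-above 1 --connlimit-mask 32 on port 25: the first SYN from a
     * host does not match, the second from the same host does (REJECT). */
    printf("1st SYN from 10.0.0.5 matches: %d\n", syn_from(&t, "10.0.0.5", 25, 1, 32));
    printf("2nd SYN from 10.0.0.5 matches: %d\n", syn_from(&t, "10.0.0.5", 25, 1, 32));
    /* A different host is its own group with mask 32 ... */
    printf("1st SYN from 10.0.0.6 matches: %d\n", syn_from(&t, "10.0.0.6", 25, 1, 32));
    /* ... but with --connlimit-mask 24 the whole /24 shares one bucket. */
    printf("SYN from 10.0.0.7, /24 grouping, above 2: %d\n", syn_from(&t, "10.0.0.7", 25, 2, 24));
    return 0;
}
```

Under these assumptions a rule with --connlimit-above 1 lets the first SYN from a host through and matches from the second onwards, and --connlimit-mask 24 makes every host in the /24 draw on the same count. Whether the 2004 POM ipt_connlimit counted the new connection itself, and whether it counted anything without the connection being tracked by ip_conntrack, is not settled by the thread; those are the two things to check first when a rule like the one above never fires.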
Thread overview: 2+ messages
2004-03-22 12:59 limiting number of concurrent tcp sessions Abraham van der Merwe
2004-03-22 15:44 ` Tony Earnshaw [this message]