From: Joel Newkirk <netfilter@newkirk.us>
To: Jason <baker@cyborgworkshop.com>,
Netfilter List <netfilter@lists.netfilter.org>
Subject: Re: chance to impress the suits
Date: Thu, 27 Feb 2003 02:01:04 -0500
Message-ID: <200302270201.04762.netfilter@newkirk.us>
In-Reply-To: <Pine.LNX.4.50.0302261757350.18770-100000@alfred.home.cyborgworkshop.com>
On Wednesday 26 February 2003 06:57 pm, Jason wrote:
> Hello, I have been given a task that I think netfilter is ideal for,
> but need a little help. I need to be able to limit the number of
> connections going through a router running netfilter to a max of 500.
> When I hit 500, I want to reject any new connections. I know that the
> iplimit match does this, but I don't seem to be having any luck
> getting it to work. Here is the scenario...
>
> ----                  ----                  ----
> =A =  -> Port 80 ->   +NF+  -> Port 80 ->   =C =
> ----                  ----                  ----
>
> Simple enough. NF is my netfilter router, A is source, C is
> destination. C is an application that when it gets overworked, pretty
> much tarpits connecting clients and never lets go. I have tried many
> permutations of
>
> iptables -A FORWARD -p tcp -i lan -m state --state NEW -m iplimit --iplimit-above 1 -j REJECT
>
> without much luck. Does anyone have any idea on how to make iplimit
> in a router situation work? Should I apply this to the output chain?
Definitely the FORWARD chain; OUTPUT is for connections from the
firewalling box itself. Make sure this appears before any ACCEPT rules
in your FORWARD chain, too. Have you tried:
iptables -A FORWARD -i eth0 -p tcp --syn --dport 80 -m iplimit --iplimit-above 500 -j REJECT
This is almost precisely the format of the example rule for iplimit... I
noticed you used "-i lan" above - is that a typo? You have to specify a
valid interface name, which my version presumes is eth0 for traffic from
the LAN.
When you say "without much luck" what do you mean? Everything still gets
through, nothing gets through at all, or what? Does "iptables -L -v -n"
show any matches to this rule?
j
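Two of the checks Joel asks for (is the limit rule ahead of every ACCEPT in FORWARD, and does "iptables -L -v -n" show any matches on it) can be scripted against the listing output. The script below is an added example, not from the thread; the listings it parses are constructed samples, not captures from a real router, and the "#conn/32 > 500" match text is what the iplimit extension of that era prints for --iplimit-above 500.

```shell
#!/bin/sh
# Added example: audit an "iptables -L FORWARD -v -n" listing for the
# iplimit REJECT rule, report whether an ACCEPT precedes it (then NEW
# connections are accepted before the limit is consulted) and how many
# packets have hit it.

# Constructed sample listing: limit rule first, so ordering is correct.
SAMPLE_LISTING='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  1850 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 #conn/32 > 500 reject-with icmp-port-unreachable
 9120  612K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
  480 25600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Constructed listing with the mistake the reply warns about: an ACCEPT for
# port 80 comes first, so the REJECT never matches and its counter stays 0.
MISORDERED_LISTING='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9120  612K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 #conn/32 > 500 reject-with icmp-port-unreachable'

# rule_index LISTING TARGET [TEXT]: 1-based position of the first rule whose
# target column is TARGET and whose line contains TEXT (empty = any); 0 if none.
rule_index() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v pat="$3" '
        NR > 2 { n++; if ($3 == tgt && (pat == "" || index($0, pat) > 0)) { found = 1; print n; exit } }
        END { if (!found) print 0 }'
}

# limit_rule_pkts LISTING: "pkts" counter of the first iplimit REJECT rule
# (the matches Joel asks about); prints 0 if the rule is absent.
limit_rule_pkts() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $3 == "REJECT" && index($0, "#conn") { found = 1; print $1; exit }
        END { if (!found) print 0 }'
}

# check_limit_rule LISTING: prints "missing", "misordered" or "ok".
check_limit_rule() {
    lim=$(rule_index "$1" REJECT "#conn")
    acc=$(rule_index "$1" ACCEPT "")
    if [ "$lim" -eq 0 ]; then echo missing
    elif [ "$acc" -ne 0 ] && [ "$acc" -lt "$lim" ]; then echo misordered
    else echo ok
    fi
}

echo "sample: $(check_limit_rule "$SAMPLE_LISTING"), pkts=$(limit_rule_pkts "$SAMPLE_LISTING")"
echo "misordered: $(check_limit_rule "$MISORDERED_LISTING"), pkts=$(limit_rule_pkts "$MISORDERED_LISTING")"
```

On a live router, feed it the real output with `check_limit_rule "$(iptables -L FORWARD -v -n)"`.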