* limiting connections
From: Payal Rathod @ 2004-11-01 9:26 UTC
To: Netfilter ML
Hi,
As I mentioned in my previous mails, I use something like below to
redirect connections from outside to my internal machine.
# iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport \
8081 -j DNAT --to-destination 192.168.0.16:80
But I want only say 3 connections allowed at a time from outside. How do I
do it in iptables? I am not getting the exact syntax.
Thanks a lot in advance.
With warm regards,
-Payal
* Re: limiting connections
From: Jason Opperisano @ 2004-11-01 13:45 UTC
To: netfilter
On Mon, 2004-11-01 at 04:26, Payal Rathod wrote:
> Hi,
> As I mentioned in my previous mails, I use something like below to
> redirect connections from outside to my internal machine.
> # iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport \
> 8081 -j DNAT --to-destination 192.168.0.16:80
>
> But I want only say 3 connections allowed at a time from outside. How do I
> do it in iptables? I am not getting the exact syntax.
>
> Thanks a lot in advance.
> With warm regards,
> -Payal
have a look at the connlimit patch from POM.
-j
--
"Man, you go through life, you try to be nice to people, you struggle
to resist the urge to punch 'em in the face, and for what?"
--The Simpsons
* Re: limiting connections
From: Payal Rathod @ 2004-11-01 14:51 UTC
To: Netfilter ML
On Mon, Nov 01, 2004 at 08:45:42AM -0500, Jason Opperisano wrote:
> have a look at the connlimit patch from POM.
Can it be done without patching? I don't mind if I can drop all
connections to my external interface above say 10. i.e. only 10 people
should be allowed to connect.
With warm regards,
-Payal
* Re: limiting connections
From: Jason Opperisano @ 2004-11-01 15:04 UTC
To: Netfilter ML
On Mon, Nov 01, 2004 at 09:51:11AM -0500, Payal Rathod wrote:
> On Mon, Nov 01, 2004 at 08:45:42AM -0500, Jason Opperisano wrote:
> > have a look at the connlimit patch from POM.
>
> Can it be done without patching? I don't mind if I can drop all
> connections to my external interface above say 10. i.e. only 10 people
> should be allowed to connect.
>
> With warm regards,
> -Payal
yeah, in your web server configuration, set the maximum number of
simultaneous connections to 10.
-j
--
"Mmmm...free goo."
--The Simpsons
* Re: limiting connections
From: Payal Rathod @ 2004-11-01 16:19 UTC
To: Netfilter ML
On Mon, Nov 01, 2004 at 10:04:46AM -0500, Jason Opperisano wrote:
> yeah, in your web server configuration, set the maximum number of
> simultaneous connections to 10.
Not all webservers (especially windows based) might support it. Also
what if the server in question is not a webserver but some simple server with
no such capabilities. Hence I was looking at iptables to solve it for me.
The reason is that I am scared to re-make a core utility such as
iptables from a tar ball. I prefer rpm for such cases.
I have Mandrake 10.0 (official).
With warm regards,
-Payal
* Re: limiting connections
From: Jason Opperisano @ 2004-11-01 16:33 UTC
To: Netfilter ML
On Mon, Nov 01, 2004 at 11:19:47AM -0500, Payal Rathod wrote:
> On Mon, Nov 01, 2004 at 10:04:46AM -0500, Jason Opperisano wrote:
> > yeah, in your web server configuration, set the maximum number of
> > simultaneous connections to 10.
>
> Not all webservers (especially windows based) might support it. Also
they should (and yes, IIS does have a max conns setting).
> what if the server in question is not a webserver but some simple server with
> no such capabilities.
k.
> Hence I was looking at iptables to solve it for me.
> The reason is that I am scared to re-make a core utility such as
> iptables from a tar ball. I prefer rpm for such cases.
> I have Mandrake 10.0 (official).
which brings us back to connlimit... take a test machine, follow the
procedure for patching your kernel via POM, and instead of making and
installing the kernel, do a 'make rpm' and upgrade your production
firewall with that rpm (after testing it, of course)... making &
installing iptables from source will default to /usr/local/sbin, so it
won't interfere with your rpm-installed iptables.
the question "i want a feature from POM, but don't want to have to
compile anything" isn't very much in the spirit of linux, IMHO...maybe
i'm just a crusty old man in that respect.
-j
--
"Lisa, if the Bible has taught us nothing else, and it hasn't, it's
that girls should stick to girls sports, such as hot oil wrestling
and foxy boxing and such and such."
--The Simpsons
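As an added illustration (not code from the thread) of what the connlimit match the replies point to actually decides: a small Python model of --connlimit-above / --connlimit-mask counting, covering both the per-source limit of 3 from the first question and the "only 10 people in total" variant from the follow-up, plus the FORWARD rule that would apply it to the DNATed host. The class and function names are my own, and the mask-0 "all sources as one group" case assumes a connlimit build that accepts --connlimit-mask 0.

```python
# Added example, not from the thread: a model of the iptables connlimit match.
# connlimit counts the connections already open from the same source group
# (source address masked to --connlimit-mask bits; 0 = everyone in one group)
# plus the new one, and matches when that total exceeds --connlimit-above.
# A DROP rule built on it therefore permits exactly `above` concurrent
# connections per group. Names below are my own, not connlimit's.
import ipaddress


def group_of(src_ip: str, mask: int) -> str:
    """Source address reduced to its /mask network (the key connlimit groups by)."""
    net = ipaddress.ip_network(f"{src_ip}/{mask}", strict=False)
    return str(net.network_address)


class ConnLimit:
    def __init__(self, above: int, mask: int = 32):
        self.above, self.mask = above, mask
        self.active = set()           # (src_ip, src_port) of tracked open connections

    def new_connection(self, src_ip: str, src_port: int) -> str:
        """Verdict for a new SYN under '--connlimit-above N -j DROP'."""
        key = group_of(src_ip, self.mask)
        open_in_group = sum(1 for ip, _ in self.active
                            if group_of(ip, self.mask) == key)
        if open_in_group + 1 > self.above:      # match counts the new flow too
            return "DROP"
        self.active.add((src_ip, src_port))
        return "ACCEPT"

    def close_connection(self, src_ip: str, src_port: int) -> None:
        """Conntrack forgets the flow, which frees a slot for that group."""
        self.active.discard((src_ip, src_port))


def connlimit_rule(above: int, mask: int = 32,
                   dst: str = "192.168.0.16", dport: int = 80) -> str:
    """FORWARD rule matching this model, for traffic the thread's PREROUTING
    DNAT has already rewritten to the internal host (assumes --syn and
    connlimit support in the running iptables/kernel)."""
    return (f"iptables -I FORWARD -d {dst} -p tcp --dport {dport} --syn "
            f"-m connlimit --connlimit-above {above} --connlimit-mask {mask} "
            f"-j DROP")


if __name__ == "__main__":
    per_host = ConnLimit(above=3)               # 3 per source address
    for port in (40001, 40002, 40003, 40004):   # constructed client ports
        print(port, per_host.new_connection("203.0.113.5", port))
    print(connlimit_rule(3))
    print(connlimit_rule(10, mask=0))           # 10 connections in total
```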