* limiting connections
From: Payal Rathod @ 2004-11-01 9:26 UTC
To: Netfilter ML

Hi,
As I mentioned in my previous mails, I use something like below to
redirect connections from outside to my internal machine.

# iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport \
  8081 -j DNAT --to-destination 192.168.0.16:80

But I want only, say, 3 connections allowed at a time from outside. How do I
do it in iptables? I am not getting the exact syntax.

Thanks a lot in advance.
With warm regards,
-Payal
* Re: limiting connections
From: Jason Opperisano @ 2004-11-01 13:45 UTC
To: netfilter

On Mon, 2004-11-01 at 04:26, Payal Rathod wrote:
> Hi,
> As I mentioned in my previous mails, I use something like below to
> redirect connections from outside to my internal machine.
>
> # iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport \
>   8081 -j DNAT --to-destination 192.168.0.16:80
>
> But I want only say 3 connections allowed at a time from outside. How do I
> do it in iptables? I am not getting the exact syntax.
>
> Thanks a lot in advance.
> With warm regards,
> -Payal

have a look at the connlimit patch from POM.

-j

--
"Man, you go through life, you try to be nice to people, you struggle to
resist the urge to punch 'em in the face, and for what?"
--The Simpsons
* Re: limiting connections
From: Payal Rathod @ 2004-11-01 14:51 UTC
To: Netfilter ML

On Mon, Nov 01, 2004 at 08:45:42AM -0500, Jason Opperisano wrote:
> have a look at the connlimit patch from POM.

Can it be done without patching? I don't mind if I can drop all
connections to my external interface above, say, 10, i.e. only 10 people
should be allowed to connect.

With warm regards,
-Payal
* Re: limiting connections
From: Jason Opperisano @ 2004-11-01 15:04 UTC
To: Netfilter ML

On Mon, Nov 01, 2004 at 09:51:11AM -0500, Payal Rathod wrote:
> On Mon, Nov 01, 2004 at 08:45:42AM -0500, Jason Opperisano wrote:
> > have a look at the connlimit patch from POM.
>
> Can it be done without patching? I don't mind if I can drop all
> connections to my external interface above say 10. i.e. only 10 people
> should be allowed to connect.
>
> With warm regards,
> -Payal

yeah, in your web server configuration, set the maximum number of
simultaneous connections to 10.

-j

--
"Mmmm...free goo."
--The Simpsons
* Re: limiting connections
From: Payal Rathod @ 2004-11-01 16:19 UTC
To: Netfilter ML

On Mon, Nov 01, 2004 at 10:04:46AM -0500, Jason Opperisano wrote:
> yeah, in your web server configuration, set the maximum number of
> simultaneous connections to 10.

Not all webservers (especially Windows-based) might support it. Also,
what if the server in question is not a webserver but some simple server
with no such capabilities? Hence I was looking at iptables to solve it for me.
The reason is that I am scared to re-make a core utility such as
iptables from a tarball. I prefer rpm for such cases.
I have Mandrake 10.0 (official).

With warm regards,
-Payal
* Re: limiting connections
From: Jason Opperisano @ 2004-11-01 16:33 UTC
To: Netfilter ML

On Mon, Nov 01, 2004 at 11:19:47AM -0500, Payal Rathod wrote:
> On Mon, Nov 01, 2004 at 10:04:46AM -0500, Jason Opperisano wrote:
> > yeah, in your web server configuration, set the maximum number of
> > simultaneous connections to 10.
>
> Not all webservers (especially windows based) might support it. Also

they should (and yes, IIS does have a max conns setting).

> what if the server in question is not a webserver but some simple server with
> no such capabilities.

k.

> Hence I was looking at iptables to solve it for me.
> The reason is that I am scared to re-make a core utility such as
> iptables from a tar ball. I prefer rpm for such cases.
> I have Mandrake 10.0 (official).

which brings us back to connlimit... take a test machine, follow the
procedure for patching your kernel via POM, and instead of making and
installing the kernel, do a 'make rpm' and upgrade your production
firewall with that rpm (after testing it, of course)... making &
installing iptables from source will default to /usr/local/sbin, so it
won't interfere with your rpm-installed iptables.

the question "i want a feature from POM, but don't want to have to
compile anything" isn't very much in the spirit of linux, IMHO... maybe
i'm just a crusty old man in that respect.

-j

--
"Lisa, if the Bible has taught us nothing else, and it hasn't, it's that
girls should stick to girls sports, such as hot oil wrestling and foxy
boxing and such and such."
--The Simpsons
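The connlimit rule set the thread converges on, written out as an added example (not code from either poster): it pairs Payal's DNAT rule with a connlimit match in FORWARD that rejects connection attempts beyond the cap, and shows the per-source versus global distinction that separates "3 per client" from "10 people total". The external address, the use of FORWARD (the box is assumed to be the gateway), and the logging rule are assumptions not stated on the list; connlimit itself has been in mainline kernels since 2.6.23, so no POM patch is needed on a current system.

```shell
#!/bin/sh
# Added example (not from either poster): emit the iptables rules that cap
# simultaneous connections to the DNAT'd internal web server from the thread.
# Assumptions: the box is the gateway, so post-DNAT traffic crosses FORWARD;
# the connlimit match is present (mainline since 2.6.23, earlier via POM);
# the external address is a placeholder, because the thread never gives it.

EXT_IP="${EXT_IP:-203.0.113.10}"      # placeholder public IP (TEST-NET-3)
INT_HOST="${INT_HOST:-192.168.0.16}"  # internal server, as in the thread
EXT_PORT="${EXT_PORT:-8081}"          # port exposed outside, as in the thread
INT_PORT="${INT_PORT:-80}"            # port the internal server listens on

# Print the rules rather than apply them, so they can be reviewed before
# they touch a production firewall.
#   $1 = maximum simultaneous connections (the next one gets a TCP RST)
#   $2 = connlimit prefix mask: 32 (default) counts per source IP,
#        0 pools every source into one global counter ("10 people total")
# --syn restricts the reject to new connection attempts, so connections
# already established are never torn down by the limit.
build_rules() {
    limit="$1"
    mask="${2:-32}"
    match="-p tcp --syn -d $INT_HOST --dport $INT_PORT -m connlimit --connlimit-above $limit --connlimit-mask $mask"
    cat <<EOF
iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:$INT_PORT
iptables -A FORWARD $match -m limit --limit 5/min -j LOG --log-prefix "connlimit: "
iptables -A FORWARD $match -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -d $INT_HOST --dport $INT_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
EOF
}

# Apply the generated rules; needs root and a kernel with xt_connlimit loaded.
apply_rules() {
    build_rules "$@" | sh -e
}

# Stand-alone use: "sh limit.sh 3" prints the per-source rules for a cap of 3;
# "sh limit.sh 10 0" prints the global-cap variant Payal asked for.
if [ -n "${1:-}" ]; then
    build_rules "$1" "${2:-32}"
fi
```

The rules are evaluated in order, so the LOG and REJECT lines must sit before the ACCEPT; the LOG rule is rate-limited so a burst of rejected SYNs cannot flood the kernel log.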