* connlimit against flashget
From: Kamen TOMOV @ 2005-01-30  9:20 UTC (permalink / raw)
  To: netfilter

Hi,

I am running a small LAN and my Internet provider has limited the
number of my outgoing web connections. My clients use programs like
Flashget that spawn multiple connections to the server when
downloading big files from web sites and it is very likely that the
limit will be reached.

That is why I would like to ask you if it is a good idea to use the
connlimit match with iptables to restrict the number of parallel TCP
connections to a server per client IP address.

I plan to do something like that:

iptables -p tcp --syn --dport 80 --dst www.warez.net -m connlimit \
         --connlimit-above 2 -j REJECT

If you think that it is not a good idea could you please recommend a
solution? Changing the provider is not an option :-)

Thanks in advance,
-- 
Kamen TOMOV

* Re: connlimit against flashget
From: xa @ 2005-01-30 16:32 UTC (permalink / raw)
  To: Kamen TOMOV; +Cc: netfilter

Hi,
I just quickly took a look at the Apache documentation (you didn't say
what program you use, but on Linux port 80, I think it could be Apache)
and, as far as I can tell, it doesn't seem that there are any options to
limit the number of connections from the same IP address... (if I'm wrong,
please tell me)
FTP servers generally have this option...
Is it a good idea? It could be.
Could you inform me if it's bad or if you find something better.

(Sorry for my English)

Thanks,
xa


Kamen TOMOV wrote:
> Hi,
> 
> I am running a small LAN and my Internet provider has limited the
> number of my outgoing web connections. My clients use programs like
> Flashget that spawn multiple connections to the server when
> downloading big files from web sites and it is very likely that the
> limit will be reached.
> 
> That is why I would like to ask you if it is a good idea to use the
> connlimit match with iptables to restrict the number of parallel TCP
> connections to a server per client IP address.
> 
> I plan to do something like that:
> 
> iptables -p tcp --syn --dport 80 --dst www.warez.net -m connlimit \
>          --connlimit-above 2 -j REJECT
> 
> If you think that it is not a good idea could you please recommend a
> solution? Changing the provider is not an option :-)
> 
> Thanks in advance,

* Re: connlimit against flashget
From: Kamen TOMOV @ 2005-01-30 16:54 UTC (permalink / raw)
  To: netfilter

On Sun, Jan 30 2005, xa wrote:

> Hi,
> I just quickly take a look at Apache (you didn't say what program
> ...

My question is about the outgoing web connections - it is not about my
web server.

Thanks anyway,
-- 
Kamen TOMOV

* Re: connlimit against flashget
From: Jason Opperisano @ 2005-01-31 16:08 UTC (permalink / raw)
  To: netfilter

On Sun, Jan 30, 2005 at 11:20:19AM +0200, Kamen TOMOV wrote:
> Hi,
> 
> I am running a small LAN and my Internet provider has limited the
> number of my outgoing web connections. My clients use programs like
> Flashget that spawn multiple connections to the server when
> downloading big files from web sites and it is very likely that the
> limit will be reached.
> 
> That is why I would like to ask you if it is a good idea to use the
> connlimit match with iptables to restrict the number of parallel TCP
> connections to a server per client IP address.
> 
> I plan to do something like that:
> 
> iptables -p tcp --syn --dport 80 --dst www.warez.net -m connlimit \
>          --connlimit-above 2 -j REJECT

Just as an FYI--that rule does not limit the "number of parallel TCP
connections to a server per client IP address."  It limits the total
number of connections to that destination to 2, regardless of client IP
address.

Someone more adept with the connlimit match will hopefully jump in and
correct me, but I *believe* if you want your limit to be 2 connections
per host IP, you would use:

  iptables -p tcp --syn --dport 80 --dst www.warez.net -m connlimit \
    --connlimit-above 2 --connlimit-mask 32 -j REJECT

-j

--
"Be careful when we capture him! We cannot claim the reward unless
 we have 51% of the carcass"
        --The Simpsons

* Re: connlimit against flashget
From: Jason Opperisano @ 2005-01-31 23:31 UTC (permalink / raw)
  To: netfilter

On Mon, 2005-01-31 at 11:08, Jason Opperisano wrote:
> Just as an FYI--that rule does not limit the "number of parallel TCP
> connections to a server per client IP address."  It limits the total
> number of connections to that destination to 2, regardless of client IP
> address.
> 
> Someone more adept with the connlimit match will hopefully jump in and
> correct me, but I *believe* if you want your limit to be 2 connections
> per host IP, you would use:
> 
>   iptables -p tcp --syn --dport 80 --dst www.warez.net -m connlimit \
>     --connlimit-above 2 --connlimit-mask 32 -j REJECT

I just tested this syntax on a test machine with:

  iptables -A INPUT -p tcp --syn --dport 22 \
    -m connlimit --connlimit-above 2 --connlimit-mask 32 \
    -j REJECT --reject-with tcp-reset

and it appeared to work just as I thought--I could make 2 ssh connections
per source IP to this host.

Test machine details (I know, I know--it needs to be updated):

$ uname -a
Linux vmg2 2.4.26-gentoo-r9 #2 Fri Sep 3 07:13:35 EDT 2004 i686 Intel(R)
Pentium(R) M processor 1.70GHz GenuineIntel GNU/Linux

$ iptables -V
iptables v1.2.11

connlimit match is from patch-o-matic-ng-20040621

HTH...

-j

--
"You must be the man who didn't know whether it was a blister or
 a boil.
 It was a gummi bear."
	--The Simpsons
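The behaviour Jason tested, as an added Python model that is not part of the thread or of netfilter: it mimics how connlimit groups the connections that traversed the rule by masked source address and matches a new SYN once the count, new connection included, exceeds --connlimit-above. The server and LAN addresses in it are constructed, and the model goes beyond the thread by contrasting masks 32, 24 and 0 side by side.

```python
"""Toy model of the connlimit match discussed in the thread (constructed,
not kernel or iptables code). The rule tracks connections that hit it and,
on each new SYN, counts tracked ones whose source is in the same
--connlimit-mask group (32 = per host, 24 = per /24, 0 = all clients).
The new connection counts too, so --connlimit-above 2 admits two parallel
connections from a group and matches the third."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ConnlimitRule:
    dst: str                # --dst
    dport: int              # --dport
    above: int              # --connlimit-above
    mask: int = 32          # --connlimit-mask
    tracked: set = field(default_factory=set)

    def _group(self, src: str) -> IPv4Network:
        return IPv4Network(f"{src}/{self.mask}", strict=False)

    def syn(self, c: Conn) -> str:
        """Verdict for a new SYN; accepted connections start being tracked."""
        if (c.dst, c.dport) != (self.dst, self.dport):
            return "ACCEPT"     # --dport/--dst did not match, rule not hit
        g = self._group(c.src)
        count = 1 + sum(1 for t in self.tracked if self._group(t.src) == g)
        if count > self.above:
            return "REJECT"
        self.tracked.add(c)
        return "ACCEPT"

    def close(self, c: Conn) -> None:
        """Connection expired from conntrack; it no longer counts."""
        self.tracked.discard(c)


def verdicts(mask: int, sources: list) -> list:
    """Send one SYN per source, in order, to a constructed web server
    address through a rule equivalent to the thread's, with the given mask."""
    rule = ConnlimitRule(dst="203.0.113.10", dport=80, above=2, mask=mask)
    return [rule.syn(Conn(src, 40000 + i, rule.dst, 80))
            for i, src in enumerate(sources)]
```

With mask 32 the third SYN from 192.168.1.10 is rejected while a neighbouring host still gets through, which is the per-client behaviour the original poster wanted; with mask 24 or 0 the neighbour is counted against the same limit.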
