* [LARTC] ip_conntrack limit --- torrent , DC++ , eMule
From: foxy 202 @ 2005-05-16 13:54 UTC (permalink / raw)
To: lartc
Hi all,
I need advice on how I can limit ip_conntrack per IP.
Clients of the network that I support often use torrent, DC++ and eMule
clients, and I have lost packets because they open too many ports.
I have traffic control limits but this obviously isn't enough.
Any advice on how to prevent the server from this kind of problem will be welcome.
Best regards
Emil
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] ip_conntrack limit --- torrent , DC++ , eMule
From: gypsy @ 2005-05-17 2:52 UTC (permalink / raw)
To: lartc
The first hit from google on 'netfilter limit per ip'
returns:
> Try the "dstlimit" match in current versions of netfilter.
> Quoting from the man page: "This module allows you to limit the packet per
> second (pps) rate on a per destination IP or per destination port base. As
> opposed to the `limit' match, every destination ip / destination port has
> its own limit."
So what's wrong with YOUR google search?
--
Gypsy
* Re: [LARTC] ip_conntrack limit --- torrent , DC++ , eMule
From: gypsy @ 2005-05-18 3:15 UTC (permalink / raw)
To: lartc
foxy 202 wrote:
>
> I couldn't find any info on how to limit an IP to opening, for example, over 200
> ip_conntrack connections, not only for a single port with dport.
> I found connlimit
> http://netfilter.org/patch-o-matic/pom-base.html#pom-base-connlimit
>
> but there is a port … I cannot limit the whole IP.
>
> How can I prevent the network from
> ip_conntrack: table full, dropping packet.
> ip_conntrack: table full, dropping packet.
> Increasing ip_conntrack_max cannot go on without limits……
>
> Any suggestions are welcome.
Use your judgement, but I compiled my 2.4 kernel reducing the
tcp_timeout_established from 5 days to 2 days in
src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c, which I personally
think is still far too long. Any TCP connection that is circa 5 minutes
without activity is DEAD AFAIAC.
Don't forget the Layer 7 stuff. However, finding something to match
becomes ever more difficult.
Google may help with conntrack_max limit?
--
gypsy
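Before raising ip_conntrack_max or shortening timeouts, it helps to know which client is actually filling the table. The script below is an added example, not code from the thread: it counts /proc/net/ip_conntrack entries per originating source address and flags hosts over a threshold. It assumes the 2.4/2.6 ip_conntrack line format and uses a constructed sample instead of a live table.

```shell
#!/bin/sh
# Added example (not from the thread): find which source address is eating the
# ip_conntrack table, the first thing to check when the kernel logs
# "ip_conntrack: table full, dropping packet." Assumes the 2.4/2.6
# /proc/net/ip_conntrack line format, where the first src= field on a line is
# the connection originator and the second src= is the reply direction.

# Constructed sample of /proc/net/ip_conntrack (not a real capture).
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=40001 dport=6881 src=10.0.0.1 dst=192.168.1.10 sport=6881 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.2 sport=40002 dport=6881 src=10.0.0.2 dst=192.168.1.10 sport=6881 dport=40002 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.3 sport=4672 dport=4672 src=10.0.0.3 dst=192.168.1.10 sport=4672 dport=4672 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=10.0.0.4 sport=50000 dport=411 src=10.0.0.4 dst=192.168.1.20 sport=411 dport=50000 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.20 dst=10.0.0.5 sport=50001 dport=80 src=10.0.0.5 dst=192.168.1.20 sport=80 dport=50001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=192.168.1.10 sport=33333 dport=6881 src=192.168.1.10 dst=10.0.0.9 sport=6881 dport=33333 [ASSURED] use=1
EOF
}

# Read conntrack lines on stdin, print "<count> <originating ip>" descending.
# Only the first src= field per line is counted, so an inbound connection to a
# local host (last sample line) is charged to the remote peer that opened it.
count_by_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[substr($i, 5)]++; break } }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print originating IPs holding more than $1 table entries, busiest first.
over_threshold() {
    count_by_src | awk -v t="$1" '$1 > t { print $2 }'
}

# On a live box replace sample_conntrack with: cat /proc/net/ip_conntrack
sample_conntrack | over_threshold 2
```

Once the offender is known, the connlimit match mentioned earlier in the thread caps new connections per source address, and on 2.6 kernels the established timeout that gypsy shortened by recompiling is tunable at /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established.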
* Re: [LARTC] ip_conntrack limit --- torrent , DC++ , eMule
From: Krystian Antoni @ 2005-05-19 6:15 UTC (permalink / raw)
To: lartc
I think hashlimit is the new dstlimit with wider capabilities.
--
Have a nice day
Krystian Antoni