* Limit
From: Lyubomir Louisov @ 2005-08-26 20:38 UTC
To: netfilter
So how can I limit the number of connections on port 3333 to no more than 10
at a time with iptables?
Is it possible?
* Re: Limit
From: Taylor, Grant @ 2005-08-26 21:05 UTC
To: netfilter
Take a look at the connlimit match extension.
iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} -p tcp --dport 3333 -m connlimit --connlimit-above 10 -j DROP
Grant. . . .
Lyubomir Louisov wrote:
> So how can I limit the number of connections on port 3333 to no more than 10
> at a time with iptables?
> Is it possible?
* Re: Limit
From: Damon Gray @ 2005-08-26 21:18 UTC
To: Taylor, Grant; +Cc: netfilter
I agree connlimit is currently the way to go, however I would make two
modifications to the example below.
iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} \
    -p tcp --syn --dport 3333 -m connlimit --connlimit-above 10 \
    -j REJECT --reject-with tcp-reset
Notice the --syn and -j REJECT. I prefer rejects because if you just drop
the SYN packets most TCP stacks (by RFC) send up to 4 or 5 more to make
sure they got through. You could also send an icmp port unreachable or
something as well.
-Damon-
On Fri, 26 Aug 2005, Taylor, Grant wrote:
> Take a look at the connlimit match extension.
>
> iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} -p tcp --dport 3333 -m connlimit --connlimit-above 10 -j DROP
>
> Grant. . . .
>
> Lyubomir Louisov wrote:
>> So how can I limit the number of connections on port 3333 to no more than 10
>> at a time with iptables?
>> Is it possible?
* Re: Limit
From: Damon Gray @ 2005-08-26 21:24 UTC
To: Daniel Lopes; +Cc: netfilter
There is a way with connlimit to limit from all IPs, add a
--connlimit-mask 0
On Fri, 26 Aug 2005, Daniel Lopes wrote:
> Taylor, Grant wrote:
>> Take a look at the connlimit match extension.
>>
>> iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} -p tcp --dport 3333 -m connlimit --connlimit-above 10 -j DROP
>>
>> Grant. . . .
>>
>> Lyubomir Louisov wrote:
>>> So how can I limit the number of connections on port 3333 to no more than 10
>>> at a time with iptables?
>>> Is it possible?
>
> I first thought about the same thing. But that will allow more than 10
> connections in total. It will allow only 10 connections per IP but afaik in
> total it can then be a lot more than 10 depending on the IPs connecting. Don't
> know how you can limit it to 10 connections in total but there must be a way
> with so many options being available for iptables ;). Please correct me if I
> am wrong.
* Re: Limit
From: Daniel Lopes @ 2005-08-26 21:28 UTC
To: netfilter
Taylor, Grant wrote:
> Take a look at the connlimit match extension.
>
> iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} -p tcp --dport 3333 -m connlimit --connlimit-above 10 -j DROP
>
> Grant. . . .
>
> Lyubomir Louisov wrote:
>> So how can I limit the number of connections on port 3333 to no more than 10
>> at a time with iptables?
>> Is it possible?

I first thought about the same thing. But that will allow more than 10
connections in total. It will allow only 10 connections per IP but afaik
in total it can then be a lot more than 10 depending on the IPs
connecting. Don't know how you can limit it to 10 connections in total
but there must be a way with so many options being available for
iptables ;). Please correct me if I am wrong.
* Re: Limit
From: Taylor, Grant @ 2005-08-26 21:33 UTC
To: netfilter
*nod* You are quite correct sir.
iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} -p tcp --dport 3333 -m connlimit --connlimit-mask 0 --connlimit-above 10 -j DROP
Grant. . . .
Damon Gray wrote:
> There is a way with connlimit to limit from all IPs, add a
> --connlimit-mask 0
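The thread's point of disagreement is how connlimit groups connections: Grant's first rule counts per source host, Daniel notes that this allows 10 connections per client rather than 10 in total, and Damon's --connlimit-mask 0 puts every source in one group. The following model is an added example, not code from the thread or from netfilter. It assumes the documented connlimit semantics: existing connections are grouped by the source address masked to --connlimit-mask prefix bits (32 = per host, 24 = per /24, 0 = everyone together), and --connlimit-above N matches when the existing connections in the group plus the one being opened exceed N. Conntrack timeouts, TIME_WAIT and the destination address are ignored, and the three client addresses and their port numbers are constructed (TEST-NET ranges), as are the names ConnLimit, bucket and simulate.

```python
"""Added example (not netfilter code): a small model of how the connlimit
match groups connections, to show why a per-host rule admits far more than
10 connections on the port while --connlimit-mask 0 caps the port at 10.

Assumptions (not verified against the kernel source here): connections are
grouped by source address masked to --connlimit-mask prefix bits, and
--connlimit-above N matches when existing connections in the group plus
the new one exceed N. Conntrack ageing and the destination side are ignored."""
import ipaddress
from collections import defaultdict


def bucket(src: str, mask_bits: int) -> int:
    """Key a source address by its first mask_bits bits (mask 0 -> key 0 for everyone)."""
    net = ipaddress.ip_network(f"{src}/{mask_bits}", strict=False)
    return int(net.network_address)


class ConnLimit:
    """Stateful stand-in for '-m connlimit --connlimit-above ABOVE --connlimit-mask MASK_BITS'."""

    def __init__(self, above: int, mask_bits: int = 32):
        self.above = above
        self.mask_bits = mask_bits
        # bucket key -> set of open (src, sport) tuples
        self.open = defaultdict(set)

    def syn(self, src: str, sport: int) -> str:
        """Decide a new SYN: 'accept' or 'reject' (the rule's REJECT/DROP target fired)."""
        key = bucket(src, self.mask_bits)
        # The connection being opened is counted too, so the 11th connection
        # in a group is the first one that --connlimit-above 10 matches.
        if len(self.open[key]) + 1 > self.above:
            return "reject"
        self.open[key].add((src, sport))
        return "accept"

    def close(self, src: str, sport: int) -> None:
        """Connection torn down (conntrack entry gone): frees a slot in its group."""
        self.open[bucket(src, self.mask_bits)].discard((src, sport))


# Constructed traffic (TEST-NET addresses): three clients opening six
# connections each; the first two clients share a /24.
CLIENTS = ["203.0.113.5", "203.0.113.9", "198.51.100.7"]
SAMPLE_SYNS = [(c, 40000 + i) for c in CLIENTS for i in range(6)]


def simulate(mask_bits: int, syns=SAMPLE_SYNS, above: int = 10) -> tuple:
    """Push the SYNs through one connlimit rule; return (accepted, rejected) counts."""
    rule = ConnLimit(above, mask_bits)
    verdicts = [rule.syn(src, sport) for src, sport in syns]
    return verdicts.count("accept"), verdicts.count("reject")


if __name__ == "__main__":
    for mask in (32, 24, 0):
        print(f"--connlimit-mask {mask:2}: (accepted, rejected) = {simulate(mask)}")
```

With the constructed traffic, mask 32 accepts all 18 SYNs (each host stays under 10), mask 24 accepts 16 (the shared /24 hits its 10 and loses two), and mask 0 accepts exactly 10 and rejects 8, which is the behaviour Damon's suggestion and Grant's final rule aim for. The model also shows why Damon's --syn matters in the real rule: the decision is made once, at connection open, rather than against every packet of an already established flow.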