[LARTC] Session Limiting per host
From: Mark Dueck @ 2006-12-20 22:43 UTC (permalink / raw)
To: lartc
Someone else asked a similar question a few weeks ago, but he wanted
to do some advanced "if this then that" session limiting. Has
someone here done session limiting per host?
My situation is this: I have 2 direcway (Hughes now) satellites that
I'm sharing out to some clients. I only get about 50 sessions per
sat, so if any one of my clients has limewire or emule open with its
default sessions set to 300, no one can browse, or it's extremely sluggish.
I had a Hotbrick doing the dual wan, and it had session limiting per
IP address. Now the Hotbrick failed on me, and I need something else
to limit the sessions. Just a simple limit of say 15 sessions per
IP, or 15 new sessions / second per IP.
This site
http://www.gentoo.org/doc/en/articles/dynamic-iptables-firewalls.xml#doc_chap3
has some very good scripts, one that almost does that, but it's not a
"through traffic" limit. It's a limit directly to itself. Will this
work, or what modifications would need to be made to it? I'm not
really advanced enough in Linux, and have not had the time to really try it.
Thanks
Mark
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Session Limiting per host
From: Grant Taylor @ 2006-12-21 0:03 UTC (permalink / raw)
To: lartc
Mark Dueck wrote:
> My situation is this: I have 2 direcway (Hughes now) satellites that I'm
> sharing out to some clients. I only get about 50 sessions per sat, so
> if any one of my clients has limewire or emule open with its default
> sessions set to 300, no one can browse, or it's extremely sluggish.
>
> I had a Hotbrick doing the dual wan, and it had session limiting per IP
> address. Now the hotbrick failed on me, and I need something else to
> limit the sessions. Just a simple limit of say 15 sessions per IP, or
> 15 new sessions / second per IP.
Take a look at the connlimit match extension.
connlimit
    Allows you to restrict the number of parallel TCP connections to a
    server per client IP address (or address block).

    [!] --connlimit-above n
        match if the number of existing tcp connections is (not) above n

    --connlimit-mask bits
        group hosts using mask

    Examples:

    # allow 2 telnet connections per client host
    iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

    # you can also match the other way around:
    iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

    # limit the nr of parallel http requests to 16 per class C sized network
    # (24 bit netmask)
    iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
Grant. . . .
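Putting Grant's connlimit suggestion together with the two limits Mark asked for, as an added example that is not part of either post: a hypothetical shell script that builds rules for the FORWARD chain (through traffic, not traffic addressed to the router itself), limiting each client IP on the LAN interface to a number of parallel TCP connections with connlimit and to a number of new flows per second with hashlimit. The interface name eth1, the chain name SESSLIMIT and the limits of 15 are assumptions; the script prints the iptables commands unless APPLY=1 is set, so it can be reviewed before it is run as root. Two caveats a practitioner would want: the connlimit text quoted above counts parallel TCP connections only, so the UDP flows of a P2P client are not caught by it (the hashlimit rule, which sees every new flow, does cover them), and the --hashlimit-upto spelling belongs to newer iptables releases; older ones used --hashlimit for the same option.

```shell
#!/bin/sh
# Per-client session limiting for forwarded traffic (hypothetical example,
# not from the original posts). Assumptions: clients sit behind $LAN_IF,
# the kernel has the state, connlimit and hashlimit matches, and iptables
# is recent enough for --hashlimit-upto (older releases: --hashlimit).

LAN_IF="${LAN_IF:-eth1}"    # assumption: client-facing interface
MAX_CONN="${MAX_CONN:-15}"  # parallel TCP connections allowed per client IP
NEW_RATE="${NEW_RATE:-15}"  # new flows per second allowed per client IP

# Print the rules for the given interface and limits, one iptables
# command per line. Nothing is applied here.
session_limit_rules() {
  lan_if="$1"; max_conn="$2"; new_rate="$3"
  cat <<EOF
iptables -N SESSLIMIT 2>/dev/null || true
iptables -F SESSLIMIT
iptables -A SESSLIMIT -p tcp --syn -m connlimit --connlimit-above ${max_conn} --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A SESSLIMIT -m hashlimit --hashlimit-name newconn --hashlimit-mode srcip --hashlimit-upto ${new_rate}/sec --hashlimit-burst ${new_rate} -j RETURN
iptables -A SESSLIMIT -j DROP
iptables -I FORWARD 1 -i ${lan_if} -m state --state NEW -j SESSLIMIT
EOF
}

# How the chain works, in order:
#   1. A TCP SYN from a client that already has more than MAX_CONN
#      connections open (connlimit groups by source IP, mask 32) is
#      rejected with a RST so the client fails fast.
#   2. Any new flow (TCP or UDP) within NEW_RATE per second per source IP
#      RETURNs to FORWARD and is handled by the normal rules.
#   3. Whatever exceeds that rate is dropped.
# Only NEW packets enter the chain; established traffic is never touched.

if [ "${APPLY:-0}" = "1" ]; then
  session_limit_rules "$LAN_IF" "$MAX_CONN" "$NEW_RATE" | sh -e
else
  session_limit_rules "$LAN_IF" "$MAX_CONN" "$NEW_RATE"
fi
```

Run it once without APPLY to read the rules, then `APPLY=1 sh sesslimit.sh` as root to install them; `iptables -L SESSLIMIT -v -n` afterwards shows per-rule hit counters, which is the quickest way to see whether a client is hitting the connection ceiling (first rule) or the rate limit (last rule).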