Linux Netfilter discussions
* CONNLIMIT
@ 2005-03-30 16:35 Luiz C. Spies
  0 siblings, 0 replies; 11+ messages in thread
From: Luiz C. Spies @ 2005-03-30 16:35 UTC (permalink / raw)
  To: netfilter

Hi to all, I have tried many times to limit my port 25 to 2 connections, but I have
not achieved success yet!

I tried these rules:
iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT
iptables -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT
iptables -p tcp --syn --dport 25 -m connlimit ! --connlimit-above 2 -j ACCEPT

Does anyone have an idea?


Greetings to all!

PS: Sorry about my English!


Luiz C. Spies



^ permalink raw reply	[flat|nested] 11+ messages in thread

* CONNLIMIT
@ 2005-04-06 20:50 Luiz C. Spies
  2005-04-07  9:29 ` CONNLIMIT Rio Martin.
  0 siblings, 1 reply; 11+ messages in thread
From: Luiz C. Spies @ 2005-04-06 20:50 UTC (permalink / raw)
  To: netfilter

Hi to all, I have tried many times to limit my port 25 to 2 connections, but I have
not achieved success yet!

I tried these rules:
iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT
iptables -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT
iptables -p tcp --syn --dport 25 -m connlimit ! --connlimit-above 2 -j ACCEPT

Does anyone have an idea?


Greetings to all!

PS: Sorry about my English!


Luiz C. Spies




* Re: CONNLIMIT
  2005-04-06 20:50 CONNLIMIT Luiz C. Spies
@ 2005-04-07  9:29 ` Rio Martin.
  0 siblings, 0 replies; 11+ messages in thread
From: Rio Martin. @ 2005-04-07  9:29 UTC (permalink / raw)
  To: netfilter

Try using -j DROP instead of -j REJECT
And the last rule seemed to ACCEPT all of those rules you've applied before.
Remove it.

Regards,
Rio Martin.
---------------------------------------------------------
Network & System Engineer
Network Operation Center
INSTITUT TEKNOLOGI NASIONAL 
Email: rio@martin.mu
Website: http://www.itenas.ac.id
---------------------------------------------------------

On Wednesday 06 April 2005 20:50, Luiz C. Spies wrote:
> Hi to all, I have tried many times to limit my port 25 to 2 connections, but I have
> not achieved success yet!
>
> I tried these rules:
> iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
> iptables -A INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT
> iptables -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT
> iptables -p tcp --syn --dport 25 -m connlimit ! --connlimit-above 2 -j ACCEPT
>
> Does anyone have an idea?
>
>
> Greetings to all!
>
> PS: Sorry about my English!
>
>
> Luiz C. Spies



* connlimit
@ 2007-01-10 12:01 Martin Schiøtz
  0 siblings, 0 replies; 11+ messages in thread
From: Martin Schiøtz @ 2007-01-10 12:01 UTC (permalink / raw)
  To: netfilter

Hi

Just installed Fedora Core 6 with:
  kernel-2.6.18-1.2869.fc6
  iptables-1.3.5-1.2.1

I want to use connlimit on a bridge (eth0 and eth1) but it gives me this error:
iptables: Unknown error 4294967295

It looks like connlimit is included in iptables
(/lib/iptables/libipt_connlimit.so) but as I remember I also need the
'ipt_connlimit.ko' module in the kernel. In the old days I think I
compiled the kernel with:
CONFIG_IP_NF_MATCH_LIMIT=m

But when I look at the kernel config for kernel-2.6.18-1.2869.fc6 I
see something like:
CONFIG_NETFILTER_XT_MATCH_LIMIT=m

This is something about xtables - what is xtables?

Which module(s) do I need if I want to use 'connlimit'?

Do I need to patch with patch-o-matic?

:-)
Martin


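The first thing to verify in the situation described in the message above (userspace has libipt_connlimit.so, the kernel rejects the rule) is whether the kernel side of the match is present at all, and under which name. The script below is an added example, not code from this thread or from the netfilter project. Its assumptions are not stated on the page: it reads the registered match list from /proc/net/ip_tables_matches, and it takes the module to be patch-o-matic's ipt_connlimit for kernels before 2.6.23 and the in-tree xt_connlimit (built by CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) from 2.6.23 onwards, the version from which the 2011 reply further down dates the in-tree match. The sample match list it builds is constructed for the example.

```sh
#!/bin/sh
# Added example, not code from any message in this thread. Given a kernel
# version it names the module that should provide the connlimit match, and it
# checks whether the running kernel has actually registered the match, which
# is the first thing to verify when iptables has libipt_connlimit.so but the
# kernel refuses the rule. Assumptions, not stated on the page: the match list
# is read from /proc/net/ip_tables_matches (one name per line); before 2.6.23
# the module is patch-o-matic's ipt_connlimit, from 2.6.23 on it is the in-tree
# xt_connlimit built by CONFIG_NETFILTER_XT_MATCH_CONNLIMIT.

# connlimit_module_for_kernel VERSION
# Prints ipt_connlimit or xt_connlimit for a `uname -r` style string such as
# 2.6.18-1.2869.fc6; the distro suffix after "-" and any non-numeric tail of a
# version component are ignored.
connlimit_module_for_kernel() {
    ver=${1%%-*}
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if [ "$major" -gt 2 ] \
        || { [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; } \
        || { [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 23 ]; }
    then
        echo xt_connlimit
    else
        echo ipt_connlimit
    fi
}

# has_match NAME [FILE]
# Succeeds when NAME appears in the kernel's match list. The list only names a
# match once its module is loaded, so on a fresh boot run `modprobe` first.
has_match() {
    list=${2:-/proc/net/ip_tables_matches}
    [ -r "$list" ] && grep -qx -- "$1" "$list"
}

# sample_matches_file
# Constructed stand-in for /proc/net/ip_tables_matches on a host where
# xt_connlimit is loaded, so the check can be exercised without root or
# netfilter. Prints the path of the temporary file it wrote.
sample_matches_file() {
    f=$(mktemp) || return 1
    printf '%s\n' conntrack limit state connlimit > "$f"
    echo "$f"
}

# connlimit_status [FILE]
# One-line verdict for the running kernel; exit status 0 when the match is
# usable, 1 otherwise, naming the modprobe to try.
connlimit_status() {
    kver=$(uname -r)
    mod=$(connlimit_module_for_kernel "$kver")
    if has_match connlimit "$@"; then
        echo "kernel $kver: connlimit match registered (module $mod)"
    else
        echo "kernel $kver: connlimit match not registered; try: modprobe $mod"
        return 1
    fi
}

# Stand-alone run against the live kernel; reading the list needs no root.
connlimit_status || :
```

Run it as-is to get the verdict for the running kernel; if it reports the match as not registered, load the named module and re-run before touching patch-o-matic. A kernel whose config has the matching CONFIG_ symbol set to "m" but no module on disk points at a packaging problem rather than a missing patch.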

* connlimit
@ 2007-01-10 14:16 Carlos Miranda
  2007-01-10 15:01 ` connlimit Martin Schiøtz
  2007-01-10 16:05 ` connlimit ArcosCom Linux User
  0 siblings, 2 replies; 11+ messages in thread
From: Carlos Miranda @ 2007-01-10 14:16 UTC (permalink / raw)
  To: netfilter


After downloading patch-o-matic-20031219.tar.bz2 and running "# KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i586 ./runme pending", I could not see the CONNLIMIT module to patch the kernel.

Can anyone tell me which patch needs to be installed to have connlimit working?

Thank you,
Carlos



* Re: connlimit
  2007-01-10 14:16 connlimit Carlos Miranda
@ 2007-01-10 15:01 ` Martin Schiøtz
  2007-01-10 16:05 ` connlimit ArcosCom Linux User
  1 sibling, 0 replies; 11+ messages in thread
From: Martin Schiøtz @ 2007-01-10 15:01 UTC (permalink / raw)
  Cc: netfilter

Had the same problem but discovered that you have to do:

 [root@shaper10 patch-o-matic-ng-20070108]# ./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time

etc.

- Martin

On 1/10/07, Carlos Miranda <cerlm@hotmail.com> wrote:
>
> After downloading patch-o-matic-20031219.tar.bz2 and running "# KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i586 ./runme pending", I could not see the CONNLIMIT module to patch the kernel.
>
> Can anyone tell me which patch needs to be installed to have connlimit working?
>
> Thank you,
> Carlos



* Re: connlimit
  2007-01-10 14:16 connlimit Carlos Miranda
  2007-01-10 15:01 ` connlimit Martin Schiøtz
@ 2007-01-10 16:05 ` ArcosCom Linux User
  1 sibling, 0 replies; 11+ messages in thread
From: ArcosCom Linux User @ 2007-01-10 16:05 UTC (permalink / raw)
  To: netfilter

./runme --download



On Wed, 10 January 2007, 15:16, Carlos Miranda wrote:
>
> After downloading patch-o-matic-20031219.tar.bz2 and running "#
> KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.18/linux-2.6.18.i586 ./runme
> pending", I could not see the CONNLIMIT module to patch the kernel.
>
> Can anyone tell me which patch needs to be installed to have connlimit working?
>
> Thank you,
> Carlos





* connlimit
@ 2011-03-07 11:53 benjamin fernandis
  2011-03-07 12:04 ` connlimit Jan Engelhardt
  0 siblings, 1 reply; 11+ messages in thread
From: benjamin fernandis @ 2011-03-07 11:53 UTC (permalink / raw)
  To: netfilter

Hi,

I have a mail server with a web server which has 500 customer sites and
mail accounts. For a couple of days I have been suffering from so many
connections.

So please guide me to configure rate limiting for that. I need to configure
connlimit for http, imap, imaps, pop, smtp.

And also suggest a connlimit value which is ideal for my setup.

OS REDHAT 5.5

Thanks,
Benjo


* Re: connlimit
  2011-03-07 11:53 connlimit benjamin fernandis
@ 2011-03-07 12:04 ` Jan Engelhardt
  2011-03-07 12:31   ` connlimit benjamin fernandis
  0 siblings, 1 reply; 11+ messages in thread
From: Jan Engelhardt @ 2011-03-07 12:04 UTC (permalink / raw)
  To: benjamin fernandis; +Cc: netfilter

On Monday 2011-03-07 12:53, benjamin fernandis wrote:

>Hi,
>
>I have a mail server with a web server which has 500 customer sites and
>mail accounts. For a couple of days I have been suffering from so many
>connections.
>
>So please guide me to configure rate limiting for that. I need to configure
>connlimit for http, imap, imaps, pop, smtp.
>
>And also suggest a connlimit value which is ideal for my setup.
>
>	OS REDHAT 5.5

The OS value is suboptimal, since the 5.x series' kernel and iptables
are old and ship a broken connlimit.


* Re: connlimit
  2011-03-07 12:04 ` connlimit Jan Engelhardt
@ 2011-03-07 12:31   ` benjamin fernandis
  2011-03-07 13:18     ` connlimit Jan Engelhardt
  0 siblings, 1 reply; 11+ messages in thread
From: benjamin fernandis @ 2011-03-07 12:31 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter

Is connlimit working on a per-second basis or...?

Can I configure a limit per second per IP?


Benjo

On Mon, Mar 7, 2011 at 5:34 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2011-03-07 12:53, benjamin fernandis wrote:
>
>>Hi,
>>
>>I have a mail server with a web server which has 500 customer sites and
>>mail accounts. For a couple of days I have been suffering from so many
>>connections.
>>
>>So please guide me to configure rate limiting for that. I need to configure
>>connlimit for http, imap, imaps, pop, smtp.
>>
>>And also suggest a connlimit value which is ideal for my setup.
>>
>>       OS REDHAT 5.5
>
> The OS value is suboptimal, since the 5.x series' kernel and iptables
> are old and ship a broken connlimit.
>


* Re: connlimit
  2011-03-07 12:31   ` connlimit benjamin fernandis
@ 2011-03-07 13:18     ` Jan Engelhardt
  0 siblings, 0 replies; 11+ messages in thread
From: Jan Engelhardt @ 2011-03-07 13:18 UTC (permalink / raw)
  To: benjamin fernandis; +Cc: netfilter

On Monday 2011-03-07 13:31, benjamin fernandis wrote:

>Is connlimit working on a per-second basis or...?
>
>Can I configure a limit per second per IP?

The well-known version of xt_connlimit (as present in Linux 2.6.23 and 
onwards) supports groups of subnet prefixes of src addresses, and counts 
the _number of connections_. For _rates_, see xt_hashlimit and/or 
xt_rateest.
xt_connlimit in Linux 2.6.39 will support dstaddr matching.

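The reply above separates two different limits: connlimit counts the number of connections open from a source prefix, while hashlimit (or rateest) limits a rate, which is what the "per second per IP" question is really asking for. The script below is an added example, not code from any message in these threads; it generates an iptables-restore fragment that applies both kinds of limit to the services named in the 2011 question, and it also does for port 25 what the 2005 rules at the top of the page set out to do. Everything in it beyond the option names is an assumption: the port list and the limit values are placeholders to tune against the server's real connection counts, `-m conntrack --ctstate` is used where older iptables spells it `-m state --state`, and the `--hashlimit-above` / `--hashlimit-mode` form needs an iptables new enough for hashlimit revision 1.

```sh
#!/bin/sh
# Added example, not code from any message in these threads. Emits an
# iptables-restore fragment for the filter table that caps, per service,
#   (a) the number of concurrent connections from one source host (/32) and
#       from one /24, with connlimit (the --connlimit-mask prefix grouping), and
#   (b) the rate of new connections per source host, with hashlimit,
# which is the count-versus-rate distinction drawn in the reply above.
# Assumptions, not facts from the page: the port list and all limit values are
# placeholders; `-m conntrack --ctstate` is used (older iptables spells it
# `-m state --state`); the --hashlimit-above / --hashlimit-mode form needs an
# iptables new enough for hashlimit revision 1.

# connlimit_rules PORT PER_HOST PER_NET
# Two rules for one service. connlimit is only evaluated on the SYN, so sessions
# already established are never cut; excess SYNs are answered with a TCP RST so
# a well-behaved MTA retries later instead of hanging on a dropped packet.
connlimit_rules() {
    port=$1 per_host=$2 per_net=$3
    printf -- '-A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' "$port" "$per_host"
    printf -- '-A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 24 -j REJECT --reject-with tcp-reset\n' "$port" "$per_net"
}

# hashlimit_rule PORT RATE BURST
# Drops new connections from a source host whose SYN rate exceeds RATE (e.g.
# 60/min) after an initial burst of BURST. Counters live in a hash table named
# after the port and keyed by source address.
hashlimit_rule() {
    port=$1 rate=$2 burst=$3
    printf -- '-A INPUT -p tcp --syn --dport %s -m hashlimit --hashlimit-name p%s --hashlimit-mode srcip --hashlimit-above %s --hashlimit-burst %s -j DROP\n' "$port" "$port" "$rate" "$burst"
}

# gen_ruleset
# Complete fragment. Established traffic is accepted first so the limits only
# ever see connection attempts, and every limit rule precedes the ACCEPT for
# its port; an ACCEPT placed earlier would make the limits unreachable.
gen_ruleset() {
    echo '*filter'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # columns: port  concurrent-per-host  concurrent-per-/24  new-conn-rate  burst
    while read -r port per_host per_net rate burst; do
        connlimit_rules "$port" "$per_host" "$per_net"
        hashlimit_rule "$port" "$rate" "$burst"
        printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"
    done <<EOF
25 10 50 60/min 30
80 50 200 300/min 100
110 10 50 60/min 30
143 20 100 120/min 50
993 20 100 120/min 50
EOF
    echo 'COMMIT'
}

# Stand-alone run: print the fragment for review; as root, pipe it into
# iptables-restore to load it (it replaces the filter table's rules).
gen_ruleset
```

Review the printed fragment before loading it, and watch the per-rule counters in `iptables -L INPUT -n -v` afterwards to see which limit is actually firing. The two targets are deliberate: a RST on the concurrency cap gives a legitimate client an immediate, retryable failure, whereas a DROP on the rate limiter makes a flooding client sit through its own timeouts. Both matches depend on connection tracking, so nf_conntrack must be loaded and sized for the expected table.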


Thread overview: 11+ messages
2005-03-30 16:35 CONNLIMIT Luiz C. Spies
2005-04-06 20:50 CONNLIMIT Luiz C. Spies
2005-04-07  9:29 ` CONNLIMIT Rio Martin.
2007-01-10 12:01 connlimit Martin Schiøtz
2007-01-10 14:16 connlimit Carlos Miranda
2007-01-10 15:01 ` connlimit Martin Schiøtz
2007-01-10 16:05 ` connlimit ArcosCom Linux User
2011-03-07 11:53 connlimit benjamin fernandis
2011-03-07 12:04 ` connlimit Jan Engelhardt
2011-03-07 12:31   ` connlimit benjamin fernandis
2011-03-07 13:18     ` connlimit Jan Engelhardt
