* one rule to create per IP connlimits?
From: rabbtux rabbtux @ 2006-04-21 19:01 UTC (permalink / raw)
  To: netfilter

All,

Is there anyway I could create a rule that would create a tcp
connection limit (say 20) for traffic from say 10.10.2.96/27 that
would apply to each of the 32 IPs.  That is each address,
10.10.2.96-127 would be limited to 20 connections??  Or do I need to
make up one iptables rule per address?

It sure would be nice if I could do this with one rule per address
block, as I have several hundred addresses to limit!

Thanks in advance - marshall



* Re: one rule to create per IP connlimits?
From: Toby DiPasquale @ 2006-04-21 22:44 UTC (permalink / raw)
  To: rabbtux rabbtux; +Cc: netfilter

On 4/21/06, rabbtux rabbtux <rabbtux@gmail.com> wrote:
> All,
>
> Is there anyway I could create a rule that would create a tcp
> connection limit (say 20) for traffic from say 10.10.2.96/27 that
> would apply to each of the 32 IPs.  That is each address,
> 10.10.2.96-127 would be limited to 20 connections??  Or do I need to
> make up one iptables rule per address?

One rule per address.

> It sure would be nice if I could do this with one rule per address
> block, as I have several hundred addresses to limit!

Sure would.

--
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d



* Re: one rule to create per IP connlimits?
From: robee @ 2006-04-22 10:10 UTC (permalink / raw)
  To: netfilter

----- Original Message ----- 
From: "rabbtux rabbtux" <rabbtux@gmail.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, April 21, 2006 9:01 PM
Subject: one rule to create per IP connlimits?

> All,
> Is there anyway I could create a rule that would create a tcp
> connection limit (say 20) for traffic from say 10.10.2.96/27 that
> would apply to each of the 32 IPs.  That is each address,
> 10.10.2.96-127 would be limited to 20 connections??  Or do I need to
> make up one iptables rule per address?
> It sure would be nice if I could do this with one rule per address
> block, as I have several hundred addresses to limit!
> Thanks in advance - marshall

maybe this way:

iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 \
    -m connlimit --connlimit-above 20 -j REJECT

or

iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.10.2.96-10.10.2.127 \
    -m connlimit --connlimit-above 20 -j REJECT



robee 




* Re: one rule to create per IP connlimits?
From: Toby DiPasquale @ 2006-04-22 13:15 UTC (permalink / raw)
  To: robee; +Cc: netfilter

On 4/22/06, robee <mlody@elpec.com> wrote:
> maybe this way:
>
> iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m
> connlimit --connlimit-above 20 -j REJECT
>
> or
>
> iptables -I FORWARD -p tcp --syn -m iprange --src-range
> 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT

Those both still allow one IP to use up all the connections, leaving
none for the others.

To do this, the connlimit module would have to keep track of
individual conntracks, not just aggregate numbers. It doesn't right
now, but it could be made to do so.

--
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d



* Re: one rule to create per IP connlimits?
From: robee @ 2006-04-22 15:35 UTC (permalink / raw)
  To: netfilter

On 22-04-2006, Sat at 09:15 -0400, Toby DiPasquale wrote:
> On 4/22/06, robee <mlody@elpec.com> wrote:
> > maybe this way:
> >
> > iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m
> > connlimit --connlimit-above 20 -j REJECT
> >
> > or
> >
> > iptables -I FORWARD -p tcp --syn -m iprange --src-range
> > 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT
> 
> Those both still allow one IP to use up all the connections, leaving
> none for the others.
> 
> To do this, the connlimit module would have to keep track of
> individual conntracks, not just aggregate numbers. It doesn't right
> now, but it could be made to do so.
> 
> --
> Toby DiPasquale
> 0x636f6465736c696e67657240676d61696c2e636f6d
> 

do you mean it should be an individual rule for each IP separately?

robee




* Re: one rule to create per IP connlimits?
From: Toby DiPasquale @ 2006-04-22 18:48 UTC (permalink / raw)
  To: mlody; +Cc: netfilter

On 4/22/06, robee <mlody@elpec.com> wrote:
> do you mean it should be an individual rule for each IP separately?

Yes, that's right. So, instead of this:

iptables -A FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit \
    --connlimit-above 20 -j REJECT

which will not do what you want, you'd instead use something like this:

for i in `seq 97 126`; do
    iptables -A FORWARD \
        -p tcp --syn \
        -s 10.10.2.${i} \
        -m connlimit --connlimit-above 20 \
        -j REJECT
done

--
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d



* Re: one rule to create per IP connlimits?
From: Carl-Daniel Hailfinger @ 2006-04-24  1:41 UTC (permalink / raw)
  To: Toby DiPasquale; +Cc: robee, netfilter

Hi,

Toby DiPasquale schrieb:
> To do this, the connlimit module would have to keep track of
> individual conntracks, not just aggregate numbers. It doesn't right
> now, but it could be made to do so.

Do you have any plans to change that? If no, do you know if anybody
is maintaining connlimit right now?

I'd like a combination of hashlimit and connlimit which also works
for UDP so I can limit the number of simultaneous connections per
IP to avoid overflowing the conntrack table of upstream firewalls.


Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/



* Re: one rule to create per IP connlimits?
From: Toby DiPasquale @ 2006-04-24 13:20 UTC (permalink / raw)
  To: Carl-Daniel Hailfinger; +Cc: robee, netfilter

On 4/23/06, Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net> wrote:
> Do you have any plans to change that?

OK, so apparently I was wrong. I just checked the source code and this
is in fact what connlimit does now. It keeps a hash of conntrack entries
and counts them up when it gets fired. Therefore, the original rule
proposed by robee would in fact work as rabbtux thought:

iptables -A FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit \
    --connlimit-above 20 -j REJECT

What this is really saying is: If the IP is between 10.10.2.97 and
10.10.2.126 and we find more than 20 connections from this IP right
now in our internal table, jump to the REJECT target.

You can specify the --connlimit-mask option to tell it to limit based
on something more than a /32, but if you don't specify, /32 is the
default. The rule should still probably be used with "-j REJECT
--reject-with tcp-reset", though.

Here's the information on the usage of the rule from netfilter.org:

<snip>
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
	--connlimit-mask 24 -j REJECT
</snip>

> I'd like a combination of hashlimit and connlimit which also works
> for UDP so I can limit the number of simultaneous connections per
> IP to avoid overflowing the conntrack table of upstream firewalls.

connlimit was designed with TCP in mind and will refuse to be loaded
with anything other than -p tcp. This is because it wants to make sure
you're using --syn to only operate on the first packet of a
connection, and also b/c it will dump some conntrack entries in its
hashtable if the TCP state indicates that the connection is
terminated.

As well, I'm not so sure the combination of the two would be a good
idea. I think you'd want the connlimit rules fronting for the
hashlimit rules. Having both in one module makes changes to the
ruleset more coarse-grained, which could potentially lead to requiring
bigger changes to do what you want to do later on down the road.

Sorry about my initial confusion on this whole thing: I was thinking
of a different, older *limit rule.

--
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d

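To make the per-source semantics in that last message concrete, here is an added Python model of the connlimit decision (example code written for this page, not netfilter's own; the conntrack entries, addresses and the `verdict`/`connlimit_above` helpers are constructed for illustration). It applies robee's rule once with the default /32 mask and once with `--connlimit-mask 24`, which is the aggregate behaviour Toby initially feared:

```python
import ipaddress

# Constructed sample of the conntrack table as (src_ip, dst_ip, dst_port);
# made-up hosts from the thread's 10.10.2.96/27 block plus one outside it.
SAMPLE_CONNTRACK = (
    [("10.10.2.97", "192.0.2.10", 80)] * 20   # .97 already holds 20 connections
    + [("10.10.2.98", "192.0.2.10", 80)] * 3  # .98 holds only 3
    + [("10.10.3.5", "192.0.2.10", 80)] * 2   # not inside 10.10.2.96/27 at all
)

def connlimit_key(src_ip, mask):
    """Bucket a source address the way --connlimit-mask does: mask=32 (the
    default) counts every source on its own, mask=24 pools a whole /24."""
    return ipaddress.ip_network(f"{src_ip}/{mask}", strict=False)

def connlimit_above(conntrack, src_ip, above, mask=32):
    """True when '--connlimit-above <above>' matches a new SYN from src_ip.
    Existing conntrack entries in the same (masked) source bucket are
    counted, and the new connection counts too, so the rule really means
    'at most <above> parallel connections' (the page's telnet example:
    --connlimit-above 2 allows 2 and rejects the 3rd)."""
    key = connlimit_key(src_ip, mask)
    existing = sum(1 for s, _, _ in conntrack if connlimit_key(s, mask) == key)
    return existing + 1 > above

def verdict(conntrack, src_ip, rule):
    """Evaluate one '-p tcp --syn -s <net> -m connlimit --connlimit-above N
    [--connlimit-mask M] -j REJECT' rule for a new SYN.  Returns 'REJECT'
    when the rule fires and None when the packet falls through to later
    rules (either -s did not match or the counter is still under the limit)."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src"]):
        return None
    if connlimit_above(conntrack, src_ip, rule["above"], rule.get("mask", 32)):
        return "REJECT"
    return None

# robee's rule: per-IP, because the default --connlimit-mask is 32
PER_IP_RULE = {"src": "10.10.2.96/27", "above": 20}
# the same rule with --connlimit-mask 24: one shared counter for the /24
POOLED_RULE = {"src": "10.10.2.96/27", "above": 20, "mask": 24}

if __name__ == "__main__":
    for src in ("10.10.2.97", "10.10.2.98", "10.10.3.5"):
        print(src, "per-ip:", verdict(SAMPLE_CONNTRACK, src, PER_IP_RULE),
              "pooled:", verdict(SAMPLE_CONNTRACK, src, POOLED_RULE))
```

The model covers only the counting; the kernel match additionally drops entries whose TCP state shows the connection has terminated, as the message above notes, so counts on a live box lag slightly behind what this table shows.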

