* Limitations on connections
@ 2007-06-10 9:12 Christos Panagiotakis
2007-06-10 21:13 ` Grant Taylor
2007-06-24 13:01 ` Martijn Lievaart
0 siblings, 2 replies; 4+ messages in thread
From: Christos Panagiotakis @ 2007-06-10 9:12 UTC (permalink / raw)
To: netfilter
Hi people!
Please don't flame/blame me I don't know much about iptables (yet, I
hope so.. :-)
I was wondering if I can limit the established connections on a specific port
using iptables rules.
For example, let's say that we have an irc daemon (ircd) running on 6667,6668 etc
and/or (another example to be more specific) a shout cast streaming server
listening to 8000 or other port.
Can I limit on a) ircd the users connecting or b) e.g. the listeners
on shout cast to a specific number?
Let's say that I don't want more than 20 listeners simultaneously.
If I am not wrong, that means I don't want more than 20 established
connections on port 8000.
Is this possible using iptables rules and if yes, is it going to work
properly?
--
Deep down I am happy, because I don't wait for something to happen to me
in order to feel good.
* Re: Limitations on connections
From: Grant Taylor @ 2007-06-10 21:13 UTC (permalink / raw)
To: Mail List - Netfilter
On 6/10/2007 4:12 AM, Christos Panagiotakis wrote:
> I was wondering if I can limit the established connections on a specific
> port using iptables rules.
Try taking a look at the connlimit match extension:
http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit
Grant. . . .
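For the case asked about in this thread (no more than 20 simultaneous connections to port 8000), a connlimit rule could look like the one generated below. This is an added example, not part of any message in the thread; the function names, the INPUT chain and the tcp-reset reject are assumptions. By default connlimit counts per source address, so a total cap needs `--connlimit-mask 0`.

```shell
#!/bin/sh
# Added example: build a connlimit rule that caps simultaneous TCP
# connections to one port. Dry run only: it prints the iptables command.
# Function names here are hypothetical helpers, not part of iptables.

# is_uint VALUE MAX -> succeeds if VALUE is a decimal integer in 1..MAX
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# connlimit_rule PORT LIMIT [SCOPE]
#   SCOPE=global : one shared counter for all clients (--connlimit-mask 0)
#   SCOPE=per-ip : one counter per source address     (--connlimit-mask 32)
connlimit_rule() {
    port=$1
    limit=$2
    scope=${3:-global}
    is_uint "$port" 65535 || { echo "bad port: $port" >&2; return 2; }
    is_uint "$limit" 100000 || { echo "bad limit: $limit" >&2; return 2; }
    case "$scope" in
        global) mask=0 ;;
        per-ip) mask=32 ;;
        *) echo "bad scope: $scope" >&2; return 2 ;;
    esac
    # --syn matches only new connection attempts, so connections that are
    # already established keep working; connlimit itself relies on
    # connection tracking to count them. The rule must sit before any
    # rule that accepts traffic to this port.
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$port" "$limit" "$mask"
}

# The thread's case: at most 20 simultaneous listeners on port 8000.
connlimit_rule 8000 20 global
```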
* Re: Limitations on connections
From: Martijn Lievaart @ 2007-06-24 13:01 UTC (permalink / raw)
To: Christos Panagiotakis; +Cc: netfilter
Christos Panagiotakis wrote:
> Hi people!
>
> Please don't flame/blame me I don't know much about iptables (yet, I
> hope so.. :-)
>
> I was wondering if I can limit the established connections on a
> specific port using iptables rules.
>
> For example, let's say that we have an irc daemon (ircd) running on
> 6667,6668 etc and/or (another example to be more specific) a shout cast
> streaming server listening to 8000 or other port.
>
> Can I limit on a) ircd the users connecting or b) e.g. the listeners
> on shout cast to a specific number?
> Let's say that I don't want more than 20 listeners simultaneously.
> If I am not wrong, that means I don't want more than 20 established
> connections on port 8000.
>
> Is this possible using iptables rules and if yes, is it going to work
> properly?
>
Yes, this is possible using connlimit. It SHOULD work properly, but as I
haven't used it for a while I cannot comment on how it works. It may
also be dependent on your kernel version if you need to patch your
kernel or whether it is already included.
M4
* Re: Limitations on connections
From: Jan Kogut @ 2007-06-25 11:47 UTC (permalink / raw)
To: Martijn Lievaart; +Cc: netfilter
Martijn Lievaart wrote:
> Christos Panagiotakis wrote:
>> Hi people!
>>
>> Please don't flame/blame me I don't know much about iptables (yet, I
>> hope so.. :-)
>>
>> I was wondering if I can limit the established connections on a
>> specific port using iptables rules.
>>
>> For example, let's say that we have an irc daemon (ircd) running on
>> 6667,6668 etc and/or (another example to be more specific) a shout cast
>> streaming server listening to 8000 or other port.
>>
>> Can I limit on a) ircd the users connecting or b) e.g. the listeners
>> on shout cast to a specific number?
>> Let's say that I don't want more than 20 listeners simultaneously.
>> If I am not wrong, that means I don't want more than 20 established
>> connections on port 8000.
>>
>> Is this possible using iptables rules and if yes, is it going to work
>> properly?
>>
>
> Yes, this is possible using connlimit. It SHOULD work properly, but as
> I haven't used it for a while I cannot comment on how it works. It may
> also be dependent on your kernel version if you need to patch your
> kernel or whether it is already included.
>
> M4
>
Hello,
If you are using Debian (Etch), here is a nice tutorial on how to compile
iptables with p-o-m and kernel.
http://www.howtoforge.com/forums/archive/index.php/t-21.html
Cheers,
JK
--
Regards,
Jan Kogut
Computer Systems Administrator
Laboratory of Bioinformatics and Protein Engineering
International Institute of Molecular and Cell Biology
ul. Ks. Trojdena 4
02-109 Warsaw, Poland
http://genesilico.pl
:.