* Conntrack : limit number of NEW outgoing connections per source IP
From: Jan Rovner @ 2011-01-15 8:21 UTC (permalink / raw)
To: netfilter
Hello,
I have many computers behind a SNAT router (gateway to internet). All internal computers have assigned private IP addresses in 192.168.0.0/16 range.
I have two questions:
1) I would like to limit the RATE of newly established connections initiated by Computers, i.e. connections with NEW state in kernel conntrack. The important points:
a) I NEED to count each computer's rate counters separately (i.e. per SOURCE IP of computer establishing the connection)
b) I need to count all connection/flow type tracked by conntrack (i.e. TCP, UDP, ICMP,...)!
The solution is probably something like this - each computer is allowed to establish 5 conns per second:
iptables -A FORWARD -s internal_computer_ip1 -m state --state NEW -m limit --limit 5/second -j ACCEPT
iptables -A FORWARD -s internal_computer_ip1 -m state --state NEW -j DROP
iptables -A FORWARD -s internal_computer_ip2 -m state --state NEW -m limit --limit 5/second -j ACCEPT
iptables -A FORWARD -s internal_computer_ip2 -m state --state NEW -j DROP
iptables -A FORWARD -s internal_computer_ip3 -m state --state NEW -m limit --limit 5/second -j ACCEPT
iptables -A FORWARD -s internal_computer_ip3 -m state --state NEW -j DROP
However, there will be many rules and thus a noticeable CPU usage.
Is there any suitable iptables "smart" solution for achieving this?
2) Is it possible in similar way to limit a TOTAL NUMBER of established (assured) connections per source IP?
Important - I need to count all connection/flow types tracked by conntrack (i.e. TCP, UDP, ICMP,...)!
Thank you.
Sincerely,
Jan Rovner
* Re: Conntrack : limit number of NEW outgoing connections per source IP
From: Jan Engelhardt @ 2011-01-15 12:36 UTC (permalink / raw)
To: Jan Rovner; +Cc: netfilter
On Saturday 2011-01-15 09:21, Jan Rovner wrote:
>Hello,
>
>I have many computers behind a SNAT router (gateway to internet). All
>internal computers have assigned private IP addresses in 192.168.0.0/16
>range.
>
>I have two questions:
>
>1) I would like to limit the RATE of newly established connections
>initiated by Computers, i.e. connections with NEW state in kernel
>conntrack. The important points:
>Is there any suitable iptables "smart" solution for achieving this?
Quite easy.
iptables -A FORWARD -i internalnetwork -m conntrack --ctstate NEW,RELATED \
    -m hashlimit --hashlimit-name newflows --hashlimit-above X/Y \
    --hashlimit-mode srcip -j REJECT
>2) Is it possible in similar way to limit a TOTAL NUMBER of
>established (assured) connections per source IP?
iptables -A FORWARD -i internalnetwork -m conntrack --ctstate NEW,RELATED \
    -m connlimit --connlimit-above Z -j REJECT
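A complete ruleset built from the two matches named in the reply, hashlimit for the rate of NEW flows per source IP and connlimit for the number of concurrent flows per source IP. This is an added example, not code from either poster. It assumes a LAN interface named lan0 and the 192.168.0.0/16 prefix from the question (both are placeholders), and it counts NEW flows only rather than NEW,RELATED as in the reply, so that ICMP errors and helper-created flows (e.g. FTP data channels) are not charged against the host's rate. With DRY_RUN=1 (the default here) the commands are printed instead of executed, so the script can be inspected on any machine.

```shell
#!/bin/sh
# Added example: per-source-IP limits on NEW flows and concurrent flows
# in the FORWARD chain. LAN_IF / LAN_NET are assumed placeholders.
LAN_IF="${LAN_IF:-lan0}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
NEW_RATE="${NEW_RATE:-5/second}"   # sustained NEW flows allowed per source IP
NEW_BURST="${NEW_BURST:-10}"       # short burst above that rate before rejecting
MAX_CONNS="${MAX_CONNS:-100}"      # concurrent conntrack flows per source IP

# ipt prints the command when DRY_RUN=1 (default), otherwise runs iptables.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the rules. Both limiters are restricted to NEW packets, so packets of
# already-tracked flows (TCP, UDP and ICMP alike) are never re-counted.
build_rules() {
    ipt -N LAN_LIMIT 2>/dev/null || true
    ipt -F LAN_LIMIT
    # 1) rate of NEW flows, one hashlimit bucket per source IP.
    #    --hashlimit-name is mandatory; --hashlimit-above matches when the
    #    rate is exceeded, so the action is REJECT.
    ipt -A LAN_LIMIT -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name lan-new --hashlimit-mode srcip \
        --hashlimit-above "$NEW_RATE" --hashlimit-burst "$NEW_BURST" \
        -j REJECT
    # 2) concurrent flows, counted per host (--connlimit-mask 32).
    ipt -A LAN_LIMIT -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above "$MAX_CONNS" --connlimit-mask 32 \
        -j REJECT
    ipt -A LAN_LIMIT -j RETURN
    # Jump only for traffic entering from the LAN with an internal source.
    ipt -I FORWARD 1 -i "$LAN_IF" -s "$LAN_NET" -j LAN_LIMIT
}

# Count how many emitted rules mention a given match or option.
count_match() { DRY_RUN=1 build_rules | grep -c -- "$1"; }

build_rules
```

Two caveats worth keeping in mind with connlimit: it counts conntrack entries, so UDP and ICMP "connections" stay counted until their conntrack timeout expires, and a host that is rejected at the NEW stage still had that attempt counted by hashlimit, which is the intended behaviour for a rate limit.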