Title: Re: limit simultaneous connections

Hi J.T.,

  Thanks for the details.  I think the problem I’m having is that 1.2.11 doesn’t support connlimit:

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=3682&forum=27&post_id=10471#forumpost10471

I really don’t feel like building a custom kernel on this box because it needs to pretty much self-update.  I’ll research some more and see if maybe someone backported the connlimit module to 1.2.11.

Thank you!

Alex

From: J.T. Moore [mailto:[EMAIL PROTECTED]
Sent: Monday, June 05, 2006 9:18 PM
To: Zilber, Alexey; [EMAIL PROTECTED]; qmail-ldap@qmail-ldap.org
Subject: Re: limit simultaneous connections

Alex,

    The examples I posted are missing a few bits. Sorry for the confusion. You will need to specify an append (-A) or insert (-I) option and a chain (INPUT, OUTPUT, FORWARD). Append adds the rule to the end of the chain and it will be applied if previous rules don't apply a target action (ACCEPT, REJECT, DROP, etc.). Inserting adds the rule to the beginning of the chain, and if it matches the packet and applies the specified target action, later rules won't be checked or applied to it. If you're not already using iptables for other purposes, it doesn't matter which option (insert or append) you use, but if you have other iptables rules defined, you should review them to ensure proper operation. For example, if the last rule currently in the chain is to drop all packets not previously matched, and you append a new rule, the new rule will never be checked or used.

Use the INPUT chain if your Linux machine running iptables is receiving the packets, e.g., its IP address is 172.1.1.4

Use the OUTPUT chain if your Linux machine running iptables is sending the packets, e.g., its IP address is 65.10.10.15

Use the FORWARD chain if your Linux machine running iptables is acting as a router, e.g., routing packets between 65.10.10.15 and 172.1.1.4

Using the routing/forwarding scenario as an example and assuming there aren't any previous iptables rules in the FORWARD chain to drop the packets, the complete command would be:

/sbin/iptables -A FORWARD -s 65.10.10.15/32 -d 172.1.1.4/32  -p tcp --syn --dport 25 -m connlimit  --connlimit-above 2 -j REJECT

Also, you may want to drop packets rather than actively rejecting them, depending on your goals. By default, -j REJECT sends an ICMP port unreachable packet to the source if the packet is rejected. You can change the ICMP message type of the REJECT target with the --reject-with option. -j DROP discards the packet without sending a response. REJECT is probably what you want here.

I'm using iptables 1.3.5 on Fedora 5, but I'm pretty sure 1.2.11 supports connlimit.

J.T.
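The message above explains the two pieces the short examples lacked: a command option (-A or -I) and a chain, plus the rule-ordering consequence of each. The helper below is an added example written for this thread, not code posted by J.T. or shipped with iptables; the function names, the IPTABLES and DRY_RUN variables and the argument checks are my assumptions. It builds the complete SMTP connlimit command for a chosen chain, limit, source mask and target, refuses nonsensical input, and only executes the rule when DRY_RUN is switched off, so the generated command can be reviewed against existing rules first (e.g. a trailing drop-everything rule, where -I is needed instead of -A).

```shell
#!/bin/sh
# Added example for the qmail-ldap "limit simultaneous connections" thread.
# IPTABLES, DRY_RUN and all function names are assumptions, not part of the thread.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the command, 0 = really run it (needs root)

# Report whether this iptables build knows the connlimit match at all.
# Prints "yes" or "no"; a build without the match (the 1.2.11 problem in the
# thread) prints "no" because --help for an unknown match fails.
connlimit_supported() {
    if "$IPTABLES" -m connlimit --help >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# build_connlimit_rule CHAIN LIMIT MASK TARGET [MODE]
#   CHAIN  : INPUT, OUTPUT or FORWARD (see the chain guidance in the thread)
#   LIMIT  : connections allowed before the rule fires (--connlimit-above)
#   MASK   : prefix length grouping sources, 32 = per host, 24 = per /24
#   TARGET : REJECT (default answer to the client) or DROP (silent)
#   MODE   : -A to append (default) or -I to insert at the top of the chain
# Prints the full command line; returns 1 on invalid input.
build_connlimit_rule() {
    chain="$1"; limit="$2"; mask="$3"; target="$4"; mode="${5:--A}"
    case "$chain" in
        INPUT|OUTPUT|FORWARD) ;;
        *) echo "bad chain: $chain" >&2; return 1 ;;
    esac
    case "$mode" in
        -A|-I) ;;
        *) echo "bad mode: $mode (use -A or -I)" >&2; return 1 ;;
    esac
    case "$target" in
        REJECT|DROP) ;;
        *) echo "bad target: $target" >&2; return 1 ;;
    esac
    # limit must be a positive integer, mask a prefix length 0..32
    case "$limit" in ''|0|*[!0-9]*) echo "bad limit: $limit" >&2; return 1 ;; esac
    case "$mask" in ''|*[!0-9]*) echo "bad mask: $mask" >&2; return 1 ;; esac
    [ "$mask" -le 32 ] || { echo "bad mask: $mask" >&2; return 1; }
    echo "$IPTABLES $mode $chain -p tcp --syn --dport 25 -m connlimit --connlimit-above $limit --connlimit-mask $mask -j $target"
}

# apply_connlimit_rule: same arguments as build_connlimit_rule.
# Prints the command in dry-run mode, otherwise executes it.
apply_connlimit_rule() {
    cmd="$(build_connlimit_rule "$@")" || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $cmd"
    else
        eval "$cmd"
    fi
}

# Stand-alone usage: inbound SMTP, at most 2 concurrent connections per host,
# inserted at the top of INPUT so an existing catch-all DROP cannot shadow it.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "connlimit support: $(connlimit_supported)"
    apply_connlimit_rule INPUT 2 32 REJECT -I
fi
```

With DRY_RUN=1 (the default) nothing touches the firewall; run `DRY_RUN=0 ./connlimit.sh` as root once the printed command has been checked against `iptables -L INPUT -n --line-numbers`. The `connlimit_supported` check is the quick way to confirm whether a given iptables/kernel pair has the match before spending time on rule syntax.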

----- Original Message -----

Sent: Monday, June 05, 2006 4:33 PM

Subject: RE: limit simultaneous connections

Hi JT,

  Which version of iptables is this for?  I’m running iptables v1.2.11 (this is a CentOS 4.3 box).  There doesn’t seem to be connlimit in the docs.  Maybe I’m doing something wrong.  For example, I’m trying to do something like:

/sbin/iptables -p tcp -s 65.10.10.15 -d 172.1.1.4 --syn --dport 25 -m connlimit  --connlimit-above 2 -j REJECT

Craps out this:

iptables v1.2.11: no command specified

Try `iptables -h' or 'iptables --help' for more information.

(IP addresses changed to protect the innocent)

From: J.T. Moore [mailto:[EMAIL PROTECTED]
Sent: Monday, May 29, 2006 10:40 PM
To: Zilber, Alexey; [EMAIL PROTECTED]; qmail-ldap@qmail-ldap.org
Subject: Re: limit simultaneous connections

If you're using Linux, you could use iptables with a connlimit match to do this, e.g.

# rejects smtp connection if there are already 2 established connections from same source ip

iptables  -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 -j REJECT

# rejects smtp connection if there are already 2 established connections from same source /24 subnet

iptables  -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 --connlimit-mask 24  -j REJECT

J.T.

----- Original Message -----

Sent: Monday, May 29, 2006 8:51 PM

Subject: Re: limit simultaneous connections

Actually, I would love to see concurrencyremote per ip or subnet, with a default rule..
--------------------------
Sent from my BlackBerry Wireless Handheld


-----Original Message-----
From: Diego Zuaneti Arruda <[EMAIL PROTECTED]>
To: qmail-ldap@qmail-ldap.org <qmail-ldap@qmail-ldap.org>
Sent: Mon May 29 16:42:50 2006
Subject: limit simultaneous connections

  Hi all,

   Does anybody know of a patch to limit simultaneous connections from the same
IP?
Thanks.

Diego.