Title: Re: limit simultaneous connections

Hi J.T.,

  Just FYI, I got this working like a charm.  I found this:

http://www.redhat.com/archives/nahant-list/2005-July/msg00024.html

Got the srpm, changed the spec file and got a module built for iptables 1.2.11 for the latest CentOs plus (unsupported) kernel (2.6.9-34.107.plus.c4largesmp).

The following work like a charm:

/sbin/iptables -A OUTPUT -s 65.10.10.15 -d 172.1.1.4 -p tcp --syn --dport 25 -m connlimit --connlimit-above 25 -j REJECT
/sbin/iptables -A OUTPUT -s 65.10.10.15 -d 172.1.1.4  -p tcp --syn --dport 25 -m connlimit --connlimit-above 25 -j REJECT

Where 172.1.1.4 is an internal Exchange/Bridgehead box, and 65.10.10.15 is the qmail server itself.

Status output:

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination
REJECT     tcp  --  65.10.10.15         172.1.1.4         tcp dpt:25 flags:0x16/0x02 #conn/32 > 20 reject-with icmp-port-unreachable
REJECT     tcp  --  65.10.10.159       172.1.1.4         tcp dpt:25 flags:0x16/0x02 #conn/32 > 20 reject-with icmp-port-unreachable

Fantastic!  Though for the record, doing this using patch-o-matic and the iptables 1.2.11 source package borks the kernel module compile.  Cheers to Milan Kerslager for getting these patches.

And thank you!

Alex

From: J.T. Moore [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 05, 2006 9:53 PM
To: J.T. Moore; Zilber, Alexey; [EMAIL PROTECTED]; qmail-ldap@qmail-ldap.org
Subject: Re: limit simultaneous connections

Alex,

    You will also need the ipt_connlimit kernel module, which isn't included in the generic Linux kernels yet. It's included in the base repository of the iptables patch-o-matic next generation (pomng). You can get the most recent snapshot of the iptables pomng from http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/. Check out the documentation included in the archive.

J.T.

----- Original Message -----

From: J.T. Moore

Sent: Monday, June 05, 2006 9:17 PM

Subject: Re: limit simultaneous connections

Alex,

    The examples I posted are missing a few bits. Sorry for the confusion. You will need to specify an append (-A) or insert (-I) option and a chain (INPUT, OUTPUT, FORWARD). Append adds the rule to the end of the chain, and it will be applied if previous rules don't apply a target action (ACCEPT, REJECT, DROP, etc.). Insert adds the rule to the beginning of the chain, and if it matches the packet and applies the specified target action, later rules won't be checked or applied to it. If you're not already using iptables for other purposes, it doesn't matter which option (insert or append) you use, but if you have other iptables rules defined, you should review them to ensure proper operation. For example, if the last rule currently in the chain is to drop all packets not previously matched, and you append a new rule, the new rule will never be checked or used.

Use the INPUT chain if your Linux machine running iptables is receiving the packets, e.g., its IP address is 172.1.1.4

Use the OUTPUT chain if your Linux machine running iptables is sending the packets, e.g., its IP address is 65.10.10.15

Use the FORWARD chain if your Linux machine running iptables is acting as a router, e.g., routing packets between 65.10.10.15 and 172.1.1.4

Using the routing/forwarding scenario as an example, and assuming there aren't any previous iptables rules in the FORWARD chain to drop the packets, the complete command would be:

/sbin/iptables -A FORWARD -s 65.10.10.15/32 -d 172.1.1.4/32  -p tcp --syn --dport 25 -m connlimit  --connlimit-above 2 -j REJECT

Also, you may want to drop packets rather than actively rejecting them, depending on your goals. By default, -j REJECT sends an ICMP port unreachable packet to the source if the packet is rejected. You can change the ICMP message type of the REJECT target with the --reject-with option. -j DROP discards the packet without sending a response. REJECT is probably what you want here.

I'm using iptables 1.3.5 on Fedora 5, but I'm pretty sure 1.2.11 supports connlimit.

J.T.
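The rule-ordering and connlimit behaviour explained in the reply above can be checked offline with a small model of a netfilter chain. The following is an added example, not code from the thread or from the iptables project: it does not talk to the kernel, it only reproduces first-match evaluation (so -A versus -I decides whether a rule is ever reached), the --syn restriction to new connection attempts, and --connlimit-above N matching once more than N connections from the same source group (--connlimit-mask, /32 by default) to the destination are open. The Chain, Rule and Packet classes and the conntrack stand-in are assumptions of this model; the addresses are the ones from the thread.

```python
"""Toy model of iptables chain evaluation with a connlimit-style match.
Constructed for illustration; it does not use netfilter. The conntrack
table is modelled as a dict of open connections keyed by connection id."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses from the thread: the qmail server and the internal Exchange box.
QMAIL = "65.10.10.15"
EXCHANGE = "172.1.1.4"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int = 25
    syn: bool = True   # True models a SYN-only segment (new connection attempt)
    conn_id: int = 0   # identifies the connection this packet belongs to


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or REJECT
    src: Optional[str] = None                # -s CIDR
    dst: Optional[str] = None                # -d CIDR
    dport: Optional[int] = None              # --dport
    syn: bool = False                        # --syn
    connlimit_above: Optional[int] = None    # -m connlimit --connlimit-above N
    connlimit_mask: int = 32                 # --connlimit-mask (default /32)

    def matches(self, pkt: Packet, open_conns: Dict[int, Tuple[str, str]]) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn and not pkt.syn:
            return False
        if self.connlimit_above is not None:
            group = ip_network(f"{pkt.src}/{self.connlimit_mask}", strict=False)
            # Count tracked connections from the same source group to this
            # destination, plus the one this SYN would open.
            count = sum(1 for s, d in open_conns.values()
                        if ip_address(s) in group and d == pkt.dst)
            if pkt.conn_id not in open_conns:
                count += 1
            if count <= self.connlimit_above:
                return False
        return True


class Chain:
    """One chain with a default policy and a stand-in for conntrack."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []
        self.open_conns: Dict[int, Tuple[str, str]] = {}

    def append(self, rule: Rule) -> None:   # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I (head of chain)
        self.rules.insert(0, rule)

    def evaluate(self, pkt: Packet) -> str:
        verdict = self.policy
        for rule in self.rules:
            if rule.matches(pkt, self.open_conns):
                verdict = rule.target    # first matching terminating rule wins
                break
        if verdict == "ACCEPT" and pkt.syn:
            self.open_conns[pkt.conn_id] = (pkt.src, pkt.dst)
        return verdict

    def close(self, conn_id: int) -> None:  # connection torn down
        self.open_conns.pop(conn_id, None)


def connlimit_rule(limit: int) -> Rule:
    """The thread's rule: -s QMAIL/32 -d EXCHANGE/32 -p tcp --syn --dport 25
    -m connlimit --connlimit-above <limit> -j REJECT"""
    return Rule("REJECT", src=f"{QMAIL}/32", dst=f"{EXCHANGE}/32",
                dport=25, syn=True, connlimit_above=limit)


def open_smtp_connections(chain: Chain, ids) -> List[str]:
    return [chain.evaluate(Packet(QMAIL, EXCHANGE, conn_id=i)) for i in ids]


def limit_then_close(limit: int = 2) -> List[str]:
    """Open three connections, close the first, then try a fourth."""
    chain = Chain("ACCEPT")
    chain.append(connlimit_rule(limit))
    verdicts = open_smtp_connections(chain, (1, 2, 3))
    chain.close(1)
    return verdicts + open_smtp_connections(chain, (4,))


def append_vs_insert(limit: int = 2) -> Dict[str, List[str]]:
    """A chain that already has a blanket 'ACCEPT --dport 25' rule: the
    appended connlimit rule is never reached, the inserted one is."""
    results = {}
    for how in ("append", "insert"):
        chain = Chain("DROP")
        chain.append(Rule("ACCEPT", dport=25))
        getattr(chain, how)(connlimit_rule(limit))
        results[how] = open_smtp_connections(chain, (1, 2, 3, 4))
    return results
```

Running limit_then_close() shows the limit counting concurrent connections rather than attempts (the fourth SYN is accepted once the first connection closes), and append_vs_insert() shows why an appended rule behind an existing catch-all never fires. Widening connlimit_mask to 24 makes the counter treat the whole /24 as one source group, which is how a second sending address such as the .159 host in the status output would share a single limit.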
