Re: [LARTC] limit number of connections per ip

2006-02-03 Thread Nataniel Klug
So Rasmus,

If I put a limit into TCP connections, will it reflect into UDP connections
over the same source IP?

How can I make a limit into TCP connections?

Att,

Nataniel Klug

- Original Message - 
From: Rasmus Melgaard [EMAIL PROTECTED]
To: lartc@mailman.ds9a.nl
Sent: Thursday, February 02, 2006 7:17 PM
Subject: Re: [LARTC] limit number of connections per ip


 Well, only TCP has connections, UDP has none, it is only a stream of
 packets.

 So for each user (IP) you could make a class for TCP and one for UDP.

 IP
   /\
 TCP UDP

 The TCP class you already know how to limit, the UDP class I would limit
 with pfifo with a suitable packet limit setting (in practice this would lead
 to the same effect as the TCP conn. limiting). Although not a hard limit.

 Extra:
 I would make a separate high prio class for ICMP to communicate errors and
 connection failures back and forth.

 NB! P2P normally uses TCP (I know BitTorrent does)

 BR
 Rasmus Melgaard



 On Thursday 02 February 2006 21:58, Jan Tomak wrote:
Hello!
 
I've read a lot of mail archives, but can't find solutions for my
  problem. I have a router with about 700 users. I'm using HTB with SFQ leaf
  qdiscs for every user (client IP). So, different IPs can have their own
  rate limit. This scheme is working fine for a long time. But how can I limit
  the number of connections (sessions) from one host? I see from ip_conntrack
  that some users have more than 1000 active connections (mostly P2P UDP).
  As I know there is a connlimit patch for iptables, but it is capable of
  limiting only TCP sessions. And there is the ESFQ qdisc, allowing to divide
  bandwidth more fairly, but inside one class. In my case every user has its
  own class and I'm not able to control how many connections they do
  simultaneously by implementing ESFQ! Also I don't understand how to deal
  with it from the iptables side - connlimit will not help with UDP.
 
What can be done in my case?
 
 
 ___
 LARTC mailing list
 LARTC@mailman.ds9a.nl
 http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc



[LARTC] limit number of connections per ip

2006-02-02 Thread Jan Tomak
Hello!

I've read a lot of mail archives, but can't find solutions for my problem. I have a router with about 700 users. I'm using HTB with SFQ leaf qdiscs for every user (client IP). So, different IPs can have their own rate limit. This scheme is working fine for a long time. But how can I limit the number of connections (sessions) from one host? I see from ip_conntrack that some users have more than 1000 active connections (mostly P2P UDP). As I know there is a connlimit patch for iptables, but it is capable of limiting only TCP sessions. And there is the ESFQ qdisc, allowing to divide bandwidth more fairly, but inside one class. In my case every user has its own class and I'm not able to control how many connections they do simultaneously by implementing ESFQ! Also I don't understand how to deal with it from the iptables side - connlimit will not help with UDP.

What can be done in my case?


Re: [LARTC] limit number of connections per ip

2006-02-02 Thread Rasmus Melgaard
Well, only TCP has connections, UDP has none, it is only a stream of packets.

So for each user (IP) you could make a class for TCP and one for UDP.

IP
  /\
TCP UDP

The TCP class you already know how to limit, the UDP class I would limit with 
pfifo with a suitable packet limit setting (in practice this would lead to the 
same effect as the TCP conn. limiting). Although not a hard limit.

Extra:
I would make a separate high prio class for ICMP to communicate errors and 
connection failures back and forth.

NB! P2P normally uses TCP (I know BitTorrent does)

BR
Rasmus Melgaard



On Thursday 02 February 2006 21:58, Jan Tomak wrote:
   Hello!

   I've read a lot of mail archives, but can't find solutions for my
 problem. I have a router with about 700 users. I'm using HTB with SFQ leaf
 qdiscs for every user (client IP). So, different IPs can have their own rate
 limit. This scheme is working fine for a long time. But how can I limit the
 number of connections (sessions) from one host? I see from ip_conntrack
 that some users have more than 1000 active connections (mostly P2P UDP).
 As I know there is a connlimit patch for iptables, but it is capable of
 limiting only TCP sessions. And there is the ESFQ qdisc, allowing to divide
 bandwidth more fairly, but inside one class. In my case every user has its
 own class and I'm not able to control how many connections they do
 simultaneously by implementing ESFQ! Also I don't understand how to deal
 with it from the iptables side - connlimit will not help with UDP.

   What can be done in my case?


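The per-user TCP / UDP / ICMP split that Rasmus sketches above, written out as an added example script (it is not from the thread or from any LARTC author). It assumes a LAN-facing interface eth1 shaped by destination (client) IP, a root HTB qdisc with handle 1: and a parent class 1:1, and a user index from which the class ids are derived; the function names setup_root and add_user, the rates and the pfifo lengths are my choices. Setting TC="echo tc" prints the tc commands instead of loading them, so the script can be checked on a machine without the interface.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: each user's HTB class is split into
# TCP / UDP / ICMP leaves, as the reply above sketches (IP -> TCP, UDP).
# Assumptions (mine): LAN-facing interface eth1 shaped by destination (client)
# IP, root HTB qdisc handle 1: with parent class 1:1, users numbered 1..700.
# TC="echo tc" prints the tc commands instead of executing them (dry run).
TC=${TC:-tc}
DEV=${DEV:-eth1}
ICMP_KBIT=32   # small guaranteed slice so ICMP errors get through under load

# Root HTB qdisc, the parent class all user classes hang under, and a
# catch-all leaf (1:ffff, outside the user id range) for unclassified traffic.
setup_root() {
    $TC qdisc add dev "$DEV" root handle 1: htb default ffff
    $TC class add dev "$DEV" parent 1: classid 1:1 htb rate 100mbit
    $TC class add dev "$DEV" parent 1:1 classid 1:ffff htb rate 64kbit ceil 1mbit
}

# add_user N IP RATE_KBIT CEIL_KBIT UDP_PKT_LIMIT
#   N              user index; four class ids per user (4*700 = 2800 < 0xffff)
#   RATE_KBIT      guaranteed rate of the user class, shared by its leaves
#   CEIL_KBIT      ceiling every leaf may borrow up to
#   UDP_PKT_LIMIT  pfifo length (packets) of the UDP leaf; a burst of P2P
#                  datagrams beyond it is tail-dropped: the "soft" UDP limit
add_user() {
    n=$1; ip=$2; rate=$3; ceil=$4; udplimit=$5
    base=$((n * 4))
    user=$(printf '%x' "$base")
    tcp=$(printf '%x' $((base + 1)))
    udp=$(printf '%x' $((base + 2)))
    icmp=$(printf '%x' $((base + 3)))
    share=$(((rate - ICMP_KBIT) / 2))   # TCP and UDP each get half the rest

    # user class: the same per-client rate/ceil the original setup had
    $TC class add dev "$DEV" parent 1:1 classid "1:$user" \
        htb rate "${rate}kbit" ceil "${ceil}kbit"
    # ICMP leaf, prio 0 = served first by HTB
    $TC class add dev "$DEV" parent "1:$user" classid "1:$icmp" \
        htb rate "${ICMP_KBIT}kbit" ceil "${ceil}kbit" prio 0
    $TC qdisc add dev "$DEV" parent "1:$icmp" handle "$icmp:" pfifo limit 16
    # TCP leaf keeps SFQ for per-flow fairness
    $TC class add dev "$DEV" parent "1:$user" classid "1:$tcp" \
        htb rate "${share}kbit" ceil "${ceil}kbit" prio 1
    $TC qdisc add dev "$DEV" parent "1:$tcp" handle "$tcp:" sfq perturb 10
    # UDP leaf gets a short pfifo instead
    $TC class add dev "$DEV" parent "1:$user" classid "1:$udp" \
        htb rate "${share}kbit" ceil "${ceil}kbit" prio 2
    $TC qdisc add dev "$DEV" parent "1:$udp" handle "$udp:" pfifo limit "$udplimit"

    # classify by client IP plus IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    for pair in "1 $icmp" "6 $tcp" "17 $udp"; do
        set -- $pair
        $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
            match ip dst "$ip/32" match ip protocol "$1" 0xff flowid "1:$2"
    done
}

# Stand-alone dry run:  TC="echo tc" sh split_user.sh demo
case "${1:-}" in
    demo) setup_root; add_user 1 10.0.0.5 512 2048 64 ;;
esac
```

The pfifo limit on the UDP leaf is a queue length in packets, not a count of flows: a client with a thousand P2P UDP "sessions" still gets its share of the user rate, but once its datagrams fill the short queue the surplus is tail-dropped instead of crowding out the TCP and ICMP leaves. That is the "not a hard limit" caveat in the reply, and it is what makes a separate high-priority ICMP leaf worthwhile, since the unreachables and errors for dropped traffic still get delivered.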


Re: [LARTC] Limit number of connections

2003-09-23 Thread Rio Martin
On Tuesday 23 September 2003 12:51, [EMAIL PROTECTED] wrote:
 Hello Rio,
 Tuesday, September 23, 2003, 5:42:03 AM, you wrote:
 Or you can use patch-o-matic connlimit + MARK.
 This adds the CONFIG_IP_NF_MATCH_CONNLIMIT match, which allows you to restrict the
 number of parallel TCP connections to a server per client IP address
 (or address block).

Yes, this is good, but I haven't tried iptables patch-o-matic before..
Could you forward me documentation guide for installing iptables 
patch-o-matic?

- Rio.Martin -

___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Re: [LARTC] Limit number of connections

2003-09-23 Thread aqil
On 23-Sep-2003, Rio Martin wrote:
 On Tuesday 23 September 2003 12:51, [EMAIL PROTECTED] wrote:
  Hello Rio,
  Tuesday, September 23, 2003, 5:42:03 AM, you wrote:
  Or you can use patch-o-matic connlimit + MARK.
  This adds the CONFIG_IP_NF_MATCH_CONNLIMIT match, which allows you to restrict the
  number of parallel TCP connections to a server per client IP address
  (or address block).
 
 Yes, this is good, but I haven't tried iptables patch-o-matic before..
 Could you forward me documentation guide for installing iptables 
 patch-o-matic?

I think what Rio asked you to do is to forward the documentation guide of
patch-o-matic to the list, since I and probably some of the other listers
also want to give it a try.

TIA
aqil


[LARTC] Limit number of connections

2003-09-22 Thread Mihai Vlad
Hello again,

I have a router/nat linux box. I managed to create some HTB classes and
everything is OK.
When people are using download managers like FlashGet and DAP (multiple
connection ones), the ceil limiting works okay, 
but the rate parameter is somehow useless... The guaranteed bandwidth is
never reached. 
So what can I do to limit the number of connections/computer? 
I want to make sure that they do not use more than one connection for
the download manager.

Thanks in advance




Re[2]: [LARTC] Limit number of connections

2003-09-22 Thread nuclearcat
Hello Rio,

Tuesday, September 23, 2003, 5:42:03 AM, you wrote:

Or you can use patch-o-matic connlimit + MARK.

This adds the CONFIG_IP_NF_MATCH_CONNLIMIT match, which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).

Examples:

# allow 2 telnet connections per client host (rule appended to the INPUT chain)
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT


But I am not sure it is a performant solution.

RM On Monday 22 September 2003 21:21, Mihai Vlad wrote:
 Hello again,
 I have a router/nat linux box. I managed to create some HTB classes and
 everything is OK.
 When people are using download managers like FlashGet and DAP (multiple
 connection ones), the ceil limiting works okay,
 but the rate parameter is somehow useless... The guaranteed bandwidth is
 never reached.
 So what can I do to limit the number of connections/computer?
 I want to make sure that they do not use more than one connection for
 the download manager.
 Thanks in advance

RM Actually this is not a Bandwidth Limiter task,
RM this could be handled by your proxy, like Squid. Check the configuration 
RM and enable maxconn ACL for file types: .exe .tar.gz .zip .iso .. etc ..

RM - Rio.Martin -




-- 
Best regards,
 Denis  mailto:[EMAIL PROTECTED]

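The connlimit rule Denis quotes above, applied to the NAT router in Mihai's question, plus the "connlimit + MARK" variant he mentions, as an added example (not from the thread and not iptables' own documentation). It assumes a LAN interface eth1, a WAN interface eth0, clients in 192.168.1.0/24 and fwmark 9 for over-limit traffic; limit_port and mark_excess are my names, and the LOG rule in front of the REJECT is my addition so that clients hitting the limit are visible in syslog. Setting IPT="echo iptables" prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread and not iptables' own documentation:
# connlimit rules for a Linux NAT router that cap the parallel TCP
# connections each LAN host may open to one destination port, plus the
# "connlimit + MARK" variant mentioned above.
# Assumptions (mine): LAN interface eth1, WAN interface eth0, clients in
# 192.168.1.0/24, fwmark 9 for over-limit traffic. IPT="echo iptables"
# prints the rules instead of loading them (dry run).
IPT=${IPT:-iptables}
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXCESS_MARK=9

# limit_port PORT MAX [MASK]
#   Refuses the SYN that would open connection MAX+1 from one client to PORT.
#   MASK 32 counts per host; MASK 24 counts a whole /24 as one client.
#   --syn matches connection attempts only, so transfers already running
#   are never cut mid-stream.
limit_port() {
    port=$1; max=$2; mask=${3:-32}
    # 1. log the offending SYN (rate-limited so a download manager cannot
    #    flood syslog), so over-limit clients show up in the logs
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$max" --connlimit-mask "$mask" \
        -m limit --limit 3/min -j LOG --log-prefix "connlimit port $port: "
    # 2. answer it with a TCP RST so the client gives up at once instead of
    #    retrying a silently dropped SYN
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$max" --connlimit-mask "$mask" \
        -j REJECT --reject-with tcp-reset
}

# mark_excess MAX [MASK]
#   The "connlimit + MARK" variant: packets of connections beyond MAX per
#   client are tagged with fwmark EXCESS_MARK in mangle/PREROUTING instead of
#   being refused; tc can then steer them into a low-priority class, e.g.
#   tc filter add dev eth0 parent 1: protocol ip prio 2 handle 9 fw flowid 1:ffff
mark_excess() {
    max=$1; mask=${2:-32}
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -m connlimit --connlimit-above "$max" --connlimit-mask "$mask" \
        -j MARK --set-mark "$EXCESS_MARK"
}

# Stand-alone dry run:  IPT="echo iptables" sh connlimit_rules.sh demo
case "${1:-}" in
    demo) limit_port 80 2; limit_port 443 2; mark_excess 8 ;;
esac
```

Two details matter in practice. The limit applies per (masked) client address to the traffic the rule otherwise matches, here TCP SYNs to one port, so the HTTP and HTTPS limits above are counted separately; and, as the 2006 thread on this list points out, the patch-o-matic match discussed here counts TCP connections only, so it does nothing for UDP-heavy P2P traffic.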