Re: ip_conntrack limit --- torrent, DC++, eMule

Linux Advanced Routing and Traffic Control


foxy 202 wrote:
> 
> I couldn't find any info on how to limit an IP to opening, for example, over 200
> ip_conntrack connections, not only for a single port with dport.
> I found connlimit
>     http://netfilter.org/patch-o-matic/pom-base.html#pom-base-connlimit
> 
> but there is a port? I cannot limit a whole IP.
> 
> How can I prevent the network from
> ip_conntrack: table full, dropping packet.
> ip_conntrack: table full, dropping packet.
> Increasing ip_conntrack_max cannot go on without limits??
> 
> Any suggestions are welcome

Use your judgement, but I compiled my 2.4 kernel reducing the
tcp_timeout_established from 5 days to 2 days in
src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c, which I personally
think is still far too long.  Any TCP connection that is cca 5 minutes
without activity is DEAD AFAIAC.

Don't forget the Layer 7 stuff.  However, finding something to match
becomes ever more difficult.

Google may help with the conntrack_max limit?
--
gypsy

> On 5/17/05, gypsy <gypsy@xxxxxxxxxx> wrote:
> > foxy 202 wrote:
> > >
> > > Hi all,
> > >  I need advice on how I can limit ip_conntrack per IP.
> > > Clients of the network that I support often use torrent, DC++ and eMule
> > > clients, and I have lost packets because they open too many ports.
> > >
> > > I have traffic control limits, but this obviously isn't enough.
> > >
> > > Any advice on how to prevent the server from this kind of problem will be welcome.
> > >
> > > Best regards
> > > Emil
> >
> > The first hit from google on 'netfilter limit per ip'
> > returns:
> >
> > > Try the "dstlimit" match in current versions of netfilter.
> >
> > > Quoting from the man page: "This module allows you to limit the packet per
> > > second (pps) rate on a per destination IP or per destination port base. As
> > > opposed to the `limit' match, every destination ip / destination port has
> > > its own limit."
> >
> > So what's wrong with YOUR google search?
> > --
> > Gypsy
> >
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
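The thread argues about the /proc/net/ip_conntrack table without ever showing it. The following added example (not from the list or any of its posters) parses that file, reports which LAN clients hold more entries than a per-IP ceiling such as the 200 foxy mentions, and, following gypsy's point about tcp_timeout_established, lists ESTABLISHED entries that have sat idle longer than a chosen number of seconds. It assumes the 2.4 ip_conntrack line layout (the later nf_conntrack layout with its leading "ipv4 2" columns is also accepted) and the 5-day default timeout; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/ip_conntrack layout (2.4 kernels); the third
# column is the number of seconds left before the kernel drops the entry.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=40001 dport=6881 src=10.0.0.1 dst=192.168.1.10 sport=6881 dport=40001 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.168.1.10 dst=10.0.0.2 sport=40002 dport=6881 src=10.0.0.2 dst=192.168.1.10 sport=6881 dport=40002 [ASSURED] use=1
tcp      6 119 SYN_SENT src=192.168.1.10 dst=10.0.0.3 sport=40003 dport=411 [UNREPLIED] src=10.0.0.3 dst=192.168.1.10 sport=411 dport=40003 use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.4 sport=40004 dport=4672 [UNREPLIED] src=10.0.0.4 dst=192.168.1.10 sport=4672 dport=40004 use=1
tcp      6 431900 ESTABLISHED src=192.168.1.20 dst=10.0.0.5 sport=50000 dport=80 src=10.0.0.5 dst=192.168.1.20 sport=80 dport=50000 [ASSURED] use=1
"""

TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 2.4 default: 5 days (gypsy cut it to 2)

ENTRY_RE = re.compile(
    r"^(?:ipv[46]\s+\d+\s+)?"      # 2.6+ nf_conntrack prefixes the L3 family
    r"(?P<proto>\w+)\s+\d+\s+"     # L4 protocol name and number
    r"(?P<timeout>\d+)\s+"         # seconds until the entry expires
    r"(?:(?P<state>[A-Z_]+)\s+)?"  # TCP state; absent for udp/icmp
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"  # original direction: src is the client
)

def parse_conntrack(text):
    """One dict per conntrack line; lines that do not match are skipped."""
    entries = []
    for m in (ENTRY_RE.match(line) for line in text.splitlines()):
        if m:
            entries.append({"proto": m["proto"], "timeout": int(m["timeout"]),
                            "state": m["state"] or "", "src": m["src"], "dst": m["dst"]})
    return entries

def clients_over_limit(entries, limit):
    """Clients (original-direction src) holding more than `limit` entries,
    the per-IP ceiling foxy asks for (200) but cannot express with dport."""
    counts = Counter(e["src"] for e in entries)
    return {ip: n for ip, n in counts.items() if n > limit}

def idle_seconds(entry, configured_timeout=TCP_ESTABLISHED_TIMEOUT):
    """Each packet resets the timer, so idle time = configured timeout - remaining."""
    return configured_timeout - entry["timeout"]

def stale_established(entries, max_idle, configured_timeout=TCP_ESTABLISHED_TIMEOUT):
    """ESTABLISHED TCP entries idle longer than max_idle seconds: the entries a
    shorter tcp_timeout_established would already have freed from the table."""
    return [e for e in entries if e["proto"] == "tcp" and e["state"] == "ESTABLISHED"
            and idle_seconds(e, configured_timeout) > max_idle]
```

On a live router, read the real file instead of the sample and pass gypsy's 5 minutes (300) as max_idle to see how much of the table is held by dead connections.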
