Re: Strategy for penalising IPs with too many simultaneous sessions

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> What I would like to do instead is allow the user to use any protocol 
> they like, with the caveat that attempting to open many connections 
> simultaneously will result in a steadily decreasing share of the pipe, 
> rather than a steadily increasing one.

I solved this in a similar but slightly different way. I use connlimit
to monitor for when a user has 5 or more connections on ports above
1024. When they have, they are dropped into an ipset; all their traffic
is then monitored and any traffic on ports above 1024 is dropped to a
very low priority.

This has the advantage that web browsing they do is unaffected. Also,
it's slightly safer than your proposed method - I have seen instances
when just normal surfing of the web can create 5 connections or more.

Something like this (eth0 is the user's network):

iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 1024: -m \
connlimit --connlimit-above 5 -j SET --add-set p2p src

iptables -t mangle -A FORWARD -o eth0 -p tcp -m multiport --sport \
1024:65535 -m set --set p2p dst -j MARK --set-mark 60

iptables -t mangle -A FORWARD -i eth0 -p tcp -m multiport --dport \
1024:65535 -m set --set p2p src -j MARK --set-mark 60

You'll have to compile your kernel with ipset and connlimit support.

Andy Beverley


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux