Mark Dueck wrote:
My situation is this: I have 2 direcway (Hughes now) satellites that I'm
sharing out to some clients. I only get about 50 sessions per sat, so
if any one of my clients has limewire or emule open with its default
sessions set to 300, no one can browse, or it's extremely sluggish.
I had a Hotbrick doing the dual wan, and it had session limiting per IP
address. Now the Hotbrick failed on me, and I need something else to
limit the sessions. Just a simple limit of say 15 sessions per IP, or
15 new sessions / second per IP.
Take a look at the connlimit match extension.
connlimit
    Allows you to restrict the number of parallel TCP connections to a
    server per client IP address (or address block).

    [!] --connlimit-above n
        match if the number of existing tcp connections is (not) above n

    --connlimit-mask bits
        group hosts using mask

Examples:
# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
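For the forwarding box Mark describes, here is the whole thing worked out as a script. This is an added example for this thread, not code from either poster or from the iptables man page. It assumes the clients sit behind eth1 on 192.168.1.0/24, that the kernel has the connlimit and hashlimit matches (the thread only mentions connlimit; hashlimit is the natural tool for the "15 new sessions per second per IP" form of the request), and that the `SESSLIMIT` chain name and the conntrack sample lines are ours. The rules go in FORWARD, not INPUT, because the clients' traffic passes through the box rather than terminating on it.

```shell
#!/bin/sh
# Per-client session limiting on a Linux router's FORWARD chain.
# Added example for this thread, not code from either poster.
# Assumptions: clients are behind LAN_IF/LAN_NET (values below are ours), and the
# kernel has the connlimit and hashlimit matches (xt_connlimit, xt_hashlimit).

LAN_IF="${LAN_IF:-eth1}"                   # assumed client-side interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # assumed client address block
MAX_SESSIONS="${MAX_SESSIONS:-15}"         # parallel TCP connections per client IP
MAX_NEW_PER_SEC="${MAX_NEW_PER_SEC:-15}"   # new conntrack entries per second per client IP
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the rules, 0 = apply them (needs root)

# Emit the ruleset as text so it can be reviewed before it is applied.
# The limits live in their own chain so they can be flushed and rebuilt
# without touching the rest of FORWARD.
#  - connlimit: reject a client's new TCP connection (SYN) once it already holds
#    MAX_SESSIONS tracked TCP connections; mask 32 means "per single IP".
#  - hashlimit: drop NEW flows of any protocol (TCP, UDP, ICMP) from a source IP
#    that opens more than MAX_NEW_PER_SEC per second, with an equal burst.
gen_rules() {
    cat <<EOF
iptables -N SESSLIMIT 2>/dev/null || iptables -F SESSLIMIT
iptables -A SESSLIMIT -p tcp --syn -m connlimit --connlimit-above $MAX_SESSIONS --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A SESSLIMIT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name newconn --hashlimit-mode srcip --hashlimit-above ${MAX_NEW_PER_SEC}/sec --hashlimit-burst $MAX_NEW_PER_SEC -j DROP
iptables -A SESSLIMIT -j RETURN
iptables -D FORWARD -i $LAN_IF -s $LAN_NET -j SESSLIMIT 2>/dev/null || true
iptables -I FORWARD 1 -i $LAN_IF -s $LAN_NET -j SESSLIMIT
EOF
}

# Report which LAN clients currently hold more than $1 conntrack entries.
# Reads `conntrack -L` (or /proc/net/nf_conntrack) text on stdin. Each line
# carries two src= fields; only the first is the original (client) direction.
over_limit() {
    awk -v limit="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
        END { for (ip in n) if (n[ip] > limit + 0) print n[ip], ip }' |
    sort -rn
}

# Constructed conntrack lines for a stand-alone run (not captured from a real box):
# 192.168.1.20 holds three entries, 192.168.1.30 holds one.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.10 sport=51234 dport=80 src=198.51.100.10 dst=203.0.113.5 sport=80 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.11 sport=51235 dport=443 src=198.51.100.11 dst=203.0.113.5 sport=443 dport=51235 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.20 dst=198.51.100.12 sport=51236 dport=4662 [UNREPLIED] src=198.51.100.12 dst=203.0.113.5 sport=4662 dport=51236 mark=0 use=1
udp      17 29 src=192.168.1.30 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1'

case "$DRY_RUN" in
    0) gen_rules | sh ;;
    *) gen_rules
       echo "# clients above 2 sessions in the sample conntrack table:"
       printf '%s\n' "$SAMPLE_CONNTRACK" | over_limit 2 ;;
esac
```

Two things to keep in mind when using it. connlimit counts entries in the conntrack table, so the box must be tracking the clients' flows (a NAT box already is), and entries for closed connections linger for their conntrack timeout, so the effective ceiling is a little tighter than the number you set. The hashlimit rule is the "15 new sessions per second" variant and deliberately has no `-p tcp`, because a satellite modem's session table will also fill with UDP flows (emule's Kad traffic, DNS), which a TCP-only connlimit rule never sees. To find the offending client on a live box, feed `conntrack -L` to `over_limit` with your limit as the argument.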