I presume this is exactly what you are asking? From
patch-o-matic/base/iplimit.patch.help:

Author: Gerd Knorr <kraxel@bytesex.org>
Status: ItWorksForMe[tm]

This adds the CONFIG_IP_NF_MATCH_IPLIMIT match, which allows you to restrict
the number of parallel TCP connections to a server per client IP address (or
address block).

Examples:

# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT

# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 \
    --iplimit-mask 24 -j REJECT

Good luck
- Alex.

On Fri, 2003-01-03 at 16:47, Daniel Fenert wrote:
> Is there a simple way to limit the number of connections coming from a
> particular client (IP address or subnet)?
> I've searched through the archive, and found only some patch to the CVS
> version of netfilter (it was year 2000)...
>
> I've got a problem with a few clients: they are able to make 200+
> connections on a 128Kbit connection (according to /proc/net/ip_conntrack).
>
> I thought about it today for a few minutes, and came up with the idea:
> 1) Parse /proc/net/ip_conntrack and get clients with more than xxx
>    connections
> 2) Set up a rule to DROP NEW,RELATED to force them to close some connections
> 3) Wait a minute, go to 1), additionally checking the number of connections
>    for blocked IPs. If the number drops below xxx, delete the DROP NEW,... rule
> This is ugly, but will possibly work.
>
> I hope that there's a better way to do it?
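Daniel's step 1 (scanning /proc/net/ip_conntrack for clients holding too many parallel connections) as an added, stand-alone Python example; this is not code from the thread or from the iplimit patch. It keys the count by the client address masked to a prefix length, mirroring what --iplimit-mask does, and assumes the 2.4-era ip_conntrack line layout shown in the constructed sample (the first src=/dst= pair is the original direction).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack output (not from a real host).
# Only the original-direction tuple (first src=/dst=/sport=/dport=) is used.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.1.2.3 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=10.1.2.3 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.1.2.3 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=10.1.2.3 sport=80 dport=40002 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.1.2.4 dst=192.0.2.10 sport=40003 dport=80 src=192.0.2.10 dst=10.1.2.4 sport=80 dport=40003 [ASSURED] use=1
tcp      6 117 SYN_SENT src=10.1.2.5 dst=192.0.2.10 sport=40004 dport=80 [UNREPLIED] src=192.0.2.10 dst=10.1.2.5 sport=80 dport=40004 use=1
tcp      6 431999 ESTABLISHED src=10.9.9.9 dst=192.0.2.10 sport=40005 dport=23 src=192.0.2.10 dst=10.9.9.9 sport=23 dport=40005 [ASSURED] use=1
udp      17 29 src=10.1.2.3 dst=192.0.2.10 sport=5000 dport=53 src=192.0.2.10 dst=10.1.2.3 sport=53 dport=5000 use=1
"""

# proto, ttl, timeout, optional TCP state, then the original-direction tuple.
ORIG_DIR = re.compile(
    r"^(\w+)\s+\d+\s+\d+\s+(?:([A-Z_]+)\s+)?"
    r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)"
)


def load_conntrack(path="/proc/net/ip_conntrack"):
    """Read the live table; the kernel path is an assumption for 2.4 hosts."""
    with open(path) as fh:
        return fh.read()


def count_clients(conntrack_text, dport, mask=32, proto="tcp"):
    """Count original-direction flows to `dport` per client address block.
    `mask` plays the role of --iplimit-mask: 32 = per host, 24 = per /24."""
    counts = Counter()
    for line in conntrack_text.splitlines():
        m = ORIG_DIR.match(line)
        if not m:
            continue  # not a flow line we understand; skip rather than guess
        lproto, _state, src, _dst, _sport, ldport = m.groups()
        if lproto != proto or int(ldport) != dport:
            continue
        block = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        counts[str(block)] += 1
    return counts


def clients_above(conntrack_text, dport, limit, mask=32):
    """Address blocks with more than `limit` parallel flows to `dport`: the
    set a rule with --iplimit-above `limit` --iplimit-mask `mask` would hit."""
    counts = count_clients(conntrack_text, dport, mask)
    return sorted(block for block, n in counts.items() if n > limit)


if __name__ == "__main__":
    for block in clients_above(SAMPLE_CONNTRACK, 80, 1):
        print("over limit:", block)
```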