What we have is a server that makes as many connections to an application as it can. It's supposed to be a realtime app, so this is desired behaviour. Unfortunately, the app is owned by a different group that can't seem to get a grip on how much hardware they need. So we max them out, and their solution when they hit too many connections is to allow the port to be opened by the client (us) but never send any data or a RST or anything! So my server ends up with tens of thousands of connections in wait and I end up running out of threads pretty quickly.

So my thought was by putting an iptables box in the stream with iplimit and either redirecting connections that go over a max count to a "sorry we're busy" page or denying the connection altogether, I can save my machine until they get the hardware they need. Is there perhaps a better method? Right now I have to babysit my servers from 8pm to 3am and kill the route to their application when things get ugly. Pretty nasty solution.

-- 
Jason Baker
baker@cyborgworkshop.com
www.cyborgworkshop.com

On Thu, 27 Feb 2003, Arnt Karlsen wrote:

> On Thu, 27 Feb 2003 02:01:04 -0500,
> Joel Newkirk <netfilter@newkirk.us> wrote in message
> <200302270201.04762.netfilter@newkirk.us>:
>
> > On Wednesday 26 February 2003 06:57 pm, Jason wrote:
> >
> > > iptables -A FORWARD -p tcp -i lan -m state --state NEW -m iplimit
> > > --iplimit-above 1 -j REJECT
> > ..<snip>
> >
> > Definitely the FORWARD chain, OUTPUT is for connections from the
> > firewalling box itself. Make sure this appears before any ACCEPT
> > rules in your FORWARD chain, too. Have you tried:
> >
> > iptables -A FORWARD -i eth0 -p tcp --syn --dport 80 -m iplimit
> > --iplimit-above 500 -j REJECT
> >
> > This is almost precisely the format of the example rule for iplimit...
> > I noticed you used "-i lan" above - is that a typo? You have to
> > specify a valid interface name, which my version presumes is eth0 for
> > traffic from the LAN.
>
> .." -i $lan "? AFAICT, above rule is valid if "lan" is a substitute
> for an ip address etc, for a variable, you will want to declare it,
> some people like CAPS, for, say, " -i $LAN ", YMMV.
>
> ..you don't mention _why_ your suits want this. Using un-throttled
> 802.11 links with some _cheap_ routers that rebooted! every time
> they got 256 simultaneous connections for a client, I started with
> throttling, then capping connections, and ended up wrapping all his
> isp clients in vpn/poptop tunnels. Poptop, because some people
> still run Wintendo 95, and my client likes this business too.
>
> ..yup, my first client is an isp. ;-)
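As an added example (not code from the thread or from the netfilter project), a small POSIX shell script for the babysitting step: it counts live connections to the application endpoint from `ss -tan` output and prints, rather than applies, the FORWARD rule in the form the thread discusses, so the rule can be reviewed before it goes on the firewall box. The sample `ss` output, the addresses 10.0.0.5 and 192.0.2.10:80, and the function names are constructed assumptions; on current kernels the iplimit match has been renamed connlimit (`-m connlimit --connlimit-above`), so the printed rule would need that spelling there.

```shell
#!/bin/sh
# Constructed sample of `ss -tan` output (not taken from the thread): this
# server is 10.0.0.5 and the application it connects to is 192.0.2.10:80.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      10.0.0.5:40001       192.0.2.10:80
ESTAB     0      0      10.0.0.5:40002       192.0.2.10:80
SYN-SENT  0      1      10.0.0.5:40003       192.0.2.10:80
ESTAB     0      0      10.0.0.5:40004       192.0.2.10:80
ESTAB     0      0      10.0.0.5:22          198.51.100.7:51515'

# count_to_app PEER [SS_OUTPUT]
# Number of sockets (any state but LISTEN) whose peer is PEER (addr:port).
# With no second argument the live `ss -tan` output is read instead.
count_to_app() {
    peer="$1"
    out="${2:-$(ss -tan)}"
    printf '%s\n' "$out" |
        awk -v p="$peer" 'NR > 1 && $1 != "LISTEN" && $5 == p { n++ } END { print n + 0 }'
}

# over_limit PEER MAX [SS_OUTPUT]
# Succeeds (exit 0) when the connection count to PEER exceeds MAX; this is the
# condition the thread currently handles by hand, by dropping the route.
over_limit() {
    [ "$(count_to_app "$1" "${3:-}")" -gt "$2" ]
}

# limit_rule IFACE PORT MAX
# Print the FORWARD rule in the form discussed in the thread. It is inserted at
# position 1 so it sits before any ACCEPT rule, and it answers the excess SYNs
# with a TCP reset instead of leaving the client side hanging. Printed, not
# applied, so it can be reviewed first.
limit_rule() {
    printf 'iptables -I FORWARD 1 -i %s -p tcp --syn --dport %s -m iplimit --iplimit-above %s -j REJECT --reject-with tcp-reset\n' \
        "$1" "$2" "$3"
}

# Stand-alone run against the constructed sample: 4 connections, limit 3.
if over_limit 192.0.2.10:80 3 "$SAMPLE_SS"; then
    echo "over limit: $(count_to_app 192.0.2.10:80 "$SAMPLE_SS") connections to 192.0.2.10:80"
    limit_rule eth0 80 3
fi
```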