Hi list,

I have problems with the connlimit module. I am trying to limit the total connections established and another limit above that for p2p connections. My machine is working as a transparent bridge with QoS as follows:

LAN ------------------------eth1[Bridge]eth0-----------------------------router -------------------------INTERNET

Kernel 2.6.8-1 with POMng, wrr and imq patched. The iptables and kernel modules load perfectly, or so it seems. I have an HTB queue for incoming traffic from the internet and an IMQ queue for outgoing traffic.

I HAVE A FEW QUESTIONS. (In SHAPER-IN and SHAPER-OUT I have put a few rules to intercept the traffic.)

1- Is it correct to put the HTB queue on outgoing traffic and an IMQ queue on outgoing, or is it the opposite?

2- I have put two main rules to intercept the incoming and outgoing traffic.

For incoming traffic I put this in PREROUTING in the mangle chain:

$IPTABLES -t mangle -I PREROUTING -m physdev --physdev-in eth0 -j SHAPER-IN

For outgoing traffic I put this in POSTROUTING in the mangle chain:

$IPTABLES -t mangle -I POSTROUTING -m physdev --physdev-out eth0 -j IMQ --todev 0
$IPTABLES -t mangle -I POSTROUTING -m physdev --physdev-out eth0 -j SHAPER-OUT

(I don't know why I have to redirect to IMQ and SHAPER-OUT.) Is it correct to put these two main rules there?

3- The connlimit module doesn't work with the ipp2p module, although this rule loads correctly:

$IPTABLES -I FORWARD -t mangle -p tcp -m state --state ESTABLISHED,RELATED -m connlimit --connlimit-above 100 -j DROP

I am not very happy with this rule because the machines can establish a few more connections than I set. I can see over 200 connections cross the bridge in /proc/net/ip_conntrack. It's true that there comes a moment when nobody can establish a connection, but I don't want that; I only want to limit p2p connections and have a global limit, but with a high limit so that normal traffic is always permitted.
And this rule gave me an error:

$IPTABLES -I FORWARD -t mangle -p tcp -m ipp2p --ipp2p -m connlimit --connlimit-above 100 -j DROP

(I have put in other rules like this but with the mark module instead of connlimit, and they load correctly.)

Is there someone who has configured a machine like this?

Thanks a lot, I promise to upload a How-to when I finish this long challenge.

Here are my rules, if someone wants to read them.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
SHAPER-IN  all  --  anywhere             anywhere            PHYSDEV match --physdev-in eth0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED #conn/32 > 100

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SHAPER-OUT all  --  anywhere             anywhere            PHYSDEV match --physdev-out eth0
IMQ        all  --  anywhere             anywhere            PHYSDEV match --physdev-out eth0 [4 bytes of unknown target data]

Chain SHAPER-IN (1 references)
target     prot opt source               destination
RETURN     all  --  172.16.0.0/24        anywhere
MARK       udp  --  anywhere             anywhere            MARK set 0x1e
MARK       udp  --  anywhere             anywhere            MARK set 0x1e
MARK       icmp --  anywhere             anywhere            MARK set 0x1e
MARK       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/ACK MARK set 0x1e
MARK       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/ACK length 0:128 TOS match !Normal-Service MARK set 0x1e
MARK       tcp  --  anywhere             anywhere            TOS match Minimize-Delay MARK match 0x0 MARK set 0x1e
MARK       tcp  --  anywhere             anywhere            tcp spts:ssh:telnet MARK set 0x1e
MARK       tcp  --  anywhere             anywhere            tcp dpts:ssh:telnet MARK set 0x1e
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp spt:ssh MARK set 0x1f
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp dpt:ssh MARK set 0x1f
CONNMARK   tcp  --  anywhere             anywhere            CONNMARK match 0x1f CONNMARK restore
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p CONNMARK set 0x1f
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1f
MARK       all  --  anywhere             anywhere            MARK match 0x0 MARK set 0x1f

Chain SHAPER-OUT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             172.16.0.0/24
MARK       icmp --  anywhere             anywhere            MARK set 0x15
MARK       tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/ACK MARK set 0x15
MARK       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/ACK length 0:128 TOS match !Normal-Service MARK set 0x15
MARK       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/ACK length 128:65535 MARK set 0x1d
MARK       udp  --  anywhere             anywhere            MARK set 0x18
MARK       tcp  --  anywhere             anywhere            TOS match Minimize-Delay MARK match 0x0 MARK set 0x17
MARK       tcp  --  anywhere             anywhere            tcp spts:ssh:telnet MARK set 0x16
MARK       tcp  --  anywhere             anywhere            tcp dpts:ssh:telnet MARK set 0x16
MARK       tcp  --  anywhere             anywhere            tcp spt:www MARK set 0x1a
MARK       tcp  --  anywhere             anywhere            tcp dpt:www MARK set 0x1a
MARK       tcp  --  anywhere             anywhere            tcp spt:smtp MARK set 0x1b
MARK       tcp  --  anywhere             anywhere            tcp dpt:smtp MARK set 0x1b
MARK       tcp  --  anywhere             anywhere            TOS match Maximize-Throughput MARK set 0x1c
MARK       tcp  --  anywhere             anywhere            TOS match Minimize-Cost MARK set 0x1c
CONNMARK   tcp  --  anywhere             anywhere            CONNMARK match 0x1d CONNMARK restore
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p CONNMARK set 0x1d
CONNMARK   tcp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1d
CONNMARK   udp  --  anywhere             anywhere            CONNMARK match 0x1d CONNMARK restore
CONNMARK   udp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p CONNMARK set 0x1d
CONNMARK   udp  --  anywhere             anywhere            ipp2p v0.7.1 --ipp2p-data CONNMARK set 0x1d
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp spt:ssh MARK set 0x1c
MARK       tcp  --  anywhere             anywhere            TOS match !Minimize-Delay tcp dpt:ssh MARK set 0x1c
MARK       all  --  anywhere             anywhere            MARK match 0x0 MARK set 0x1b
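A check worth running before concluding that connlimit misbehaves: the "#conn/32 > 100" shown in the FORWARD listing means the rule counts connections per source address (connlimit's default --connlimit-mask is 32), so the aggregate number of entries in /proc/net/ip_conntrack can legitimately exceed 100 while no single LAN host does. The script below is an added example, not code from the post, and parses conntrack lines in the 2.6.x /proc/net/ip_conntrack format, grouping them per source network under a chosen mask the way the match's per-/32 count does. The sample entries are constructed, not taken from the poster's bridge; the 172.16.0.0/24 prefix is the LAN the listing's RETURN rules refer to. The grouping approximates connlimit's counting and does not reproduce its exact matching rules.

```python
"""Count /proc/net/ip_conntrack entries per source network.

Added example: groups conntrack entries per source address (or per
--connlimit-mask-style network) so that the per-host numbers can be
compared with a connlimit threshold.  On a real bridge, feed it
open('/proc/net/ip_conntrack').read() instead of SAMPLE."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the 2.6.x ip_conntrack format (not real data).
# The first src=/dst= pair is the ORIGINAL direction, i.e. the host that
# opened the connection; the second pair is the reply direction.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=172.16.0.10 dst=198.51.100.7 sport=33001 dport=80 src=198.51.100.7 dst=172.16.0.10 sport=80 dport=33001 [ASSURED] use=1
tcp      6 431980 ESTABLISHED src=172.16.0.10 dst=198.51.100.8 sport=33002 dport=6881 src=198.51.100.8 dst=172.16.0.10 sport=6881 dport=33002 [ASSURED] use=1
tcp      6 60 SYN_SENT src=172.16.0.10 dst=198.51.100.9 sport=33003 dport=6882 [UNREPLIED] src=198.51.100.9 dst=172.16.0.10 sport=6882 dport=33003 use=1
udp      17 29 src=172.16.0.11 dst=198.51.100.10 sport=6881 dport=6881 src=198.51.100.10 dst=172.16.0.11 sport=6881 dport=6881 [ASSURED] use=1
tcp      6 431000 ESTABLISHED src=172.16.0.11 dst=198.51.100.11 sport=40000 dport=443 src=198.51.100.11 dst=172.16.0.11 sport=443 dport=40000 [ASSURED] use=1
tcp      6 431500 ESTABLISHED src=172.16.1.5 dst=198.51.100.12 sport=50000 dport=22 src=198.51.100.12 dst=172.16.1.5 sport=22 dport=50000 [ASSURED] use=1
"""

# proto, l4 number, timeout, optional TCP state, then the original tuple.
# UDP entries carry no state token, hence the optional group.
ENTRY = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
)


def parse_conntrack(text):
    """Return a list of (proto, state, orig_src, orig_dst) per entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m["proto"], m["state"] or "", m["src"], m["dst"]))
    return entries


def count_per_source(entries, mask=32, proto=None, lan=None):
    """Count entries per source network under `mask` (32 = per host).

    `proto` restricts to one protocol (e.g. 'tcp'); `lan`, an
    ipaddress.IPv4Network, restricts to connections opened from that
    prefix so that traffic originating on the internet side is ignored."""
    counts = Counter()
    for p, _state, src, _dst in entries:
        if proto and p != proto:
            continue
        if lan and ipaddress.ip_address(src) not in lan:
            continue
        net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
        counts[str(net.network_address)] += 1
    return counts


def over_limit(counts, limit):
    """Networks whose count is strictly above `limit`, like --connlimit-above."""
    return sorted(net for net, n in counts.items() if n > limit)


if __name__ == "__main__":
    ents = parse_conntrack(SAMPLE)
    lan = ipaddress.ip_network("172.16.0.0/24")
    print("total entries:", len(ents))
    for mask in (32, 24):
        c = count_per_source(ents, mask=mask)
        print(f"per /{mask}:", dict(c), "above 2:", over_limit(c, 2))
    print("LAN-only tcp per host:", dict(count_per_source(ents, proto="tcp", lan=lan)))
```

Run it against the live table and compare the per-host numbers with the threshold in the rule; the total line count, which is what one sees by eye in /proc/net/ip_conntrack, is only the relevant figure when the mask is widened to cover the whole LAN.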