Re: Limit

I agree connlimit is currently the way to go; however, I would make two
modifications to the example below.

iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} \
   -p tcp --syn --dport 3333 -m connlimit --connlimit-above 10 \
   -j REJECT --reject-with tcp-reset

Notice the --syn and -j REJECT. I prefer rejects because if you just drop
the SYN packets most TCP stacks (by RFC) send up to 4 or 5 more to make
sure they got through. You could also send an icmp port unreachable or something as well.

-Damon-

On Fri, 26 Aug 2005, Taylor, Grant wrote:

Take a look at the connlimit match extension.

iptables -t filter -A INPUT -i ${WAN} -d ${WANIPAddress} -p tcp --dport 3333 -m connlimit --connlimit-above 10 -j DROP



Grant. . . .

Lyubomir Louisov wrote:
So how can I limit the number of connections on port 3333 to no more than 10
at a time with iptables?
Is it possible?





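As an added example (not code from Damon's, Grant's or Lyubomir's posts), here is a small POSIX shell helper that builds the connlimit rule discussed in this thread with Damon's two changes (--syn and REJECT with tcp-reset) and adds two things a practitioner usually wants: an idempotent apply step using iptables -C, and the --connlimit-mask option. With current iptables, connlimit counts connections per source prefix and the default mask is 32, so --connlimit-above 10 on its own limits each source host to 10 connections; to cap the total on port 3333 at 10, which is what the original question asked for, pass mask 0. The function name connlimit_rule, the DRY_RUN switch, and the interface and address values used in the example call are assumptions of this example, not from the list.

```shell
#!/bin/sh
# Added example, not from the netfilter list post. Builds the connlimit
# rule from the thread as a shell function. DRY_RUN=1 (the default here)
# only prints the command, so it can be inspected without root or a
# kernel that has the connlimit match; DRY_RUN=0 applies it.

# connlimit_rule IFACE DSTADDR PORT LIMIT [MASK]
#   IFACE    inbound interface (the thread's ${WAN})
#   DSTADDR  local address to protect (the thread's ${WANIPAddress})
#   PORT     TCP port, e.g. 3333
#   LIMIT    connections allowed before new SYNs are rejected
#   MASK     --connlimit-mask prefix length: 32 = per source host
#            (iptables default), 0 = all sources counted together
connlimit_rule() {
    iface=$1; dst=$2; port=$3; limit=$4; mask=${5:-32}

    # --syn: only new connection attempts are examined, so existing
    # sessions are never reset when the limit is reached.
    # REJECT/tcp-reset: the client stops immediately instead of
    # retransmitting the SYN several times as it would after a DROP.
    rule="INPUT -i $iface -d $dst -p tcp --syn --dport $port \
-m connlimit --connlimit-above $limit --connlimit-mask $mask \
-j REJECT --reject-with tcp-reset"

    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables -t filter -A %s\n' "$rule"
    else
        # -C returns 0 if an identical rule already exists, so re-running
        # the script does not append duplicates (needs iptables >= 1.4.11).
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        iptables -t filter -C $rule 2>/dev/null || iptables -t filter -A $rule
    fi
}

# Example call with constructed values: cap port 3333 at 10 connections
# in total (mask 0) on eth0 / 203.0.113.5.
connlimit_rule eth0 203.0.113.5 3333 10 0
```

The rule must be inserted before any earlier ACCEPT for port 3333 in the INPUT chain, or it never sees the SYNs; with an existing ACCEPT in place, use -I with a position instead of -A, or put the limit in its own chain that the ACCEPT jumps to first.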
