On 4/22/06, robee <mlody@xxxxxxxxx> wrote:
> maybe this way:
>
> iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m connlimit --connlimit-above 20 -j REJECT
>
> or
>
> iptables -I FORWARD -p tcp --syn -m iprange --src-range 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT

Those both still allow one IP to use up all the connections, leaving none for the others. To do this, the connlimit module would have to keep track of individual conntracks, not just aggregate numbers. It doesn't right now, but it could be made to do so.

--
Toby DiPasquale
0x636f6465736c696e67657240676d61696c2e636f6d
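A small model of the two counting modes discussed above, added here as an example and not code from the thread or from the netfilter project. It replays SYN attempts against connlimit-style buckets keyed the way connlimit's --connlimit-mask option keys them (32 = one bucket per host, 27 = one bucket for the whole /27), and shows that a subnet-wide limit alone lets one host take all 20 slots, while stacking a per-host rule in front of it leaves room for the other hosts. The counting rule (a new connection is rejected once its bucket already holds the limit), the assumption that connections stay open, and the sample source addresses are all assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# The subnet from the thread's rules.
SUBNET = ipaddress.ip_network("10.10.2.96/27")


def bucket(src, mask):
    """Counting key connlimit would use for src under --connlimit-mask <mask>."""
    return str(ipaddress.ip_network(f"{src}/{mask}", strict=False))


def simulate(syns, rules):
    """Replay SYN attempts from hosts in SUBNET against a chain of connlimit rules.

    rules: list of (mask, limit) pairs, each standing for one
           '-m connlimit --connlimit-mask <mask> --connlimit-above <limit> -j REJECT'.
    Assumption: a new connection is rejected once its bucket already holds
    <limit> live connections, and accepted connections never close (worst case).
    Returns a Counter of accepted connections per source IP.
    """
    live = [Counter() for _ in rules]  # live conntracks per rule, per bucket
    accepted = Counter()
    for src in syns:
        if ipaddress.ip_address(src) not in SUBNET:
            continue  # the rules only cover the /27; other traffic is out of scope here
        keys = [bucket(src, mask) for mask, _ in rules]
        rejected = any(live[i][keys[i]] >= limit for i, (_, limit) in enumerate(rules))
        if rejected:
            continue  # some rule matched -> REJECT, nothing is counted
        for i, key in enumerate(keys):
            live[i][key] += 1
        accepted[src] += 1
    return accepted


# Constructed sample: one noisy host opens 25 connections, then a second host tries 10.
SYN_ATTEMPTS = ["10.10.2.100"] * 25 + ["10.10.2.101"] * 10


def aggregate_only():
    """Only the whole /27 is counted: 20 connections shared by every host in it."""
    return simulate(SYN_ATTEMPTS, [(27, 20)])


def aggregate_plus_per_host():
    """Same 20 for the subnet, plus a per-host cap of 5 (mask 32) evaluated first."""
    return simulate(SYN_ATTEMPTS, [(32, 5), (27, 20)])


if __name__ == "__main__":
    print("aggregate only       :", dict(aggregate_only()))
    print("aggregate + per-host :", dict(aggregate_plus_per_host()))
```

With the aggregate rule alone, 10.10.2.100 ends up holding all 20 connections and 10.10.2.101 gets none; with the per-host rule added, each host is held to 5 and the second host still gets through. In a real ruleset the two limits are two separate REJECT rules, and the per-host one only helps if its cap is small enough that the sum over the hosts you expect cannot exhaust the subnet budget.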