On 22-04-2006, Sat, at 09:15 -0400, Toby DiPasquale wrote:
> On 4/22/06, robee <mlody@xxxxxxxxx> wrote:
> > maybe this way:
> >
> > iptables -I FORWARD -p tcp --syn -s 10.10.2.96/27 -m
> > connlimit --connlimit-above 20 -j REJECT
> >
> > or
> >
> > iptables -I FORWARD -p tcp --syn -m iprange --src-range
> > 10.10.2.96-10.10.2.127 -m connlimit --connlimit-above 20 -j REJECT
>
> Those both still allow one IP to use up all the connections, leaving
> none for the others.
>
> To do this, the connlimit module would have to keep track of
> individual conntracks, not just aggregate numbers. It doesn't right
> now, but it could be made to do so.
>
> --
> Toby DiPasquale
> 0x636f6465736c696e67657240676d61696c2e636f6d

Do you mean it should be an individual rule for each IP separately?

robee
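A small model of the difference Toby points out, added here as an example and not taken from the thread or from the netfilter code: counting existing connections against the whole /27 lets one host spend the 20-connection budget for everybody, while counting per source host (the effect robee asks about; later connlimit versions expose it as --connlimit-mask) limits each host on its own. The conntrack table and addresses below are constructed.

```python
import ipaddress

# Constructed model of the two rule styles discussed in the thread: an
# aggregate limit over a whole range versus a limit applied per source
# host. This is a simulation of the counting, not the kernel connlimit code.

LIMIT = 20  # --connlimit-above 20 from the thread's rules
RANGE = ipaddress.ip_network("10.10.2.96/27")  # 10.10.2.96-10.10.2.127


def counted_connections(conntrack, new_src, mask):
    """Number of existing connections whose source falls in the same
    /mask block as the new SYN (27 = the whole range, 32 = exact host)."""
    src_net = ipaddress.ip_network(f"{new_src}/{mask}", strict=False)
    return sum(1 for c in conntrack if ipaddress.ip_address(c) in src_net)


def would_reject(conntrack, new_src, mask, limit=LIMIT):
    """True if, counting under `mask`, the existing connections plus this
    new SYN would exceed `limit`, i.e. the REJECT rule would match."""
    if ipaddress.ip_address(new_src) not in RANGE:
        return False  # the rule's -s / --src-range match does not apply
    return counted_connections(conntrack, new_src, mask) >= limit


# Constructed conntrack table: one host has opened 20 connections,
# every other host in the range has none.
conntrack = ["10.10.2.100"] * 20


def demo():
    """Outcome of a new SYN from the greedy host and from a quiet
    neighbour under aggregate (/27) and per-host (/32) counting."""
    return {
        "aggregate_greedy_host": would_reject(conntrack, "10.10.2.100", 27),
        "aggregate_quiet_host": would_reject(conntrack, "10.10.2.101", 27),
        "per_host_greedy_host": would_reject(conntrack, "10.10.2.100", 32),
        "per_host_quiet_host": would_reject(conntrack, "10.10.2.101", 32),
    }


if __name__ == "__main__":
    for name, rejected in demo().items():
        print(f"{name}: {'REJECT' if rejected else 'accept'}")
```

Under the aggregate count the quiet neighbour is rejected although it has no connections of its own; under per-host counting only the greedy host is.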