What am I doing wrong?

I am trying to limit the number of TCP connections each IP can keep
ESTABLISHED at any given time. Checking the ip_conntrack file, I notice that
connlimit is not working. All connlimit rules are before the NAT rules. What
am I doing wrong?

Any help will be appreciated

-Carlos


modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_limit
modprobe ipt_state

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -N CONNLIMIT

iptables -A FORWARD -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 1864:3127 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 3129:5599 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 5601:5899 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 5901:7776 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 7778:65535 -j CONNLIMIT
iptables -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 12 --connlimit-mask 32 -j DROP


# iptables -L
... deleted ...
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:1024:techra-server
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:paradym-31port:ctx-bridge
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:netport-id:esinstall
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:esmagent:5899
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:5901:7776
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:interwise:65535

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain CONNLIMIT (6 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            state INVALID,NEW,ESTABLISHED,UNTRACKED #conn/32 > 12
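A small checker for the verification step the post describes (reading the ip_conntrack file to see whether any source still holds more ESTABLISHED TCP connections than the rule allows). This is an added example, not code from the post or from netfilter; the conntrack lines are constructed samples in the 2.6-era /proc/net/ip_conntrack layout, and the mask parameter mirrors --connlimit-mask:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack lines (not from the post).
# First src=/dst= pair is the original direction, second is the reply.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=3456 dport=1025 src=10.0.0.5 dst=192.168.1.10 sport=1025 dport=3456 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=3457 dport=1026 src=10.0.0.5 dst=192.168.1.10 sport=1026 dport=3457 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=10.0.0.5 sport=3458 dport=1027 src=10.0.0.5 dst=192.168.1.10 sport=1027 dport=3458 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=10.0.0.5 sport=2000 dport=2000 src=10.0.0.5 dst=192.168.1.11 sport=2000 dport=2000 [ASSURED] use=1
udp      17 29 src=192.168.1.10 dst=10.0.0.5 sport=5000 dport=53 src=10.0.0.5 dst=192.168.1.10 sport=53 dport=5000 use=1
tcp      6 120 SYN_SENT src=192.168.1.12 dst=10.0.0.5 sport=4000 dport=80 [UNREPLIED] src=10.0.0.5 dst=192.168.1.12 sport=80 dport=4000 use=1
"""

# TCP entries carry a state column before the original-direction tuple.
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)")


def count_tcp_by_source(conntrack_text, mask=32, states=("ESTABLISHED",)):
    """Count TCP conntrack entries per masked original-direction source.

    Only the first src= (the client that opened the connection) is used;
    the reply tuple is ignored. mask behaves like --connlimit-mask: 32
    counts per host, 24 per /24 and so on. Non-TCP lines and TCP states
    not listed in `states` (e.g. TIME_WAIT, SYN_SENT) are skipped.
    """
    counts = Counter()
    for line in conntrack_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") not in states:
            continue
        net = ipaddress.ip_network(f"{m.group('src')}/{mask}", strict=False)
        counts[str(net)] += 1
    return counts


def sources_above(conntrack_text, limit, mask=32):
    """Masked sources holding more than `limit` ESTABLISHED TCP entries,
    i.e. the sources a working --connlimit-above rule should have capped."""
    counts = count_tcp_by_source(conntrack_text, mask)
    return {src: n for src, n in counts.items() if n > limit}


if __name__ == "__main__":
    # On a live box: sources_above(open("/proc/net/ip_conntrack").read(), 12)
    for src, n in sorted(sources_above(SAMPLE_CONNTRACK, 1).items()):
        print(f"{src} has {n} established TCP connections")
```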



