On 09 Jan 14, at 03:49 , Artūras Šlajus wrote:
> Peter Renzland wrote:
>> I would also like to count connections (those that have been
>> tracked), just like the packets and bytes that have been moved.
>> Can someone please show me how that can be done?
> New connections? -m state --state NEW should work.
I *finally* figured this out. :-)
At first I thought that this could only count packets and bytes, but I
want to count connections, not packets and bytes. Well, since each
connection is started by exactly one packet, the number of such
packets is the number of connections that I seek. Very clever.
Thanks!!!
So, to count all connections:
iptables -N conncount
iptables -I FORWARD -j conncount
iptables -A conncount -m state --state NEW
And I can even count over-limit connection attempts:
iptables -N connover
iptables -I FORWARD -p tcp --syn -m iprange --src-range $IP1-$IP2 \
    -m connlimit --connlimit-above 100 -j connover
iptables -I FORWARD -p ! tcp -m iprange --src-range $IP1-$IP2 \
    -m connlimit --connlimit-above 50 -j connover
iptables -A connover -j REJECT
Does that look about right?
(Do I really need that "--syn"?)
Thanks.
Peter
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
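As an added example (not part of the thread), the script below installs the conncount chain from the message above and reads back the two numbers it is after: the pkts counter of the "state NEW" rule (one NEW packet per connection) and the pkts counter of the REJECT rule in connover (over-limit attempts). The IPT dry-run hook and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): read the NEW-packet counter of the
# conncount chain, which is the number of tracked connections, and the
# REJECT counter of the connover chain, which is the number of over-limit
# attempts. IPT is a hypothetical hook: set IPT=iptables to apply the rules
# for real; the default only prints the commands.
IPT=${IPT:-"echo iptables"}

install_conncount() {
    $IPT -N conncount
    $IPT -I FORWARD -j conncount
    # No target: the rule only counts; each NEW packet is one connection.
    $IPT -A conncount -m state --state NEW
}

# Sum the pkts column of the rules in CHAIN whose text contains PATTERN,
# reading the output of `iptables -vnx -L` passed as the third argument.
# -x prints exact counters rather than abbreviated ones such as 12K.
rule_pkts() {
    printf '%s\n' "$3" | awk -v chain="$1" -v pat="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && index($0, pat) { n += $1 }
        END { print n + 0 }'
}

# Constructed sample of `iptables -vnx -L` output (not captured from a
# real host); the IP range and counters are made up.
SAMPLE_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   45678  1234567 conncount  all  --  *      *       0.0.0.0/0            0.0.0.0/0
      17     1020 connover   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 source IP range 192.0.2.10-192.0.2.20 #conn src/32 > 100

Chain conncount (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   12345   987654            all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain connover (2 references)
    pkts      bytes target     prot opt in     out     source               destination
      17     1020 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Report both numbers from a listing; counters accumulate until
# `iptables -Z conncount` / `iptables -Z connover` zeroes them.
report() {
    echo "new connections:      $(rule_pkts conncount 'state NEW' "$1")"
    echo "over-limit attempts:  $(rule_pkts connover REJECT "$1")"
}

report "$SAMPLE_LISTING"
```

Run it periodically and zero the chains after each read to get per-interval rates instead of totals since boot.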