On Saturday 2011-01-15 09:21, Jan Rovner wrote:

>Hello,
>
>I have many computers behind a SNAT router (gateway to internet). All
>internal computers have assigned private IP addresses in the 192.168.0.0/16
>range.
>
>I have two questions:
>
>1) I would like to limit the RATE of newly established connections
>initiated by computers, i.e. connections with NEW state in kernel
>conntrack. The important points:
>Is there any suitable iptables "smart" solution for achieving this?

Quite easy.

iptables -A FORWARD -i internalnetwork -m conntrack --ctstate NEW,RELATED -m hashlimit --hashlimit-name newconn --hashlimit-above X/Y --hashlimit-mode srcip -j REJECT

>2) Is it possible in a similar way to limit a TOTAL NUMBER of
>established (assured) connections per source IP?

iptables -A FORWARD -i internalnetwork -m conntrack --ctstate NEW,RELATED -m connlimit --connlimit-above Z -j REJECT

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
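The two rules in the reply above, turned into a complete script, as an added example that is not part of the original thread. The interface name eth1, the rate of 30 new connections per second with a burst of 60, the cap of 200 concurrent TCP connections per host, and the hashlimit table name lan-newconn are assumed values chosen for illustration. The script emits the rules in iptables-restore syntax so they can be reviewed before being loaded, and inserts them at the top of FORWARD so they are evaluated before any ACCEPT rule for LAN traffic. It matches only --ctstate NEW (not RELATED) so that expectation-driven data connections such as FTP are not charged against the per-host budget, and restricts the connlimit rule to TCP so that the rejection can be a TCP reset.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post: per-source limits on
# the rate of NEW connections and on concurrent TCP connections for a SNAT
# gateway. All values below are assumptions chosen for illustration.
LAN_IF="${LAN_IF:-eth1}"                   # hypothetical internal interface
LAN_NET="${LAN_NET:-192.168.0.0/16}"       # internal range from the question
NEW_RATE="${NEW_RATE:-30/sec}"             # new connections per second per host
NEW_BURST="${NEW_BURST:-60}"               # bucket size before the rate applies
MAX_CONNS="${MAX_CONNS:-200}"              # concurrent TCP connections per host
HL_NAME="${HL_NAME:-lan-newconn}"          # /proc/net/ipt_hashlimit/<name>

# Emit the rules in iptables-restore syntax. They are inserted (-I) at the top
# of FORWARD so that they run before any ACCEPT rule for LAN traffic.
build_rules() {
    cat <<EOF
*filter
# 1) Rate of NEW connections per source IP. --hashlimit-name is mandatory and
#    names the table under /proc/net/ipt_hashlimit/. --hashlimit-srcmask 32
#    keeps one bucket per host; use 24 to budget per /24 instead.
-I FORWARD 1 -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -m hashlimit --hashlimit-name $HL_NAME --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above $NEW_RATE --hashlimit-burst $NEW_BURST -j REJECT --reject-with icmp-admin-prohibited
# 2) Cap on concurrent TCP connections per source IP. connlimit counts the
#    existing conntrack entries for the address, so the match is evaluated on
#    the NEW packet that would push the host over the limit.
-I FORWARD 2 -i $LAN_IF -s $LAN_NET -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above $MAX_CONNS --connlimit-mask 32 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Load the rules without flushing what is already in the filter table.
# Needs root and the xt_hashlimit / xt_connlimit modules.
apply_rules() {
    build_rules | iptables-restore --noflush
}

# Show per-rule packet counters and the live hashlimit buckets (one line per
# internal host that has been seen recently).
show_state() {
    iptables -L FORWARD -vn --line-numbers
    cat "/proc/net/ipt_hashlimit/$HL_NAME" 2>/dev/null
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_state ;;
    *)     build_rules ;;   # default: print the rules for review
esac
```

Run it with no argument to print the rules, with apply to load them, and with show to watch the counters. Two things to keep in mind when picking the numbers: every packet in conntrack state NEW counts, including SYN retransmits from a client whose first SYN got no answer, so set the burst high enough to absorb that; and REJECT gives a misbehaving host immediate feedback, which is usually what you want on an internal network, whereas DROP would make its connection attempts back off more slowly.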