Re: Conntrack : limit number of NEW outgoing connections per source IP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Saturday 2011-01-15 09:21, Jan Rovner wrote:

>Hello,
>
>I have many computers behind a SNAT router (gateway to internet). All 
>internal Computers have assigned private IP adressess in 192.168.0.0/16 
>range.
>
>I have two questions:
>
>1) I would like to limit the RATE of newly established connections 
>initiated by Computers, i.e. connections with NEW state in kernel 
>conntrack. The important points:
>Is there any suitable iptables "smart" solution for achieving this?

Quite easy.

	-i internalnetwork -m conntrack --ctstate NEW,RELATED
	-m hashlimit --hashlimit-above X/Y
	--hashlimit-mode srcip -j REJECT

>2) Is it possible in similar way to limit a TOTAL NUMBER of
>established (assured) connections per source IP?

	-i internalnetwork -m conntrack --ctstate NEW,RELATED
	-m connlimit --connlimit-above Z -j REJECT
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux