Hi I am trying to apply the nft rule to limit the connections on
opernsearch port 9200.
I successfully limit the number of connections for SSH port. used
following rule to limit the same
Following rules are applied on server side machines(opensearch and sshd)
~] cat rule.nft
{
flush ruleset
table ip filter {
set test-22-count-meter {
type ipv4_addr
size 65535
flags dynamic
}
chain INPUT {
type filter hook input priority filter - 5; policy drop;
ct state new tcp dport 22 update @test-22-count-meter
{ ip saddr & 255.255.255.0 ct count over 5 } counter packets 0 bytes
0 reject
iifname "eth0" tcp dport 22 counter packets 0 bytes 0 accept
}
----
----
}
}
Same thing, I am trying to limit the connections for port 9200, but it
seems the rule is not behaving properly, it is blocking connection
(zero connection accepted).
~] cat rule.nft
{
flush ruleset
table ip filter {
set test-9200-count-meter {
type ipv4_addr
size 65535
flags dynamic
}
chain INPUT {
type filter hook input priority filter - 5; policy drop;
ct state new tcp dport 9200 update
@test-9200-count-meter { ip saddr & 255.255.255.0 ct count over 5 }
counter packets 0 bytes 0 reject
iifname "eth0" tcp dport 9200 counter packets 0 bytes 0 accept
}
----
----
}
}
Am I missing any kernel modules which should be enabled, or following
some wrong format?
Also, when ESTABLISH it holds the connections though clients are disconnected.
--
--Regards
Vishwanath
