NetFilter

what I am doing wrong?

To: <netfilter@lists.netfilter.org>
Subject: what I am doing wrong?
From: "Carlos Eduardo R. L. de Miranda" <cerlm@hotmail.com>
Date: Mon, 22 Jan 2007 15:11:59 -0300
I am trying to limit the number of TCP connections each IP can keep
ESTABLISHED at any given time. Checking the ip_conntrack file, I notice that
connlimit is not working. All connlimit rules are before NAT rules. What am
I doing wrong?

Any help will be appreciated.

-Carlos


modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_limit
modprobe ipt_state

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -N CONNLIMIT

iptables -A FORWARD -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 1864:3127 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 3129:5599 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 5601:5899 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 5901:7776 -j CONNLIMIT
iptables -A FORWARD -p TCP -d 0/0 --dport 7778:65535 -j CONNLIMIT
iptables -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 12 --connlimit-mask 32 -j DROP


# iptables -L
... deleted ...
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:1024:techra-server
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:paradym-31port:ctx-bridge
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:netport-id:esinstall
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:esmagent:5899
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:5901:7776
CONNLIMIT  tcp  --  anywhere             anywhere            tcp dpts:interwise:65535

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain CONNLIMIT (6 references)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            state INVALID,NEW,ESTABLISHED,UNTRACKED #conn/32 > 12
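
The poster says he checked the ip_conntrack file to see whether the limit was
being enforced. The script below is an added example (not part of the post and
not netfilter's own code) that does that check mechanically: it parses
/proc/net/ip_conntrack lines in the 2.6-era layout, counts ESTABLISHED TCP
entries per source prefix the way --connlimit-mask groups them (32 = per host,
24 = per /24), restricts the count to the destination port ranges from the
poster's FORWARD rules, and reports any source holding more than the
--connlimit-above value. The conntrack lines are constructed sample data,
not a real capture; the port ranges and the limit of 12 are the poster's.

```python
import ipaddress
import re
from collections import Counter

# Destination port ranges from the poster's six FORWARD rules.
POST_PORT_RANGES = [(1024, 1862), (1864, 3127), (3129, 5599),
                    (5601, 5899), (5901, 7776), (7778, 65535)]
POST_LIMIT = 12  # --connlimit-above 12

# One /proc/net/ip_conntrack line has the shape
#   tcp      6 431999 ESTABLISHED src=A dst=B sport=P dport=Q ... [ASSURED] ...
# UDP entries carry no state word, so the state group is optional.
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Parse ip_conntrack text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def count_per_source(entries, mask=32, states=("ESTABLISHED",),
                     proto="tcp", port_ranges=None):
    """Count matching entries per source prefix, mirroring --connlimit-mask."""
    counts = Counter()
    for e in entries:
        if e["proto"] != proto or e["state"] not in states:
            continue
        if port_ranges and not any(lo <= e["dport"] <= hi for lo, hi in port_ranges):
            continue
        prefix = ipaddress.ip_network(f"{e['src']}/{mask}", strict=False)
        counts[str(prefix)] += 1
    return counts


def offenders(counts, limit):
    """Sources holding more connections than --connlimit-above allows."""
    return {src: n for src, n in counts.items() if n > limit}


def _ct_line(state, src, dst, sport, dport, proto="tcp"):
    """Build one constructed conntrack line in the ip_conntrack layout."""
    num = 6 if proto == "tcp" else 17
    state_field = f"{state} " if state else ""
    return (f"{proto:<8} {num} 431999 {state_field}src={src} dst={dst} "
            f"sport={sport} dport={dport} packets=3 bytes=180 "
            f"src={dst} dst={src} sport={dport} dport={sport} packets=2 bytes=120 "
            f"[ASSURED] mark=0 use=1")


# Constructed sample table: 13 established flows from one host to a port in
# the limited ranges (over the limit of 12), two TIME_WAIT leftovers from the
# same host, three flows from a second host (two on ports below 1024, which
# the rules do not cover), and one UDP entry.
SAMPLE_CONNTRACK = "\n".join(
    [_ct_line("ESTABLISHED", "10.0.0.5", f"203.0.113.{i}", 40000 + i, 4662)
     for i in range(1, 14)]
    + [_ct_line("TIME_WAIT", "10.0.0.5", "203.0.113.50", 41000, 4662),
       _ct_line("TIME_WAIT", "10.0.0.5", "203.0.113.51", 41001, 4662),
       _ct_line("ESTABLISHED", "10.0.0.6", "198.51.100.7", 42000, 80),
       _ct_line("ESTABLISHED", "10.0.0.6", "198.51.100.8", 42001, 443),
       _ct_line("ESTABLISHED", "10.0.0.6", "198.51.100.9", 42002, 5000),
       _ct_line(None, "10.0.0.5", "192.0.2.53", 5353, 53, proto="udp")]
)


def main():
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    counts = count_per_source(entries, mask=32, port_ranges=POST_PORT_RANGES)
    for src, n in sorted(counts.items()):
        flag = "  <-- above limit" if n > POST_LIMIT else ""
        print(f"{src:<18} {n:>3} established{flag}")
    # The same table grouped per /24, as --connlimit-mask 24 would count it.
    print("per /24:", dict(count_per_source(entries, mask=24,
                                            port_ranges=POST_PORT_RANGES)))


if __name__ == "__main__":
    main()
```

On a live box, replace SAMPLE_CONNTRACK with the contents of
/proc/net/ip_conntrack (or /proc/net/nf_conntrack on later kernels, whose
lines carry an extra "ipv4 2" prefix and would need the regex adjusted). A
source that keeps showing up above the limit after the rules are loaded is
the evidence the poster was looking for that the CONNLIMIT chain is not
dropping the excess.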