
How to use CONLIMIT to limit connections

Posted: Wed Nov 26, 2008 7:30 pm
by Lelouch
Original by: cemaraya on Sun Jan 27, 2008 3:16 pm
Translated by: rinrinrenacuajo

See the Spanish version by clicking here.

After some research here in the forum about rules for controlling the number of open connections, I arrived at a set of rules that I am using today and that works fully.
These rules are designed to control P2P connections; this means that users can still open hundreds of HTTP, SMTP, DNS and POP3 connections (all below port 1024).
To do this, log in to the BrazilFW webadmin, go to "Advanced Firewall Configuration", select "Edit Custom Firewall Rules" and go to the end:


# limit of connections
iptables -t mangle -F CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
iptables -t mangle -X CONNLIMIT
iptables -t mangle -N CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP


Explanation of the code lines:

iptables -t mangle -F CONNLIMIT
# Flushes the rules in the CONNLIMIT chain.

iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
# Deletes the jump rule so that it is not duplicated when the firewall is reloaded.

iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
# Same as the previous rule.

iptables -t mangle -X CONNLIMIT
# Deletes the CONNLIMIT chain.

iptables -t mangle -N CONNLIMIT
# Creates the CONNLIMIT chain.

iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
# Tells the POSTROUTING chain that a connection whose destination port is between 1024 and 1862 must be sent to the CONNLIMIT chain.

iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
# Same as the previous rule, but for ports 1864 to 65535.

iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
# Adds a rule to the CONNLIMIT chain: when the number of connections from a single IP is greater than 10, the packets are discarded (DROP).

These rules apply to each IP separately, but if you want to apply them to the whole network, write this:
iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 10 --connlimit-mask 24 -j DROP

CAUTION: the previous rule only allows 10 concurrent connections in that port range at the same time, shared by the whole network rather than per IP.

For example:

# A) To limit connections for the complete network
iptables -t mangle -F CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
iptables -t mangle -X CONNLIMIT
iptables -t mangle -N CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 10 --connlimit-mask 24 -j DROP

# B) To limit connections per IP
iptables -t mangle -F CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
iptables -t mangle -X CONNLIMIT
iptables -t mangle -N CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1024:1862 -j CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 --dport 1864:65535 -j CONNLIMIT
iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP

# C) To limit connections in all ports
iptables -t mangle -F CONNLIMIT
iptables -t mangle -D POSTROUTING -p TCP -d 0/0 -j CONNLIMIT
iptables -t mangle -X CONNLIMIT
iptables -t mangle -N CONNLIMIT
iptables -t mangle -A POSTROUTING -p TCP -d 0/0 -j CONNLIMIT
iptables -t mangle -A CONNLIMIT -p TCP -m state ! --state RELATED -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP

CAUTION!: DO NOT USE ALL OF THE ABOVE RULES AT THE SAME TIME; SELECT ONLY ONE OPTION: A or B or C!!!

Important!:
You must have the "Advanced Router" add-on installed.
Addon: http://www.brazilfw.com.br/downloads/ad ... vroute.tgz

Edited 5/7/08
If for any reason the rules give an error, please write each rule with the full path in front of it, like this:
/usr/sbin/iptables -t mangle -F CONNLIMIT
/usr/sbin/iptables -t mangle -X CONNLIMIT
.... etc
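The three option sets above differ only in the port ranges and the connlimit mask, and the 5/7/08 edit points at the one real failure mode: on a fresh boot the CONNLIMIT chain does not exist yet, so the -F, -D and -X lines fail before the chain is created. The script below is an added example (not part of the original post or of BrazilFW): it wraps the same rules in a function that tolerates that first-run failure, uses the absolute path the edit recommends, and lets you pick option A, B or C with two arguments. The variables IPTABLES, LIMIT and CHAIN and the function names are my own and can be overridden; the 1863 gap in the port ranges is kept exactly as the post has it.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's CONNLIMIT
# rules idempotently so they can be re-run on every firewall reload.
# IPTABLES defaults to the absolute path the post's 5/7/08 edit suggests;
# set IPTABLES=echo for a dry run that only prints the commands.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
CHAIN="${CHAIN:-CONNLIMIT}"
LIMIT="${LIMIT:-10}"

# Port ranges used by options A and B in the post (1863 is left out there too).
PORT_RANGES="1024:1862 1864:65535"

# Remove any earlier copy of the chain and its POSTROUTING jumps.
# On a fresh boot the chain does not exist, so -D/-F/-X fail; that is the
# harmless error the post's edit mentions, so their status is ignored here.
connlimit_teardown() {
    for r in $PORT_RANGES; do
        "$IPTABLES" -t mangle -D POSTROUTING -p tcp -d 0/0 --dport "$r" -j "$CHAIN" 2>/dev/null || true
    done
    # jump without a port match, in case option C was applied last time
    "$IPTABLES" -t mangle -D POSTROUTING -p tcp -d 0/0 -j "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -t mangle -F "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -t mangle -X "$CHAIN" 2>/dev/null || true
}

# connlimit_apply MASK MODE
#   MASK  32 = budget per host (option B), 24 = whole /24 shares it (option A)
#   MODE  ports = the two ranges above (A/B), all = every TCP port (option C)
# Returns non-zero if any of the rules that must succeed is rejected.
connlimit_apply() {
    mask="$1"
    mode="${2:-ports}"
    connlimit_teardown
    "$IPTABLES" -t mangle -N "$CHAIN" || return 1
    if [ "$mode" = all ]; then
        "$IPTABLES" -t mangle -A POSTROUTING -p tcp -d 0/0 -j "$CHAIN" || return 1
    else
        for r in $PORT_RANGES; do
            "$IPTABLES" -t mangle -A POSTROUTING -p tcp -d 0/0 --dport "$r" -j "$CHAIN" || return 1
        done
    fi
    # The limiting rule itself, unchanged from the post apart from the variables.
    "$IPTABLES" -t mangle -A "$CHAIN" -p tcp -m state ! --state RELATED \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-mask "$mask" -j DROP
}

# Usage (option B, per-host limit):  connlimit_apply 32 ports
#        option A, whole network:     connlimit_apply 24 ports
#        option C, all ports:         connlimit_apply 32 all
```

Put the function in the custom rules file and call it once at the end; because the teardown runs first, calling it again after editing the mask or the mode replaces the old set instead of stacking a second copy of the jumps, which is the "don't use A, B and C at the same time" mistake the post warns about.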