Hi all,

I need advice on how I can limit ip_conntrack per IP.

Clients of the network that I support often use torrent, DC++ and eMule clients, and I have lost packets because they open too many ports.

I have traffic control limits but this obviously isn't enough.

Any advice on how to prevent the server from this kind of problem will be welcome.

Best regards
Emil
foxy 202 wrote:
> Hi all,
> I need advice on how I can limit ip_conntrack per IP.
> Clients of the network that I support often use torrent, DC++ and eMule
> clients, and I have lost packets because they open too many ports.
>
> I have traffic control limits but this obviously isn't enough.
>
> Any advice on how to prevent the server from this kind of problem will be welcome.
>
> Best regards
> Emil

The first hit from google on 'netfilter limit per ip' returns:

> Try the "dstlimit" match in current versions of netfilter.
> Quoting from the man page: "This module allows you to limit the packet per
> second (pps) rate on a per destination IP or per destination port base. As
> opposed to the `limit' match, every destination ip / destination port has
> its own limit."

So what's wrong with YOUR google search?
-- 
Gypsy
foxy 202 wrote:
> I couldn't find any info on how to limit an IP to open, for example, over 200
> ip_conntrack connections, not only for a single port with dport.
> I found connlimit
> http://netfilter.org/patch-o-matic/pom-base.html#pom-base-connlimit
>
> but that is per port; I cannot limit the whole IP.
>
> How can I prevent the network from
> ip_conntrack: table full, dropping packet.
> ip_conntrack: table full, dropping packet.
> Increasing ip_conntrack_max cannot be without limits.
>
> Any suggestions are welcome

Use your judgement, but I compiled my 2.4 kernel reducing the tcp_timeout_established from 5 days to 2 days in src/linux/net/ipv4/netfilter/ip_conntrack_proto_tcp.c, which I personally think is still far too long. Any TCP connection that is cca 5 minutes without activity is DEAD AFAIAC.

Don't forget the Layer 7 stuff. However, finding something to match becomes ever more difficult.

Google may help with conntrack_max limit?
-- 
gypsy

> On 5/17/05, gypsy <gypsy@iswest.com> wrote:
> > foxy 202 wrote:
> > > Hi all,
> > > I need advice on how I can limit ip_conntrack per IP.
> > > Clients of the network that I support often use torrent, DC++ and eMule
> > > clients, and I have lost packets because they open too many ports.
> > >
> > > I have traffic control limits but this obviously isn't enough.
> > >
> > > Any advice on how to prevent the server from this kind of problem will be welcome.
> > >
> > > Best regards
> > > Emil
> >
> > The first hit from google on 'netfilter limit per ip' returns:
> >
> > > Try the "dstlimit" match in current versions of netfilter.
> > > Quoting from the man page: "This module allows you to limit the packet per
> > > second (pps) rate on a per destination IP or per destination port base. As
> > > opposed to the `limit' match, every destination ip / destination port has
> > > its own limit."
> >
> > So what's wrong with YOUR google search?
> > -- 
> > Gypsy
I think hashlimit is the new dstlimit with wider capabilities.

On 5/16/05, foxy 202 <foxy202@gmail.com> wrote:
> Hi all,
> I need advice on how I can limit ip_conntrack per IP.
> Clients of the network that I support often use torrent, DC++ and eMule
> clients, and I have lost packets because they open too many ports.
>
> I have traffic control limits but this obviously isn't enough.
>
> Any advice on how to prevent the server from this kind of problem will be welcome.
>
> Best regards
> Emil
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

-- 
Have a nice day
Krystian Antoni
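To tie the thread's three suggestions together (connlimit for concurrent flows per source, hashlimit keyed on srcip for the rate of new flows, and a shorter established timeout instead of patching the kernel), here is an added example that is not from any poster: a script that prints the rules for review and only applies them when run as root with APPLY=1. The interface name, thresholds and the FORWARD chain are assumed placeholders; it assumes iptables 1.4 or later with the xt_connlimit and xt_hashlimit modules.

```shell
#!/bin/sh
# Added example, not from the thread. Caps per-source conntrack usage on a
# LAN-facing router. Assumed placeholders: LAN_IF, MAX_CONNS, NEW_RATE, NEW_BURST.
LAN_IF="${LAN_IF:-eth1}"          # assumed LAN-facing interface
MAX_CONNS="${MAX_CONNS:-200}"     # concurrent TCP flows allowed per source IP
NEW_RATE="${NEW_RATE:-30/sec}"    # rate of NEW flows allowed per source IP
NEW_BURST="${NEW_BURST:-60}"      # burst allowed before the rate cap bites

# Print the rules instead of running them, so they can be reviewed first.
build_rules() {
    lan="$1"; maxc="$2"; rate="$3"; burst="$4"
    # connlimit: each /32 source may hold at most $maxc tracked TCP flows;
    # checked on NEW packets so established flows are left alone.
    echo "iptables -A FORWARD -i $lan -p tcp -m conntrack --ctstate NEW" \
         "-m connlimit --connlimit-above $maxc --connlimit-mask 32 -j DROP"
    # hashlimit keyed on srcip: rate-limit NEW flows of any protocol, which
    # also covers the UDP floods P2P clients generate.
    echo "iptables -A FORWARD -i $lan -m conntrack --ctstate NEW" \
         "-m hashlimit --hashlimit-name p2p_new --hashlimit-mode srcip" \
         "--hashlimit-above $rate --hashlimit-burst $burst -j DROP"
    # Established timeout: 2 hours instead of the 5-day default, via sysctl
    # rather than the kernel source edit mentioned in the thread. On the 2.4
    # and early 2.6 kernels of that era the key was
    # net.ipv4.netfilter.ip_conntrack_tcp_timeout_established.
    echo "sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7200"
}

# Number of commands a generated rule set contains, for a quick sanity check.
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

if [ "$(id -u)" -eq 0 ] && [ "${APPLY:-0}" = "1" ]; then
    build_rules "$LAN_IF" "$MAX_CONNS" "$NEW_RATE" "$NEW_BURST" | sh -x
else
    build_rules "$LAN_IF" "$MAX_CONNS" "$NEW_RATE" "$NEW_BURST"
fi
```

Watch `dmesg` for the "ip_conntrack: table full" line after applying: if it still appears, the thresholds are too generous for the table size, not the other way round.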