similar to: Conntrack table full and Heavy p2p loaded traffic manager ...

Hi all, i need advice how can i limit ip_conntrack per IP. clients of network that i support often uses torrent , DC++ , eMule clients and i have lost packages because they open too many ports. i have traffic control limits but this obviously isn''t enough Any advance how to prevent server from this kind problems will be welcome. Best regards Emil

Hello, I''ve tried to change ipt_conntrack hashsize and con under my debian charge but doesn''t work ! Ive got 2876Mb available for conntrack so I''ve done (according to some previous mail and this http://www.wallfire.org/misc/netfilter_conntrack_perf.txt) CONNTRACK_MAX = 2876 * 64 = 184064 HASHSIZE = 2876 * 8 = 23002 But the near power of 2 is 2^16 = 131072

After varying degrees of success with p2p detection modules, I would like to write the following rules using iptables to reliably identify p2p traffic: 1. If a host on the network has 5 or more simutaneous tcp connections to ports above 1024, mark all connections to ports 1024 and above as 60. 2. If a host has received (or sent) UDP packets from 5 different hosts'' ports above 1024 in a

Hi I believe that whole question is in topic. Is there any way to recognize ( and then shape ) p2p traffic which is encrypted? Modern p2p clients have this ability moreover some of them have this enabled by default. Now I''m using ipp2p for iptables but as I know this doesn''t recognize encrypted traffic. Thanks in advance. Pozdrawiam Szymon Turkiewicz

Hi, my ip_conntrack table is filling up and now my server is dropping packets. I'm running CentOS release 4.4 (Final) on a fairly busy webserver. The table is full of various connections, including a lot of "ESTABLISHED" tcp connections from my webserver (the src is my webserver ip), and some other random connections to my webserver, and many "ASSURED" connections. So why

Hey guys, I have several Linux routers in place at high-usage locations (student apartment complexes). I''m having trouble with some of the routers which use 6Mbit DSL lines as their Internet feed. The routers use PPPoE and perform NAT. During peak usage periods, the routers are dropping alot of packets. I''m lead to believe this is because there are too many active

Hi, I am not sure if this is the correct destination for this email question, so if not, please can someone direct me to the correct mailing list / user. I need to detect Skype traffic using (I think it can be done) IP2P.on a RH Linux 2.4.20 kernel as well as the later fedora platforms. We have built it into your kernel, but are looking for some help in the matching parameters for skype in

Hello! I''ve read a lot of mail archives, but can''t find solutions for my problem. I have router with about 700 users. I''m using HTB with SFQ leaf qdiscs for every user (client ip). So, different IP can have its own rate limit. This scheme ir working fine for a long time. But how can I limit number of connections (sessions) from one host? I see from ip_conntrack

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=467 mateusz@kaduk.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | ------- Additional Comments From mateusz@kaduk.net 2006-10-01

Hi, I have a linux box which balances load between two interfaces ( say WAN1 and WAN2). I have masquerading on for any request coming from LAN to the outside world. The setup is in such a way that WAN1 drops packets with source ip belonging to WAN2''s network and viceversa. For some strange reason, I find that packet coming out from the WAN interface has source address of WAN2 and

xen-3.0.3-94.el5_4.2 2.6.18-164.6.1.el5xen RHEL5.4 x86_64 I''ve got a dom0 that does nothing but have a DomU created. The DomU gets plenty of load. Over time, the dom0''s ipconntrack table fills up but not the DomU. Once it gets full I can restart iptables and it''s fine. The strange thing is this only happens on hosts I have provided (hardware and hosting) from one

Greetings folks, I've been researching the various iptables modules that are included with the stock CentOS4 distro; particularly the connlimit module. Is connlimit included by default? I thought it is since performing # iptables -m connlimit --help returns information on connlimit usage along with the general iptables help info: <SNIP> connlimit v1.2.11 options: [!]

hi, i try use iptables connlimit, # iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j DROP iptables: Unknown error 4294967295 where is problem ? thanks # rpm -qa | grep iptables iptables-1.3.5-4.el5 # uname -a Linux test 2.6.18-92.1.1.el5 #1 SMP Sat Jun 21 19:04:27 EDT 2008 i686 i686 i386 GNU/Linux

https://bugzilla.netfilter.org/show_bug.cgi?id=1463 Bug ID: 1463 Summary: nft --json table list ruleset crashes Product: nftables Version: unspecified Hardware: All OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org

Hi, I have many example of HTB GUI . All is already well developed, which discussed in this link. However, can anyone teach me what software to use to build a own web based GUI HTB software in Fedoracore ( Linux based) ? Thanks Regards Alan _______________________________________________ LARTC mailing list LARTC@mailman.ds9a.nl

I recompiled yet 2.6.19.1 kernel (using iptables with the same patches too). The configuration for this test is: 1) linux box with 2.6.19.1 kernel (SMP machine) with these patches/modules: a) l7-filter b) ipp2p c) connlimit d) set 2) 4 ethernet interfaces: a) 2 external (eth1 and eth3) interfaces with balanced links (as described in nato-howto) bridged as wan0

Would someone please explain to me the difference in effect between the following two IPTABLES conditions and the significance thereof in concurrent connection limiting? --tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \ --connlimit-above 3 --connlimit-mask 32 --state NEW -j REJECT \ --connlimit-above 3 --connlimit-mask 32 -- *** e-Mail is NOT a SECURE channel *** Do

Hi everyone, I see that shorewall has "ratelimit" but i''m interested in deny conexions by number of them, not by number/sec. Is connlimit feature supported by shorewall? Or maybe someone have an extraofficial patch for them? Regards, Angel Mieres ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT

Hello again, I have a router/nat linux box. I managed to create some HTB classes and everything is OK. When perople are usig download managers like FlashGet and DAP (multiple connection ones), the ceil limiting works okay, but the rate parameter is somehow useles... The guaranteed bandwidth is never reached. So what can I do to limit the number of connections/computer? I want to make sure that

I have just completed the installation of a new firewall running Shorewall 1.4 on Mandrake 9.2 for our campus network. It appears to be running fairly well so far, but is generating significantly more log entries than our previous linux 2.0.x firewall... Our previous firewall enjoyed more than 6 years of 24/7 operation with no downtime before we finally decided it needed more horsepower, and