[Nottingham] Linux number of forwarded net connections limit

notlug notlug at pendinas.org.uk
Wed Oct 12 13:34:26 UTC 2011


On 12/10/11 11:58, Martin wrote:
> Sergiusz,
>
> On 12 October 2011 10:29, Sergiusz Pawlowicz<sergiusz at pawlowicz.name>  wrote:
>> martin, imho limiting amount of concurrent connections is rather
>> against the idea of tcp/ip, and to be honest, i cannot understand what
>> precisely you want to achieve? is it a theoretical game or you want to
>> do something practically, eg. limit bandwidth?
> For a home worker, I'm trying to make use of their 'poorly
> implemented' ADSL modem-router whereby just two users surfing the web
> can cause the thing to crash! My best guess is that it falls over with
> too many connections. Too small a NAT table?... Hence I'm wanting to
> see if I can insert a linux box to act as a gateway to limit the max
> number of connections. A second problem is that one of those users
> chokes everything up with torrents.
>

iptables can do this sort of thing (man iptables, search for connbytes, connlimit, connmark, conntrack etc).
I've used it in the past to generate an automatic iptables blacklist of IP addresses which were being used to
look for vulnerable ssh accounts on a server - and acting as a DoS to boot.
In a bridge configuration you need to use the FORWARD chain.

I suggest you start by logging first,
eg: iptables -A FORWARD -s <the bad guy> -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j LOG ...

until you understand what the impact of your limiting rules will be.  Limiting web connections sounds great
until you discover your system update uses lots (where lots == a stupid number) of http connections and is
now falling over because you set the limit too low :)

Personally I would start with:
Are there any firmware updates ? -> Yes -> Apply them first.
  |
No
  |
Are you stuck with the ADSL router ?  No -> replace it.
  |
Yes
  |
Put a spare hub/router (or an openwrt compatible one if you have to buy new) between the ADSL router
and the home network.  The openwrt box will provide DHCP+NAT for the internal network and the
ADSL router will only have to deal with the "connection" from the openwrt box.  If that didn't fix the problem
then I'd pop open openwrt and mess with iptables therein.  But as above I would start logging everything
so I could (hopefully) identify the conditions under which the ADSL router went belly up.


Have fun,
Duncan
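The "NAT on the Linux box, log first, limit later" approach Duncan describes, written out as one iptables-restore ruleset. This is an added example and not code from the thread: the interface names (eth0 uplink to the ADSL router, eth1 LAN), the 192.168.1.0/24 LAN, the per-host limit of 40 and the FWD_LIMIT chain name are all assumptions. The ruleset is generated as text so it can be read and parse-checked with `iptables-restore --test` before it touches a live gateway; the REJECT rule is only emitted when enforcement is explicitly switched on.

```shell
#!/bin/sh
# Added example (not from the thread). A Linux gateway between the ADSL
# router and the LAN: MASQUERADE the LAN behind one address, log per-host
# forwarded connection counts first, and reject only when asked to.
# Assumed names: eth0 = uplink to the ADSL router, eth1 = LAN side.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PER_HOST_LIMIT="${PER_HOST_LIMIT:-40}"   # new TCP connections per LAN host
ENFORCE="${ENFORCE:-0}"                  # 0 = log only, 1 = log and reject

# Print the ruleset in iptables-restore format. Argument 1 overrides ENFORCE.
gateway_ruleset() {
    enforce="${1:-$ENFORCE}"
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# The ADSL router now only sees this box's address, not every LAN host.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:FWD_LIMIT - [0:0]
# Replies and related traffic are not new connections; accept them before
# connlimit looks at anything.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j FWD_LIMIT
# Count per source host (/32) and only on the SYN, so one busy host is
# policed without punishing the rest of the LAN. Log first, rate-limited
# so the log itself cannot become the DoS.
-A FWD_LIMIT -p tcp --syn -m connlimit --connlimit-above $PER_HOST_LIMIT --connlimit-mask 32 -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "FWD-CONNLIMIT: "
EOF
    if [ "$enforce" = "1" ]; then
        cat <<EOF
# Only once the logs show the limit is sane: reset the excess SYNs so the
# client fails fast instead of hanging on a timeout.
-A FWD_LIMIT -p tcp --syn -m connlimit --connlimit-above $PER_HOST_LIMIT --connlimit-mask 32 -j REJECT --reject-with tcp-reset
EOF
    fi
    cat <<EOF
-A FWD_LIMIT -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the generated set; a cheap sanity check.
rule_count() {
    gateway_ruleset "$1" | grep -c '^-A'
}

# Parse-only check, nothing is committed. Needs root for the kernel side.
check_ruleset() {
    gateway_ruleset "$1" | iptables-restore --test
}

# Apply for real: enable forwarding, size this box's own conntrack table
# (otherwise the "too small a NAT table" problem just moves here), load rules.
apply_ruleset() {
    check_ruleset "$1" || return 1
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.netfilter.nf_conntrack_max=65536
    gateway_ruleset "$1" | iptables-restore
}

case "${1:-}" in
    check) check_ruleset "${2:-}" ;;
    apply) apply_ruleset "${2:-}" ;;
    *)     gateway_ruleset "${2:-}" ;;
esac
```

Run it with no arguments to print the ruleset, `check` to parse it against the running kernel, and `apply 1` only after a few days of reading the `FWD-CONNLIMIT:` lines in the kernel log to see which hosts (and which legitimate jobs such as package updates) would have been hit.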
