[Nottingham] Linux number of forwarded net connections limit

Martin martin at ml1.co.uk
Wed Oct 12 14:10:43 UTC 2011

> iptables can be do this sort of thing (man iptables, search for
> connbytes,connlimit,connmark,conntrack etc).

Thanks for that. Looks to be exactly the trick.

> I suggest you start by logging first,
> eg: iptables -A FORWARD -s <the bad guy> -p tcp --syn --dport 23 -m
> connlimit --connlimit-above 2 -j LOG ...
> until you understand what the impact of your limiting rules will be.
>  Limiting web connections sounds great
> until you discover your system update uses lot (where lots == a stupid
> number) of http connections and is
> now falling over because you set the limit too low :)

Mmmm... I'll try logging a 'typical' Windows update to see what that
does... (Might not be the torrenting after all...)

> Personally I would start with:
> Are there any firware updates ? -> Yes -> Apply them first.
>  |
> No
>  |
> Are you stuck the ADSL router ?  No -> replace it.
>  |
> Yes
>  |
> Put a spare hub/router (or an openwrt compatible one if I you have to buy
> new) between the ADSL router
> and the home network.  The openwrt box will provide DHCP+NAT for the
> internal network and the
> ADSL router will only have to deal with the "connection" from the openwrt

Good points thanks. I'm puzzling through how best to minimise hassling
an already disgruntled user... Hence the hope for a plug'n'work

(Amazing how people get upset about intermittent connections...)

> box.  If that didn't fix the problem
> then I'd pop open openwrt and mess with iptables therein.  But as above I
> would start logging everything
> so I could (hopefully) identify the conditions under which the ADSL router
> went belly up.

I'm hoping not to have to do take the time to go that deep...

I've got a spare ADSL modem I know works. If I can get the ADSL
details, then I could send that preconfigured with a wrt54...

And... The dd-wrt distro looks very good.

However, for the sake a laziness (and rather, lack of time), anyone
any experience of how well the non-linux-flashed wrt54 works for QoS
and NAT?


More information about the Nottingham mailing list