IPLIMIT ?

[Jerome Petazzoni]

> HI, I badly require to control the no. of conns per host to a server.
[...]
> iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.1.25 -p tcp --syn
> --dport 25 -m iplimit --iplimit-above 2 -j REJECT

well, as it was already pointed before, such a rule will limit the
whole 192.168.10.0/24 subnet, not each IP address in it.

currently, I don't know of any easy way of doing what you want
with iptables, except creating one rule per IP address - which is
very ugly, especially when you have thousands of IP addresses,
and a few dozens of rules...

another way would be to write a iplimit derivative, working with
conntracking, and enforcing the limits by IP address.

IMHO, the better thing would be to devise a new system in 
iptables, allowing "partition" of connections ; i.e. you could
specify "separate by src IP address", "separate by dst TCP port",
or suchlike ; and then, specify a target or match to be dynamically
applied to each "partition" thus created.

as this would imply a new concept in the netfilter framework,
I don't expect such functionality to come up before 2.5.X kernels :-)

in the meanwhile, a similar functionality might be achieved by
a match creating new rules on the fly (i.e., a packet comes thru 
the "partition" match ; the match checks whether it has already
met a packet belonging to this "partition" ; if it is the case, 
nothing is done ; else, a rule is dynamically created - say, appended
in a special chain).

I'm not familiar with netfilter internals ; but from the outside,
when some NAT occurs, it creates a kind of dynamic "rule" 
somewhere to mangle IP addresses (+ ports), so it should be 
possible to create a kind of dynamic rule somewhere to control/
mangle other things ...

regards,
Jerome Petazzoni <skaya at enix dot org>