Thu, 10 Jan 2002 11:12:25 +0100 (CET)
> HI, I badly require to control the no. of conns per host to a server.
> iptables -A FORWARD -s 192.168.10.0/24 -d 192.168.1.25 -p tcp --syn
> --dport 25 -m iplimit --iplimit-above 2 -j REJECT
well, as it was already pointed before, such a rule will limit the
whole 192.168.10.0/24 subnet, not each IP address in it.
currently, I don't know of any easy way of doing what you want
with iptables, except creating one rule per IP address - which is
very ugly, especially when you have thousands of IP addresses,
and a few dozens of rules...
another way would be to write a iplimit derivative, working with
conntracking, and enforcing the limits by IP address.
IMHO, the better thing would be to devise a new system in
iptables, allowing "partition" of connections ; i.e. you could
specify "separate by src IP address", "separate by dst TCP port",
or suchlike ; and then, specify a target or match to be dynamically
applied to each "partition" thus created.
as this would imply a new concept in the netfilter framework,
I don't expect such functionality to come up before 2.5.X kernels :-)
in the meanwhile, a similar functionality might be achieved by
a match creating new rules on the fly (i.e., a packet comes thru
the "partition" match ; the match checks whether it has already
met a packet belonging to this "partition" ; if it is the case,
nothing is done ; else, a rule is dynamically created - say, appended
in a special chain).
I'm not familiar with netfilter internals ; but from the outside,
when some NAT occurs, it creates a kind of dynamic "rule"
somewhere to mangle IP addresses (+ ports), so it should be
possible to create a kind of dynamic rule somewhere to control/
mangle other things ...
Jerome Petazzoni <skaya at enix dot org>