
Iptables -- How to limit _Inbound_ Connections

Discussion in 'Tomato Firmware' started by Planiwa, Feb 11, 2012.

  1. Planiwa

    Planiwa LI Guru Member

    We have come to know that we can limit UDP connections _from_ a LAN host like this:

    Code:
    iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 192.168.0.100-192.168.0.249 -m connlimit --connlimit-above 50 -j DROP
    
    But this has no effect on connection flows that originate from outside (with port-forwarding, including UPnP).

    How can those connections be similarly limited?
    That is the primary question.

    ***

    In addition to connections between a LAN host and a WAN host, there are:

    1. NS Connections between a LAN host and the Router.
    2. NS Connections between the Router and the WAN Nameserver(s).
    3. NS Connections between the Router and itself. These look like:
    Code:
    udp      17 19 src=127.0.0.1 dst=127.0.0.1 sport=61468 dport=53 packets=1 bytes=72 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=61468 packets=1 bytes=104 mark=0 use=1
    
    All of these three connection types are Unclassified.
    Types 2 and 3 are caused by (and immediately follow) type 1, and they can be quite numerous, and they appear in surges.

    Has anyone else observed this, and perhaps found a way of managing it?
    That is the secondary question, which may be more difficult and complex than the first.
     
  2. Porter

    Porter LI Guru Member

    Which Tomato version are you using?

    Are you using QoS?

    What are you trying to achieve? Better security or better download speeds?

    Why would you want to manage DNS requests? What do you mean by "manage"?
     
  3. Planiwa

    Planiwa LI Guru Member

    Thank you for giving thought to the questions I raised.

    Of the two questions, the first requires iptables expertise, with an understanding of what happens when a connection to a NATted LAN host is externally initiated (via port-forwarding). As far as I can tell it is an important question for a serious Tomato administrator, although it is not Tomato-specific. It is the kind of question that has a right answer in the form of an iptables rule. That's what I am looking for.

    ***

    The second is a research question, not looking for a "right answer", but for an informed inquiry -- towards better understanding -- into a matter that most practitioners are completely unaware of, just as, at one time, most were unaware of connection storms. I've shared some of my findings and am hoping that others may contribute as well. The results may lead to an improved Tomato.

    Perhaps I should have made two different threads.

    FWIW:
    Tomato v1.28.7494 MIPSR2-Toastman-VLAN-RT K26 USB VPN-NOCAT
    QoS enabled, usually.
    advanced-dhcpdns.asp: Use_Internal_DNS and Prevent_DNS_Rebind_Attacks are checked. (Defaults)
     
  4. Planiwa

    Planiwa LI Guru Member

    Here is an illustration (note the shifted column headers). UDP connections are limited to 50 by the rule given in the thread origin. So, why does 192.168.0.210 have 146 UDP connections?

    [EDIT: Oh no! When I first pasted the copied display into the message it looked just fine! So, please note that these are the numbers from the "IP Traffic Details" page.]

    Code:
    Host              Download   Upload     TCP IN/OUT  UDP IN/OUT  ICMP IN/OUT  TCP          UDP
                      (bytes/s)  (bytes/s)  (pkt/s)     (pkt/s)     (pkt/s)      Connections  Connections
    192.168.0.210     1.87 KB    1.82 KB    4/4         2/3         0/0          87           146
    192.168.0.220     0.11 KB    0.25 KB    1/1         0/0         0/0          6            17
    192.168.0.103     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.111     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.120     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.121     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.130     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.131     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.230     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.240     0.00 KB    0.00 KB    0/0         0/0         0/0          0            1
    192.168.0.250     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    192.168.0.251     0.00 KB    0.00 KB    0/0         0/0         0/0          0            0
    Total (12 hosts)  1.98 KB    2.07 KB    5/5         3/3         0/0          93           164
     
  5. Porter

    Porter LI Guru Member

    First part:

    I think this rule

    Code:
    iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 192.168.0.100-192.168.0.249 -m connlimit --connlimit-above 50 -j DROP
    should look like this:

    Code:
    iptables -t nat -I PREROUTING -p ! tcp -m connlimit --connlimit-above 50 -j DROP
    because external connection attempts will never get matched due to the ip range condition.

    Second part:
    Do you expect connection storms with udp packets originating from your internal network? I don't know whether the above rule already prevents that. Most of the connlimit rules I saw were put into FORWARD or INPUT so you could experiment with these (additionally to the one above). Btw I just found one thread started by you: http://www.linksysinfo.org/index.ph...hallenge-programmers.30611/page-2#post-149785 Didn't this solve your question?

    One thing I would like to add is that in my /etc/iptables there are no rules that limit connections (using Toastman 7632.3)! For some reason this didn't find its way into the Toastman build, although I think this is a reasonable counter measure.

    Third part:
    Concerning the IP Traffic Monitor I have no answer, yet. It's probably best to ask Teaman about this. Maybe the connection monitor only displays some kind of average number.
     
  6. Planiwa

    Planiwa LI Guru Member

    Another data point -- with Porter's rule inserted as well:

    [attached image: 02122121.png]

    And here's what some of these connections are: (this is not for casual readers)
    Code:
    < $CT awk ' $1=="udp" && !/ort=53/ {if (substr($4,1,7)!="src=192") {gsub(/src=[0-9.]+/,"src=?");gsub(/dst=[0-9.]+/,"dst=?");print}}'
    udp      17 14 src=? dst=? sport=16165 dport=11078 packets=9 bytes=522 [UNREPLIED] src=? dst=? sport=11078 dport=16165 packets=0 bytes=0 mark=0 use=1
    udp      17 12 src=? dst=? sport=49660 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=49660 packets=0 bytes=0 mark=0 use=1
    udp      17 168 src=? dst=? sport=27421 dport=11078 packets=27 bytes=2363 src=? dst=? sport=11078 dport=27421 packets=23 bytes=1655 [ASSURED] mark=27263241 use=1
    udp      17 16 src=? dst=? sport=61245 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=61245 packets=0 bytes=0 mark=0 use=1
    udp      17 18 src=? dst=? sport=61985 dport=11078 packets=1 bytes=145 [UNREPLIED] src=? dst=? sport=11078 dport=61985 packets=0 bytes=0 mark=0 use=1
    udp      17 16 src=? dst=? sport=11935 dport=55183 packets=1 bytes=129 src=? dst=? sport=55183 dport=11935 packets=1 bytes=313 mark=27263241 use=1
    udp      17 179 src=? dst=? sport=46746 dport=11078 packets=2352 bytes=2854431 src=? dst=? sport=11078 dport=46746 packets=2009 bytes=108519 [ASSURED] mark=267386889 use=2
    udp      17 17 src=? dst=? sport=64064 dport=11078 packets=8 bytes=464 [UNREPLIED] src=? dst=? sport=11078 dport=64064 packets=0 bytes=0 mark=0 use=1
    udp      17 174 src=? dst=? sport=60613 dport=11078 packets=25 bytes=3468 src=? dst=? sport=11078 dport=60613 packets=17 bytes=2280 [ASSURED] mark=267386889 use=1
    udp      17 9 src=? dst=? sport=13210 dport=11078 packets=6 bytes=348 [UNREPLIED] src=? dst=? sport=11078 dport=13210 packets=0 bytes=0 mark=0 use=1
    udp      17 28 src=? dst=? sport=6672 dport=55183 packets=2 bytes=305 src=? dst=? sport=55183 dport=6672 packets=2 bytes=467 [ASSURED] mark=27263241 use=1
    udp      17 4 src=? dst=? sport=43227 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=43227 packets=1 bytes=315 mark=27263241 use=1
    udp      17 28 src=? dst=? sport=48308 dport=11078 packets=4 bytes=232 [UNREPLIED] src=? dst=? sport=11078 dport=48308 packets=0 bytes=0 mark=0 use=2
    udp      17 179 src=? dst=? sport=58211 dport=11078 packets=1270 bytes=1598022 src=? dst=? sport=11078 dport=58211 packets=1197 bytes=71532 [ASSURED] mark=267386889 use=3
    udp      17 4 src=? dst=? sport=60575 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=60575 packets=0 bytes=0 mark=0 use=1
    udp      17 24 src=? dst=? sport=40438 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=40438 packets=0 bytes=0 mark=0 use=1
    udp      17 0 src=? dst=? sport=51702 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=51702 packets=1 bytes=315 mark=27263241 use=1
    udp      17 26 src=? dst=? sport=47468 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=47468 packets=0 bytes=0 mark=0 use=1
    udp      17 12 src=? dst=? sport=15102 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=15102 packets=0 bytes=0 mark=0 use=1
    udp      17 7 src=? dst=? sport=10639 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=10639 packets=1 bytes=315 mark=27263241 use=1
    udp      17 18 src=? dst=? sport=60709 dport=11078 packets=4 bytes=232 [UNREPLIED] src=? dst=? sport=11078 dport=60709 packets=0 bytes=0 mark=0 use=1
    udp      17 20 src=? dst=? sport=42014 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=42014 packets=0 bytes=0 mark=0 use=1
    udp      17 10 src=? dst=? sport=20651 dport=11078 packets=8 bytes=464 [UNREPLIED] src=? dst=? sport=11078 dport=20651 packets=0 bytes=0 mark=0 use=1
    udp      17 156 src=? dst=? sport=41664 dport=11078 packets=30 bytes=3195 src=? dst=? sport=11078 dport=41664 packets=37 bytes=4458 [ASSURED] mark=267386889 use=1
    udp      17 17 src=? dst=? sport=19996 dport=11078 packets=13 bytes=754 [UNREPLIED] src=? dst=? sport=11078 dport=19996 packets=0 bytes=0 mark=0 use=1
    udp      17 14 src=? dst=? sport=58099 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=58099 packets=0 bytes=0 mark=0 use=1
    udp      17 14 src=? dst=? sport=14562 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=14562 packets=0 bytes=0 mark=0 use=1
    udp      17 169 src=? dst=? sport=34728 dport=11078 packets=853 bytes=745918 src=? dst=? sport=11078 dport=34728 packets=810 bytes=60668 [ASSURED] mark=267386889 use=1
    udp      17 20 src=? dst=? sport=25323 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=25323 packets=0 bytes=0 mark=0 use=1
    udp      17 27 src=? dst=? sport=22171 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=22171 packets=0 bytes=0 mark=0 use=2
    udp      17 8 src=? dst=? sport=32792 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=32792 packets=0 bytes=0 mark=0 use=1
    udp      17 3 src=? dst=? sport=63406 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=63406 packets=0 bytes=0 mark=0 use=1
    udp      17 24 src=? dst=? sport=45718 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=45718 packets=1 bytes=315 mark=27263241 use=1
    udp      17 7 src=? dst=? sport=45123 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=45123 packets=0 bytes=0 mark=0 use=1
    udp      17 25 src=? dst=? sport=57276 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=57276 packets=0 bytes=0 mark=0 use=1
    udp      17 28 src=? dst=? sport=12073 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=12073 packets=0 bytes=0 mark=0 use=1
    udp      17 16 src=? dst=? sport=21389 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=21389 packets=1 bytes=315 mark=27263241 use=1
    udp      17 22 src=? dst=? sport=42872 dport=11078 packets=6 bytes=348 [UNREPLIED] src=? dst=? sport=11078 dport=42872 packets=0 bytes=0 mark=0 use=1
    udp      17 170 src=? dst=? sport=20014 dport=11078 packets=164 bytes=187601 src=? dst=? sport=11078 dport=20014 packets=136 bytes=10072 [ASSURED] mark=27263241 use=1
    udp      17 54 src=? dst=? sport=30037 dport=55183 packets=9 bytes=1361 src=? dst=? sport=55183 dport=30037 packets=9 bytes=2096 [ASSURED] mark=27263241 use=1
    udp      17 9 src=? dst=? sport=21387 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=21387 packets=0 bytes=0 mark=0 use=1
    udp      17 2 src=? dst=? sport=42711 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=42711 packets=0 bytes=0 mark=0 use=1
    udp      17 9 src=? dst=? sport=24570 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=24570 packets=0 bytes=0 mark=0 use=1
    udp      17 179 src=? dst=? sport=60081 dport=11078 packets=3357 bytes=4272554 src=? dst=? sport=11078 dport=60081 packets=2774 bytes=171751 [ASSURED] mark=267386889 use=3
    udp      17 16 src=? dst=? sport=21392 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=21392 packets=0 bytes=0 mark=0 use=1
    udp      17 50 src=? dst=? sport=50184 dport=55183 packets=2 bytes=262 src=? dst=? sport=55183 dport=50184 packets=2 bytes=630 [ASSURED] mark=27263241 use=1
    udp      17 21 src=? dst=? sport=2359 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=2359 packets=0 bytes=0 mark=0 use=1
    udp      17 27 src=? dst=? sport=10633 dport=11078 packets=4 bytes=232 [UNREPLIED] src=? dst=? sport=11078 dport=10633 packets=0 bytes=0 mark=0 use=1
    udp      17 20 src=? dst=? sport=45682 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=45682 packets=0 bytes=0 mark=0 use=1
    udp      17 10 src=? dst=? sport=43586 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=43586 packets=0 bytes=0 mark=0 use=1
    udp      17 0 src=? dst=? sport=59789 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=59789 packets=0 bytes=0 mark=0 use=1
    udp      17 16 src=? dst=? sport=45682 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=45682 packets=0 bytes=0 mark=0 use=1
    udp      17 18 src=? dst=? sport=34345 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=34345 packets=0 bytes=0 mark=0 use=1
    udp      17 179 src=? dst=? sport=4662 dport=11078 packets=2406 bytes=3056394 src=? dst=? sport=11078 dport=4662 packets=2115 bytes=125992 [ASSURED] mark=267386889 use=4
    udp      17 176 src=? dst=? sport=54004 dport=11078 packets=1871 bytes=2232130 src=? dst=? sport=11078 dport=54004 packets=1626 bytes=111487 [ASSURED] mark=267386889 use=2
    udp      17 171 src=? dst=? sport=41599 dport=11078 packets=12 bytes=1365 src=? dst=? sport=11078 dport=41599 packets=10 bytes=1016 [ASSURED] mark=267386889 use=1
    udp      17 0 src=? dst=? sport=45682 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=45682 packets=0 bytes=0 mark=0 use=1
    udp      17 178 src=? dst=? sport=40938 dport=11078 packets=103 bytes=82041 src=? dst=? sport=11078 dport=40938 packets=74 bytes=6571 [ASSURED] mark=27263241 use=3
    udp      17 28 src=? dst=? sport=28741 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=28741 packets=0 bytes=0 mark=0 use=2
    udp      17 179 src=? dst=? sport=27030 dport=11078 packets=3925 bytes=5116887 src=? dst=? sport=11078 dport=27030 packets=3462 bytes=198453 [ASSURED] mark=267386889 use=1
    udp      17 21 src=? dst=? sport=14133 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=14133 packets=0 bytes=0 mark=0 use=1
    udp      17 96 src=? dst=? sport=48013 dport=11078 packets=8 bytes=502 src=? dst=? sport=11078 dport=48013 packets=1 bytes=95 [ASSURED] mark=267386889 use=1
    udp      17 15 src=? dst=? sport=44599 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=44599 packets=0 bytes=0 mark=0 use=1
    udp      17 28 src=? dst=? sport=32837 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=32837 packets=0 bytes=0 mark=0 use=2
    udp      17 27 src=? dst=? sport=3104 dport=11078 packets=9 bytes=522 [UNREPLIED] src=? dst=? sport=11078 dport=3104 packets=0 bytes=0 mark=0 use=1
    udp      17 15 src=? dst=? sport=16956 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=16956 packets=0 bytes=0 mark=0 use=1
    udp      17 25 src=? dst=? sport=64983 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=64983 packets=0 bytes=0 mark=0 use=1
    udp      17 2 src=? dst=? sport=62621 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=62621 packets=1 bytes=315 mark=27263241 use=1
    udp      17 28 src=? dst=? sport=43352 dport=11078 packets=7 bytes=406 [UNREPLIED] src=? dst=? sport=11078 dport=43352 packets=0 bytes=0 mark=0 use=2
    udp      17 23 src=? dst=? sport=59817 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=59817 packets=0 bytes=0 mark=0 use=1
    udp      17 17 src=? dst=? sport=14257 dport=55183 packets=1 bytes=126 src=? dst=? sport=55183 dport=14257 packets=1 bytes=319 mark=27263241 use=1
    udp      17 16 src=? dst=? sport=61605 dport=55183 packets=2 bytes=258 src=? dst=? sport=55183 dport=61605 packets=2 bytes=734 [ASSURED] mark=27263241 use=1
    udp      17 48 src=? dst=? sport=49098 dport=11078 packets=3 bytes=222 src=? dst=? sport=11078 dport=49098 packets=2 bytes=106 [ASSURED] mark=267386889 use=1
    udp      17 19 src=? dst=? sport=1024 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=1024 packets=0 bytes=0 mark=0 use=1
    udp      17 178 src=? dst=? sport=46099 dport=11078 packets=254 bytes=330791 src=? dst=? sport=11078 dport=46099 packets=213 bytes=13377 [ASSURED] mark=27263241 use=3
    udp      17 112 src=? dst=? sport=43983 dport=55183 packets=2 bytes=262 src=? dst=? sport=55183 dport=43983 packets=2 bytes=630 [ASSURED] mark=27263241 use=1
    udp      17 18 src=? dst=? sport=59978 dport=55183 packets=1 bytes=131 src=? dst=? sport=55183 dport=59978 packets=1 bytes=315 mark=27263241 use=1
    udp      17 18 src=? dst=? sport=12126 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=12126 packets=0 bytes=0 mark=0 use=1
    udp      17 1 src=? dst=? sport=64535 dport=11078 packets=2 bytes=153 [UNREPLIED] src=? dst=? sport=11078 dport=64535 packets=0 bytes=0 mark=0 use=1
    udp      17 10 src=? dst=? sport=62644 dport=11078 packets=2 bytes=262 [UNREPLIED] src=? dst=? sport=11078 dport=62644 packets=0 bytes=0 mark=0 use=1
    udp      17 27 src=? dst=? sport=58005 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=58005 packets=0 bytes=0 mark=0 use=1
    udp      17 7 src=? dst=? sport=11570 dport=11078 packets=2 bytes=116 [UNREPLIED] src=? dst=? sport=11078 dport=11570 packets=0 bytes=0 mark=0 use=1
    udp      17 14 src=? dst=? sport=24900 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=24900 packets=0 bytes=0 mark=0 use=1
    udp      17 178 src=? dst=? sport=27173 dport=11078 packets=280 bytes=148212 src=? dst=? sport=11078 dport=27173 packets=292 bytes=29564 [ASSURED] mark=267386889 use=3
    udp      17 1 src=? dst=? sport=54810 dport=11078 packets=1 bytes=58 [UNREPLIED] src=? dst=? sport=11078 dport=54810 packets=0 bytes=0 mark=0 use=1
    udp      17 0 src=? dst=? sport=21684 dport=55183 packets=1 bytes=126 src=? dst=? sport=55183 dport=21684 packets=1 bytes=319 mark=27263241 use=1
    udp      17 178 src=? dst=? sport=14640 dport=11078 packets=200 bytes=259971 src=? dst=? sport=11078 dport=14640 packets=176 bytes=10178 [ASSURED] mark=267386889 use=4
    udp      17 2 src=? dst=? sport=57916 dport=11078 packets=1 bytes=95 [UNREPLIED] src=? dst=? sport=11078 dport=57916 packets=0 bytes=0 mark=0 use=1
    udp      17 178 src=? dst=? sport=57325 dport=11078 packets=186 bytes=214618 src=? dst=? sport=11078 dport=57325 packets=157 bytes=10866 [ASSURED] mark=267386889 use=3
    udp      17 26 src=? dst=? sport=12443 dport=55183 packets=1 bytes=126 src=? dst=? sport=55183 dport=12443 packets=1 bytes=319 mark=27263241 use=1
    udp      17 160 src=? dst=? sport=45682 dport=11078 packets=66 bytes=11138 src=? dst=? sport=11078 dport=45682 packets=71 bytes=7058 [ASSURED] mark=27263241 use=1
    udp      17 127 src=? dst=? sport=15878 dport=11078 packets=1957 bytes=2136428 src=? dst=? sport=11078 dport=15878 packets=1740 bytes=116142 [ASSURED] mark=267386889 use=1
    
     
  7. teaman

    teaman LI Guru Member

    I'm not entirely sure about what you mean with the idea of UDP connections: it's supposed to be a stateless protocol, right? ;)

    Although there seems to be some sort of tracking for UDP...
    Code:
    root@vader:/tmp/home/root# cat /proc/net/ip_conntrack | grep ^udp | grep UNREPLIED | wc -l
    6
    root@vader:/tmp/home/root# cat /proc/net/ip_conntrack | grep ^udp | grep ASSURED | wc -l
    2
    root@vader:/tmp/home/root# cat /proc/net/ip_conntrack | grep ^udp | grep -v UNREPLIED | grep -v ASSURED | wc -l
    8
    root@vader:/tmp/home/root#
    
    ... I'm afraid connlimit can handle TCP only:
    http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit

    Other interesting links:
    http://www.faqs.org/docs/iptables/theconntrackentries.html
    http://www.rigacci.org/wiki/lib/exe/fetch.php/doc/appunti/linux/sa/iptables/conntrack.html
    http://www.cyberciti.biz/faq/iptables-connection-limits-howto/

    Cheers!
     
  8. Planiwa

    Planiwa LI Guru Member

    Code:
    # iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 109K packets, 12M bytes)
    pkts bytes target    prot opt in    out    source              destination
    8229  878K DROP      !tcp  --  any    any    anywhere            anywhere            source IP range 192.168.0.100-192.168.0.249 #conn/32 > 90
    ...
    4794  461K DROP      !tcp  --  any    any    anywhere            anywhere            #conn/32 > 50
    
    The first rule is part of the Toastman distribution (commented out in FW-Up Script), the second one was provided by Porter in this thread. Both do work, in part.
     
  9. teaman

    teaman LI Guru Member

    Good catch. Then, I wonder if perhaps we could find some sort of correlation and/or clues by checking into /proc/net/ip_conntrack for connlimit/UDP (regarding those ASSURED/UNREPLIED/neither 'states').

    Best of luck!
     
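The correlation teaman suggests, and the question Porter's rule change raises in post 5, can be checked directly against /proc/net/ip_conntrack. The script below is an added example for this thread; it is not code from the thread, from Tomato or from netfilter. It parses the ip_conntrack line format shown in the posts above, tags each UDP entry with the LAN host it belongs to and with who opened it (the LAN host, or a WAN peer through a port forward or UPnP mapping), sorts the DNS entries into the three types listed in the first post, counts UNREPLIED/ASSURED/neither like the grep pipelines in post 7, and compares the per-LAN-host count with what a per-source-address count sees. That last count is an approximation of connlimit with the /32 mask shown in the "#conn/32 > 50" counters: it counts entries by the source address of the original direction, and no more is claimed about the kernel's implementation. The LAN range 192.168.0.0/24, the router addresses 192.168.0.1 and 198.51.100.7, and the sample entries are constructed assumptions; port 11078 and the 127.0.0.1 DNS line are reused from the dumps in this thread.

```python
"""Classify UDP conntrack entries and compare per-host with per-source counts.

Added example (not from the thread or Tomato). Topology below is assumed.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.0.0/24")      # assumed LAN
ROUTER_LAN = ipaddress.ip_address("192.168.0.1")  # assumed router LAN address
LOOPBACK = ipaddress.ip_address("127.0.0.1")
KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """One ip_conntrack line -> {proto, orig, reply, flags}.

    The first src=/dst=/sport=/dport= group is the original direction as the
    first packet was seen (before NAT); the second is the expected reply
    (after NAT). [UNREPLIED]/[ASSURED] are conntrack's UDP state hints.
    """
    fields = line.split()
    flags = {f.strip("[]") for f in fields if f.startswith("[")}
    tuples, cur = [], {}
    for f in fields:
        m = KV.fullmatch(f)
        if not m:
            continue
        key, val = m.groups()
        if key == "src" and cur:          # second src= starts the reply tuple
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)
    return {"proto": fields[0], "orig": tuples[0], "reply": tuples[1], "flags": flags}


def classify(entry):
    """Return (kind, lan_host).

    outbound: a LAN host opened it and it was SNATed to the WAN.
    inbound: a WAN peer opened it and it was DNATed to a LAN host (port forward/UPnP).
    lan-router / router-wan / router-self: the three DNS cases from the first post.
    """
    o_src = ipaddress.ip_address(entry["orig"]["src"])
    o_dst = ipaddress.ip_address(entry["orig"]["dst"])
    r_src = ipaddress.ip_address(entry["reply"]["src"])
    if o_src == LOOPBACK and o_dst == LOOPBACK:
        return "router-self", None
    if o_src in LAN and o_src != ROUTER_LAN:
        if o_dst == ROUTER_LAN:
            return "lan-router", str(o_src)
        if o_dst not in LAN:
            return "outbound", str(o_src)
        return "other", str(o_src)
    if o_src not in LAN and r_src in LAN and r_src != ROUTER_LAN:
        return "inbound", str(r_src)        # the LAN host is only visible in the reply tuple
    if o_src not in LAN and o_dst not in LAN:
        return "router-wan", None
    return "other", None


def parse_table(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def per_lan_host(entries):
    """Entries per LAN host, whichever direction opened them (what the IP Traffic page shows)."""
    counts = Counter()
    for e in entries:
        _, host = classify(e)
        if host is not None:
            counts[host] += 1
    return counts


def per_source(entries):
    """Entries per ORIGINAL source address: the quantity a /32 connlimit rule keys on.
    Each inbound WAN peer is its own source, so a port-forwarded LAN host never
    accumulates a count here no matter how many peers reach it."""
    return Counter(e["orig"]["src"] for e in entries)


def connlimit_exceeded(entries, limit):
    """Sources a per-source --connlimit-above LIMIT rule would start dropping."""
    return {src for src, n in per_source(entries).items() if n > limit}


def state_counts(entries):
    """UNREPLIED / ASSURED / neither, matching the three grep pipelines in post 7."""
    counts = Counter()
    for e in entries:
        key = "UNREPLIED" if "UNREPLIED" in e["flags"] else "ASSURED" if "ASSURED" in e["flags"] else "neither"
        counts[key] += 1
    return counts


# Constructed sample: 3 flows opened by 192.168.0.210, 4 opened by WAN peers toward
# its forwarded port 11078, and one DNS entry of each of the three router types.
SAMPLE = """\
udp      17 170 src=192.168.0.210 dst=203.0.113.10 sport=40001 dport=11078 packets=12 bytes=1365 src=203.0.113.10 dst=198.51.100.7 sport=11078 dport=40001 packets=10 bytes=1016 [ASSURED] mark=0 use=1
udp      17 171 src=192.168.0.210 dst=203.0.113.11 sport=40002 dport=11078 packets=12 bytes=1365 src=203.0.113.11 dst=198.51.100.7 sport=11078 dport=40002 packets=10 bytes=1016 [ASSURED] mark=0 use=1
udp      17 20 src=192.168.0.210 dst=203.0.113.12 sport=40003 dport=11078 packets=1 bytes=95 [UNREPLIED] src=203.0.113.12 dst=198.51.100.7 sport=11078 dport=40003 packets=0 bytes=0 mark=0 use=1
udp      17 14 src=203.0.113.20 dst=198.51.100.7 sport=16165 dport=11078 packets=9 bytes=522 [UNREPLIED] src=192.168.0.210 dst=203.0.113.20 sport=11078 dport=16165 packets=0 bytes=0 mark=0 use=1
udp      17 12 src=203.0.113.21 dst=198.51.100.7 sport=49660 dport=11078 packets=2 bytes=116 [UNREPLIED] src=192.168.0.210 dst=203.0.113.21 sport=11078 dport=49660 packets=0 bytes=0 mark=0 use=1
udp      17 179 src=203.0.113.22 dst=198.51.100.7 sport=46746 dport=11078 packets=2352 bytes=2854431 src=192.168.0.210 dst=203.0.113.22 sport=11078 dport=46746 packets=2009 bytes=108519 [ASSURED] mark=0 use=2
udp      17 16 src=203.0.113.23 dst=198.51.100.7 sport=61245 dport=11078 packets=1 bytes=95 [UNREPLIED] src=192.168.0.210 dst=203.0.113.23 sport=11078 dport=61245 packets=0 bytes=0 mark=0 use=1
udp      17 25 src=192.168.0.220 dst=192.168.0.1 sport=51234 dport=53 packets=1 bytes=60 src=192.168.0.1 dst=192.168.0.220 sport=53 dport=51234 packets=1 bytes=120 mark=0 use=1
udp      17 25 src=198.51.100.7 dst=192.0.2.53 sport=33333 dport=53 packets=1 bytes=60 src=192.0.2.53 dst=198.51.100.7 sport=53 dport=33333 packets=1 bytes=120 mark=0 use=1
udp      17 19 src=127.0.0.1 dst=127.0.0.1 sport=61468 dport=53 packets=1 bytes=72 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=61468 packets=1 bytes=104 mark=0 use=1
"""


def main():
    entries = parse_table(SAMPLE)
    print("kinds:     ", dict(Counter(classify(e)[0] for e in entries)))
    print("per host:  ", dict(per_lan_host(entries)))
    print("per source:", dict(per_source(entries)))
    print("states:    ", dict(state_counts(entries)))
    print("per-source limit 5 would drop:", connlimit_exceeded(entries, 5) or "nothing")


if __name__ == "__main__":
    main()
```

On a router, replace SAMPLE with the contents of /proc/net/ip_conntrack (the same file the grep pipelines in post 7 read). In the constructed sample 192.168.0.210 holds seven UDP entries, but its own source address appears in only three of them; the other four each have a different WAN peer as source, so a per-source limit of 5 drops nothing, and a rule that additionally matches `--src-range 192.168.0.100-192.168.0.249` never sees those four at all. That is the gap the first post describes: to cap what a port-forwarded LAN host receives, the count has to be keyed on the LAN host, which the reply tuple identifies, not on the original source.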
