We have come to know that we can limit UDP connections _from_ a LAN host like this:

Code:
    iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 192.168.0.100-192.168.0.249 -m connlimit --connlimit-above 50 -j DROP

But this has no effect on connection flows that originate from outside (with port-forwarding, including UPnP). How can those connections be similarly limited? That is the primary question.

***

In addition to connections between a LAN host and a WAN host, there are:

1. NS connections between a LAN host and the Router.
2. NS connections between the Router and the WAN nameserver(s).
3. NS connections between the Router and itself.

These look like:

Code:
    udp 17 19 src=127.0.0.1 dst=127.0.0.1 sport=61468 dport=53 packets=1 bytes=72 src=127.0.0.1 dst=127.0.0.1 sport=53 dport=61468 packets=1 bytes=104 mark=0 use=1

All of these three connection types are Unclassified. Types 2 and 3 are caused by (and immediately follow) type 1, and they can be quite numerous, and they appear in surges. Has anyone else observed this, and perhaps found a way of managing it? That is the secondary question, which may be more difficult and complex than the first.
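The following is an added example written for this post, not code from the poster or from any router firmware. It generates three groups of iptables rules: the poster's per-source cap on outbound UDP flows, a matching per-destination cap on inbound port-forwarded UDP flows, and a rule that keeps the router's own loopback DNS lookups (the type 3 entries above) out of the conntrack table. It assumes an iptables build with the `connlimit` match including `--connlimit-daddr`, the `conntrack` and `multiport` matches, and the `raw` table with the `NOTRACK` target; whether a given firmware ships all of these is not known from the post. The LAN range and limit are taken from the rule in the post. With `IPTABLES` left at its default of `echo iptables` the script only prints the rules, so it can be reviewed before being applied as root with `IPTABLES=iptables`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: iptables with
# connlimit (--connlimit-saddr/--connlimit-daddr), the conntrack and
# multiport matches, and a raw table that supports the NOTRACK target.
# IPTABLES defaults to "echo iptables" so the rules are printed, not applied.

IPTABLES="${IPTABLES:-echo iptables}"
LAN_RANGE="${LAN_RANGE:-192.168.0.100-192.168.0.249}"   # range from the post
LIMIT="${LIMIT:-50}"                                     # limit from the post

# (a) The poster's rule, narrowed to UDP: cap the number of UDP flows any
# single LAN host (counted by source address) may have open at once.
outbound_udp_limit() {
    $IPTABLES -t nat -I PREROUTING -p udp \
        -m iprange --src-range "$LAN_RANGE" \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-saddr -j DROP
}

# (b) Inbound, port-forwarded flows. A connlimit rule in nat PREROUTING that
# runs before the DNAT rule still sees the router's WAN address as the
# destination, and rules after a DNAT rule are never reached, so a per-LAN-host
# count has to be taken after translation. The filter FORWARD chain sees the
# rewritten destination. --connlimit-daddr counts per destination host and
# --ctstate NEW limits the match to the first packet of each flow, so already
# accepted flows are not cut off when the cap is reached.
inbound_udp_limit() {
    $IPTABLES -I FORWARD -p udp \
        -m iprange --dst-range "$LAN_RANGE" \
        -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-daddr -j DROP
}

# (c) Router-to-itself DNS (127.0.0.1 <-> 127.0.0.1, port 53) needs neither NAT
# nor state. Marking both directions NOTRACK in the raw table means no
# conntrack entry is created for them. "multiport --ports 53" matches either
# source or destination port 53, which covers the query and the reply.
# Only loopback traffic is excluded here: untracking the LAN-to-router or
# router-to-WAN queries (types 1 and 2) would also defeat any stateful
# INPUT/OUTPUT rules those flows rely on, so that is left alone.
local_dns_notrack() {
    $IPTABLES -t raw -I OUTPUT -o lo -p udp -m multiport --ports 53 -j NOTRACK
    $IPTABLES -t raw -I PREROUTING -i lo -p udp -m multiport --ports 53 -j NOTRACK
}

# Emit (or apply) all three groups in order.
apply_all() {
    outbound_udp_limit
    inbound_udp_limit
    local_dns_notrack
}

# Run stand-alone: prints the rules with the default IPTABLES setting.
case "${0##*/}" in
    *.sh|sh|bash) apply_all ;;
esac
```

Note that the conntrack table entries shown in the post are what connlimit counts, so the caps in (a) and (b) are only as accurate as the table itself: flows that have already timed out no longer count, and entries excluded by (c) are invisible to both limits.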