
Max Connections Per User

Discussion in 'Tomato Firmware' started by DuceGT, Oct 16, 2007.

  1. DuceGT

    DuceGT LI Guru Member

    I've used the "universal" script generator app and tried some snippets from iptables with no luck. I tried putting them in the Startup & Firewall sections under Administration. My problem is certain users opening way too many connections over P2P apps, so that I'm not able to use Ventrilo with the lag. QoS does its job of limiting the bandwidth. I'd be fine with limiting them by their MACs or IPs. I love Tomato and I pray that I'm just doing this wrong, as it is a major problem.
     
  2. DuceGT

    DuceGT LI Guru Member

    Desperate bump :(
     
  3. GeeTek

    GeeTek Guest

  4. DuceGT

    DuceGT LI Guru Member

    Thanks GeeTek, but still having problems.

    I've placed this in all of the script locations and it still does not work! My IP is 192.168.3.135, so this is why I've split it up. Is this supposed to apply to both wireless and wired?

    # non-TCP (mostly UDP) connections: cap each LAN host in the range at 50 tracked connections
    iptables -I FORWARD -m iprange --src-range 192.168.3.100-192.168.3.134 -p ! tcp -m connlimit --connlimit-above 50 -j DROP
    iptables -I FORWARD -m iprange --src-range 192.168.3.136-192.168.3.199 -p ! tcp -m connlimit --connlimit-above 50 -j DROP
    # TCP: --syn refuses only new connections once a host is over the cap
    # (the second range must stay inside 192.168.3.x: a range whose end is below its start is rejected by iptables)
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.3.100-192.168.3.134 -m connlimit --connlimit-above 50 -j DROP
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.3.136-192.168.3.199 -m connlimit --connlimit-above 50 -j DROP
     
  5. mikester

    mikester Network Guru Member

    Try logging in with SSH and see what response you get from the command line - usually a good starting point.
     
  6. dondos

    dondos LI Guru Member

    Is there any way to find out the number of connections opened by each IP address? When I was using DD-WRT the following script worked:

    Code:
    sed -n 's%.* src=\(192.168.[0-9.]*\).*%\1%p' /proc/net/ip_conntrack | sort | uniq -c | sort -gr
    How can I use this in Tomato?

    I
     
  7. DuceGT

    DuceGT LI Guru Member

    I've tried all of the scripts posted in other threads and NONE of them work. I'm unfamiliar with SSH, but I entered the lines manually with Telnet... upon pressing Enter it would just start a new line, so no error messages. I love Tomato, but if I can't limit these connections... I might have to change to DD-WRT, because 300+ brings gaming to its knees.
     
  8. u3gyxap

    u3gyxap Network Guru Member

    After you type the lines, please type:
    iptables -L FORWARD
    And paste the output here.
     
  9. jon124

    jon124 LI Guru Member

    LOL, DD-WRT is the last thing you want to switch to. Most people switch to Tomato from DD-WRT because DD-WRT is so bloated and can handle about half the number of connections before crapping things out.
     
  10. mstombs

    mstombs Network Guru Member

    It seems Tomato doesn't have the "uniq" command, apart from that the command works...
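
Counting tracked connections per LAN host without `uniq`, as an added example that is not from the thread or from Tomato: the awk below does the grouping that `sort | uniq -c` did in the dd-wrt one-liner above, and it keys on the first `src=` of each conntrack line only, which is the original (LAN-side) direction; the second `src=` is the remote peer in the reply direction, which the sed version only skips because the peer's address happens not to match 192.168.*. The sample conntrack lines, the 192.168.3.x hosts and the documentation addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): per-host connection counts from the
# conntrack table without "uniq", which this thread reports Tomato lacks.

# Print "<count> <ip>" for every LAN host, most connections first.
#   $1: conntrack table to read (default: /proc/net/ip_conntrack, as on Tomato)
#   $2: address prefix that identifies LAN hosts (default: 192.168.)
count_conns_per_host() {
    table=${1:-/proc/net/ip_conntrack}
    prefix=${2:-192.168.}
    awk -v prefix="$prefix" '
        {
            # use only the FIRST src= field: the original direction, i.e. the
            # LAN host that opened the connection (the second src= is the peer)
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "src=") {
                    ip = substr($i, 5)
                    if (index(ip, prefix) == 1) count[ip]++
                    break
                }
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' "$table" | sort -rn
}

# Print only the hosts with more than $2 tracked connections.
#   $1: conntrack table, $2: limit, $3: LAN prefix (optional)
hosts_over_limit() {
    count_conns_per_host "$1" "${3:-192.168.}" | awk -v limit="$2" '$1 > limit'
}

# Constructed sample in /proc/net/ip_conntrack format so the functions can be
# exercised off the router. Note the UNREPLIED udp entry and the TIME_WAIT tcp
# entry: conntrack (and therefore connlimit) counts those as connections too.
SAMPLE_CONNTRACK=$(mktemp)
cat > "$SAMPLE_CONNTRACK" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.3.135 dst=203.0.113.10 sport=51234 dport=80 packets=12 bytes=1480 src=203.0.113.10 dst=198.51.100.7 sport=80 dport=51234 packets=9 bytes=9001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.3.120 dst=203.0.113.55 sport=6881 dport=6881 packets=3 bytes=300 src=203.0.113.55 dst=198.51.100.7 sport=6881 dport=6881 packets=1 bytes=100 mark=0 use=1
udp      17 29 src=192.168.3.120 dst=203.0.113.56 sport=6881 dport=6881 packets=3 bytes=300 [UNREPLIED] src=203.0.113.56 dst=198.51.100.7 sport=6881 dport=6881 packets=0 bytes=0 mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.3.120 dst=203.0.113.57 sport=40001 dport=6881 packets=5 bytes=500 src=203.0.113.57 dst=198.51.100.7 sport=6881 dport=40001 packets=4 bytes=400 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.3.135 dst=192.168.3.1 sport=40100 dport=80 packets=2 bytes=200 src=192.168.3.1 dst=192.168.3.135 sport=80 dport=40100 packets=2 bytes=200 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=33333 dport=443 packets=2 bytes=200 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=33333 packets=2 bytes=200 [ASSURED] mark=0 use=1
EOF

# Demo on the constructed sample; on the router just run: count_conns_per_host
count_conns_per_host "$SAMPLE_CONNTRACK"
```

On the router the first function reads `/proc/net/ip_conntrack` directly; `hosts_over_limit "" 50` then lists exactly the hosts a `--connlimit-above 50` rule would be hitting, which is a quicker check than reading `iptables -L` counters.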
     
  11. DuceGT

    DuceGT LI Guru Member

    First line

    Code:
    # iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.3.100-192.168.3.190 -m connlimit --connlimit-above 105 -j DROP
    # iptables -L FORWARD
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
               tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 1.0.0.0-1.0.0.0
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    restrict   all  --  anywhere             anywhere
    L7in       all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      all  --  anywhere             anywhere
    wanout     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    upnp       all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             duce

    Second line

    Code:
    # iptables -I FORWARD -m iprange --src-range 192.168.3.100-192.168.3.190 -p ! tcp -m connlimit --connlimit-above 105 -j DROP
    # iptables -L FORWARD
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
               tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 1.0.0.0-1.0.0.0
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    DROP      !tcp  --  anywhere             anywhere            source IP range 192.168.3.100-192.168.3.190 #conn/32 > 105
    ACCEPT     all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere            state INVALID
    TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1461:65535 TCPMSS set 1460
    restrict   all  --  anywhere             anywhere
    L7in       all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    wanin      all  --  anywhere             anywhere
    wanout     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    upnp       all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             duce
     
  12. u3gyxap

    u3gyxap Network Guru Member

    Yes, it should limit the IP range to 210 connections. How many connections do they make?
    If you are experiencing trouble, try without the "--syn" on the tcp rule.
     
  13. DuceGT

    DuceGT LI Guru Member

    It still shows it is tracking ~50% more connections than theoretically should be possible, but it is working. I did have to remove the --syn.

    Thank you so much u3gyxap :drinking:
     
  14. u3gyxap

    u3gyxap Network Guru Member

    Most welcome :)
    It shows it tracks them, but these 50% or more are just attempts that get dropped, not actual connections.
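
An idempotent form of the rules discussed in this thread, added here as an example and not code from the thread or from Tomato. It uses the same iprange and connlimit matches, but keeps them in a private chain that is flushed and re-hooked on every run, so putting the script in more than one of Tomato's script slots, or re-running it, does not stack duplicate rules the way the `iptables -L FORWARD` dump above shows. The chain name, the address range, the exempt host and the limit are assumptions for illustration; the comments record what `--syn` changes, and why connlimit's count is higher than the number of live connections.

```shell
#!/bin/sh
# Added example (not from the thread): per-host connection cap for Tomato's
# Administration > Scripts > Firewall slot. Safe to run repeatedly.

IPT=${IPT:-iptables}              # set IPT=echo to preview the commands without root
CHAIN=${CHAIN:-lan_connlimit}     # hypothetical chain name
RANGE=${RANGE:-192.168.3.100-192.168.3.199}
LIMIT=${LIMIT:-50}                # tracked connections allowed per LAN host
EXEMPT=${EXEMPT:-192.168.3.135}   # host that must never be limited (assumed)

apply_connlimit() {
    # (re)create the private chain: -N only fails if it already exists, then -F
    # empties it, so every run starts from the same state instead of adding rules
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"

    # exempt host first: RETURN leaves the chain before any limit rule is reached
    $IPT -A "$CHAIN" -s "$EXEMPT" -j RETURN

    # TCP. --syn makes the rule act only on connection attempts: a host over the
    # cap cannot open new connections but its existing ones keep flowing. Without
    # --syn every TCP packet from that host is dropped, established flows included.
    # --connlimit-mask 32 (the default) counts per single source address; the
    # count is of conntrack entries, which still include UNREPLIED and TIME_WAIT
    # entries, so it runs above the number of connections the host really has.
    $IPT -A "$CHAIN" -p tcp --syn -m iprange --src-range "$RANGE" \
         -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 32 -j DROP

    # Non-TCP (UDP is what P2P mostly uses): there is no --syn, so every packet
    # of an over-cap host is dropped until enough of its conntrack entries expire.
    # "-p ! tcp" is the syntax the thread's 2007 iptables takes; newer releases
    # write it "! -p tcp".
    $IPT -A "$CHAIN" -p ! tcp -m iprange --src-range "$RANGE" \
         -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 32 -j DROP

    # hook the chain at the top of FORWARD exactly once: delete the previous
    # jump (ignoring "no such rule") before inserting the new one
    $IPT -D FORWARD -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD 1 -j "$CHAIN"
}

show_connlimit() {
    # -n prints addresses instead of resolving them to names, -v adds the
    # packet counters that tell you whether the DROP rules are firing at all
    $IPT -L "$CHAIN" -n -v
}

# In the Tomato firewall script slot just call apply_connlimit at the end;
# from a shell, "sh thisfile apply" or "sh thisfile show".
case "${1:-}" in
    apply) apply_connlimit ;;
    show)  show_connlimit ;;
esac
```

Running `IPT=echo sh thisfile apply` prints the seven iptables commands the script would execute, which is the cheapest way to check the generated rules before committing them to a router that is forwarding live traffic.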
     
  15. namaste

    namaste LI Guru Member

    iptables -I FORWARD -s 192.168.1.121 -p tcp -m connlimit --connlimit-above 50 -j DROP

    Is this okay for TCP? I mean for a single IP?
     
  16. u3gyxap

    u3gyxap Network Guru Member
