
Need help writing script for firewall in Tomato

Discussion in 'Tomato Firmware' started by OnTilt, Dec 4, 2012.

  1. OnTilt

    OnTilt Serious Server Member

    I'm trying to write a simple script to limit the number of connections per user. I've followed the tutorial, but it doesn't seem to be limiting anything. I still see users with many more connections than the limit of 50 I'm trying to impose. Any help would be greatly appreciated.

    Below is what I'm trying:

    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.64-192.168.1.249 -m connlimit --connlimit-above 50 -j DROP

    iptables -I FORWARD -p ! tcp -m iprange --src-range 192.168.1.64-192.168.1.249 -m connlimit --connlimit-above 50 -j DROP
     
  2. ntest7

    ntest7 Network Guru Member

    This needs to be in the nat PREROUTING table.

    iptables -t nat -I PREROUTING -p ...
     
  3. kthaddock

    kthaddock Network Guru Member

    Code:
    #Restrict number of TCP connections per user
    iptables -t nat -I PREROUTING -p tcp --syn -m iprange --src-range 192.168.2.200-192.168.2.250 -m connlimit --connlimit-above 100 -j DROP
     
    #Restrict number of non-TCP connections per user
    iptables -t nat -I PREROUTING -p ! tcp -m iprange --src-range 192.168.2.200-192.168.2.250 -m connlimit --connlimit-above 50 -j DROP
     
    #Restrict number of simultaneous SMTP connections (from mailer viruses)
    iptables -t nat -I PREROUTING -p tcp --dport 25 -m connlimit --connlimit-above 5 -j DROP
     
  4. OnTilt

    OnTilt Serious Server Member

    I saw that in a post and tried that also, but it didn't seem to have any effect either. Possibly, I'm doing it incorrectly. Can I just copy and paste that into the box under Administration-Scripts-Firewall? That is how I tried to do it previously.
     
  5. koitsu

    koitsu Network Guru Member

    Have you tried telnetting to the router and issuing the commands there to ensure there aren't syntax errors, thus shedding light on the errors?
     
  6. kthaddock

    kthaddock Network Guru Member

    Have you adjusted --src-range to fit your network?
    192.168.2.200-192.168.2.250
     
  7. OnTilt

    OnTilt Serious Server Member

    Have not tried telnetting. Guess I will try that next. I did make the appropriate adjustments for my network range.
     
