
Question about number of connections

Discussion in 'Tomato Firmware' started by kendawg, Oct 25, 2006.

  1. kendawg

    kendawg LI Guru Member

    Hi, I have a firewall script that I'm using to try to limit the number of connections for 3 computers on my network. Here's the script:

    modprobe ipt_connlimit
    iptables -A FORWARD -p tcp --syn -s 192.168.1.129 -m connlimit --connlimit-above 100 -j REJECT
    iptables -A FORWARD -p tcp --syn -d 192.168.1.129 -m connlimit --connlimit-above 100 -j REJECT
    iptables -A FORWARD -p tcp --syn -s 192.168.1.105 -m connlimit --connlimit-above 100 -j REJECT
    iptables -A FORWARD -p tcp --syn -d 192.168.1.105 -m connlimit --connlimit-above 100 -j REJECT
    iptables -A FORWARD -p tcp --syn -s 192.168.1.128 -m connlimit --connlimit-above 100 -j REJECT
    iptables -A FORWARD -p tcp --syn -d 192.168.1.128 -m connlimit --connlimit-above 100 -j REJECT


    I think that's a good script, but then when I go look at the QOS screen, I see this:
    [screenshot of the QoS connections page]

    Almost all of those 700 connections are from 1 computer, even though I am trying to limit each of them to 100 connections. What am I doing wrong? Thanks!
     
  2. masterbeto

    masterbeto Network Guru Member

    # limiting 20 connections per IP
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.1-192.168.1.127 -m connlimit --connlimit-above 20 -j DROP
     
  3. kendawg

    kendawg LI Guru Member

    Thanks for the reply, but was that English? You're saying that's how I would limit connections per IP using iptables? I'll give it a try if that's what you mean.
     
  4. kendawg

    kendawg LI Guru Member

    It works, thanks!

    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.127-192.168.1.129 -m connlimit --connlimit-above 95 -j DROP
     
  5. masterbeto

    masterbeto Network Guru Member

    Sure it works, I use it. I lost 2 days finding this rule on the web ; )
     
  6. ESTIMULO

    ESTIMULO Network Guru Member

    Thanks for your help. I have inserted this line to Administration/Scripts/Firewall:
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.100-192.168.2.254 -m connlimit --connlimit-above 95 -j DROP
    but I get more than 500 connections from 192.168.1.140 (a PC with emule).
    Do I need to add something more to make this connection limit work?
    Thanks.

    EDIT: my tomato is Version 0.08.0851
     
  7. kendawg

    kendawg LI Guru Member

    try:
    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.100-192.168.1.254 -m connlimit --connlimit-above 95 -j DROP

    maybe it got confused with the 192.168.2.254 because that's not normally in the dhcp range. did you reboot after adding it?

    that code is working perfectly for me: my room-mate said to me last night "it's weird that i'm only downloading at 2kb/s in utorrent" I almost laughed, but just said "yeah, me too"
     
  8. ESTIMULO

    ESTIMULO Network Guru Member

    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.100-192.168.1.199 -m connlimit --connlimit-above 95 -j DROP
    and no effect after reboot. Do I have to enable any other options in firewall settings?
     
  9. ESTIMULO

    ESTIMULO Network Guru Member

    here are my settings
     


  10. kendawg

    kendawg LI Guru Member

    I have the same exact settings as you.
    How many computers were connected when you took that screenshot of the pie? That looks to me like 3 computers with a max of 95 connections each :)
     
  11. ESTIMULO

    ESTIMULO Network Guru Member

    Yes, there are three computers in my lan, in fact, at this moment I get 584 connections and more than 500 are from the same PC (192.168.1.140).
     
  12. GeeTek

    GeeTek Guest

    Far Out !

    I just spent 5 hours working on this problem. The firewall script does work very well as advertised. I used Kaspersky to monitor the connections and it is absolutely accurate. I changed the script to allow connections of between 3 and 90, and exercised the internet to see what was going on. The Tomato router does not time out connections very quickly, so it actually holds open a lot of connections from the WAN to the internet that are not actually open from LAN to PC. This is why the connection count goes so high. I adjusted a lot of the conntrack timing parameters to lower values, and the Tomato chart response was much quicker and followed the actual count much closer.

    I found an Ubuntu torrent that was real hot and would give me all the BW and connections I wanted almost instantly. It made the testing go very well. As soon as torrent consumed the allowed number of connections (peer count), the browser would no longer open web-pages. It even jammed my Tomato link, and I could not get Tomato screen updates until I killed torrent. Micro-torrent has a great bandwidth speed graph. I adjusted QOS for the "Lowest" category which is where the P2P traffic was, and the bandwidth in torrent levelled off at what I would set QOS to within about 15 seconds.

    One thing that I did not understand was the establishment of a good number of connections from 127.0.0.1 to the website addresses that I would visit in the browser. Yahoo opened the limit of 3 connections from my NIC IP, but also 3 or 4 more from 127.0.0.1 to Yahoo's IP on port 80, which Tomato counted in the total, but did not restrict. This is a curiosity, and also seemed to contribute to the connections total that Tomato reported at higher numbers than the firewall rule was set for, but was not restricting. I am testing on a WHR-G54S W/ Tomater V .9.0865. I would love to see what input anyone may have for optimizing these conntrack timings for a hotel of about 90 concurrent users running a lot of P2P on a T-1.

    Tomato is some hellacious firmware. If somebody has a MOD to the firewall rule to make the connection limit apply only to the higher port range, that would be spectacular ! That way the limit would still allow port 80 traffic to open after limiting the torrent stuff to a reasonable count. Maybe we can get Jon to add a connection limit field to the QOS rule section so we can set limits by QOS categories and by QOS rules. BTW, does anyone need a bunch of Ubuntu pieces ??
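The rules posted in this thread, collected into one Firewall script as an added example (this is not code from the thread's posters or from Tomato). It assumes the filter table's FORWARD chain, and it defaults to a dry run through an `IPT` variable that only prints the commands. Two details the thread keeps running into are spelled out in the comments: connlimit counts existing connections per source address (its default /32 mask), so the `-d` rules in the first post count by the remote host rather than the LAN PC, and the rule only matches TCP `--syn` packets, so connections already established, and all UDP, are never dropped. Inserting with `-I` rather than appending with `-A` places the rule ahead of any ACCEPT already in FORWARD, which is why the later posts' version takes effect. The high-port variant is an added answer to GeeTek's request; the 1024:65535 split is an assumption, not something the thread settled on.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomato: the connection-limit
# rules from this thread collected into one Firewall script. IPT defaults to a
# dry run that prints the commands; set IPT=iptables (and MODPROBE=modprobe)
# on the router to apply them. Assumed: filter table, FORWARD chain.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# connlimit counts the TCP connections conntrack already holds from one source
# address (default mask /32, so per host) and the rule only matches --syn
# packets: a host over the limit has its new connections dropped while the ones
# it already has stay open, and UDP is untouched. -I puts the rule at the top
# of FORWARD, ahead of any ACCEPT already there; an -A rule appended after such
# an ACCEPT never sees the packet.
limit_range() {
    # $1 first address, $2 last address, $3 max TCP connections per host
    $IPT -I FORWARD -p tcp --syn -m iprange --src-range "$1-$2" \
        -m connlimit --connlimit-above "$3" -j DROP
}

# Variant answering GeeTek's request: count and limit only connections to high
# destination ports, so a host that is at its limit on P2P ports can still open
# port 80/443. The 1024:65535 boundary is an assumption, not a thread value.
limit_range_highports() {
    $IPT -I FORWARD -p tcp --syn --dport 1024:65535 -m iprange --src-range "$1-$2" \
        -m connlimit --connlimit-above "$3" -j DROP
}

# Guard against the range in post 6, which ran from 192.168.1.100 to
# 192.168.2.254 and so covered addresses outside the LAN's /24.
same_subnet24() {
    [ "${1%.*}" = "${2%.*}" ]
}

apply_rules() {
    same_subnet24 "$1" "$2" || { echo "range $1-$2 crosses a /24 boundary" >&2; return 1; }
    $MODPROBE ipt_connlimit
    limit_range "$1" "$2" "$3"
}

# Usage as in post 4: apply_rules 192.168.1.127 192.168.1.129 95
```

Run it once with the default dry run to see the exact commands, then with `IPT=iptables MODPROBE=modprobe` in the Administration/Scripts/Firewall box. Because the limit is enforced only on new TCP connections, the count shown on the QoS page can still sit above the limit while a host's established sessions drain.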
     
  13. dankim831

    dankim831 Network Guru Member

    that's a good idea.

    a qos rule option that allows you to limit the amount of connections. i would like to second that request.
     
  14. dankim831

    dankim831 Network Guru Member

    i tried putting

    iptables -I FORWARD -p tcp --syn -m iprange --src-range 192.168.1.150-192.168.1.151 -m connlimit --connlimit-above 200 -j DROP

    in the firewall startup and i still have one person getting 700+ connections.

    does this really work?
     
  15. ESTIMULO

    ESTIMULO Network Guru Member

    I can get it to work with WRT54G script generator!
     
  16. der_Kief

    der_Kief Super Moderator Staff Member Member

    what type of connections ? Is it UDP or TCP traffic ? Because only TCP connections are limited, and only new connections are limited to, in your example, 200. So if there are established connections the amount can go over the configured limit.


    This is from robsonn (script generator) over at hyperwrt
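To see for yourself why the QoS page reports more connections than the rule allows, here is an added example (not from the thread or from Tomato) that tallies conntrack entries per LAN host, split by protocol, in the `/proc/net/ip_conntrack` format of the 2.4 kernel Tomato ships. The sample entries are constructed for the example, using documentation addresses; on the router the same function reads the live table. It shows the point made in the reply above in numbers: the total per host includes UDP and entries still waiting to time out, while a `-p tcp --syn` connlimit rule is compared against TCP entries from that host only.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato: tally conntrack entries per
# LAN host, split by protocol, in the /proc/net/ip_conntrack format of the 2.4
# kernel Tomato ships. On the router: conn_summary < /proc/net/ip_conntrack
# The entries below are constructed for the example (TEST-NET addresses).
SAMPLE_CONNTRACK='
tcp      6 431999 ESTABLISHED src=192.168.1.140 dst=203.0.113.5 sport=51000 dport=4662 src=203.0.113.5 dst=198.51.100.7 sport=4662 dport=51000 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=192.168.1.140 dst=203.0.113.9 sport=51001 dport=4662 src=203.0.113.9 dst=198.51.100.7 sport=4662 dport=51001 [ASSURED] use=1
tcp      6 60 SYN_SENT src=192.168.1.140 dst=203.0.113.10 sport=51002 dport=4662 [UNREPLIED] src=203.0.113.10 dst=198.51.100.7 sport=4662 dport=51002 use=1
udp      17 170 src=192.168.1.140 dst=203.0.113.11 sport=4672 dport=4672 src=203.0.113.11 dst=198.51.100.7 sport=4672 dport=4672 [ASSURED] use=1
udp      17 28 src=192.168.1.140 dst=203.0.113.12 sport=4672 dport=4672 [UNREPLIED] src=203.0.113.12 dst=198.51.100.7 sport=4672 dport=4672 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.105 dst=203.0.113.20 sport=40000 dport=80 src=203.0.113.20 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] use=1
'

# One line per LAN host: "<ip> total=<n> tcp=<n> udp=<n>". The first src= on an
# entry is the original direction, i.e. the LAN host that opened it. A rule
# written "-p tcp --syn ... connlimit" is compared against TCP entries from that
# host only; the total, which also holds UDP and entries still timing out, is
# what climbs past the configured limit.
conn_summary() {
    awk '
        /^[[:space:]]*$/ { next }
        {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { src = substr($i, 5); break }
            if (src == "") next
            total[src]++
            if ($1 == "tcp") tcp[src]++
            else if ($1 == "udp") udp[src]++
        }
        END {
            for (s in total)
                printf "%s total=%d tcp=%d udp=%d\n", s, total[s], tcp[s] + 0, udp[s] + 0
        }' | sort
}

# TCP entries for one host in the sample, e.g. tcp_count_for 192.168.1.140
tcp_count_for() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | conn_summary \
        | awk -v h="$1" '$1 == h { split($3, kv, "="); print kv[2] }'
}

# Hosts whose TCP count is above N, i.e. the ones a connlimit rule with
# --connlimit-above N would be refusing new connections for.
hosts_over_tcp_limit() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | conn_summary \
        | awk -v n="$1" '{ split($3, kv, "="); if (kv[2] + 0 > n + 0) print $1 }'
}
```

On the sample, 192.168.1.140 holds 5 tracked entries but only 3 of them are TCP, so a rule with `--connlimit-above 2` would already be dropping its new SYNs while the QoS page keeps showing 5 and climbing as UDP peers come and go. Lowering the conntrack timeouts, as GeeTek did, shrinks the gap between the two numbers but does not change what the rule enforces.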

     
