
Syntax for script to limit the number of max connections per user

Discussion in 'Tomato Firmware' started by fefrie, Mar 19, 2014.

fefrie (Serious Server Member)

    I'm hoping that someone can check my code to see if it is right.

    What I want is to limit TCP and UDP max connections PER USER. I have users in a network, and have assigned them all IP addresses within the range to

    The max number of connections my router is set for is 2048, but realistically, it can handle only 1500 before performance starts slowing down.

    I want to limit the max number of connections for any one (of about 20) devices to only 500 TCP and 500 UDP connections.

    With about 20 devices, there is a theoretical max of 20k connections should everybody decide to download all of the most popular torrents at once, but it's usually just one person who cranks it at any given time and it happens rarely.

    And analyzing torrenting data, it seems like the ratio of TCP to UDP connections is about 1:10, which makes sense since 1 'ACK' TCP is only required for 10 'INFO' UDP packets.

    500 TCP connections may sound like a bit much and overkill, but I'm guessing that the bottleneck would be more caused by excessive UDP connections (although for torrenting, UDP connections being created from the internet sent to my router may be something I cannot control.)

    I'm hoping that the below syntax will create a rule that each user within the specified range will be allowed 500 TCP and 500 UDP connections for EACH IP address, and not be the total max for all within the range.

    The only other thing that I do not understand is the 'prerouting' and 'input' syntax. What does that mean? Is that something like to and from the internet?

    #Limit TCP connections per user
    # RANGE stands in for the LAN address range left out of the post above (constructed placeholder, not the poster's value)
    RANGE="192.168.1.100-192.168.1.120"
    # FORWARD is the filter-table chain for traffic the router relays (LAN <-> Internet);
    # PREROUTING exists only in the nat/mangle/raw tables, so "iptables -I PREROUTING" fails here.
    # --connlimit-mask 32 counts connections per single source address, i.e. per device, not per range.
    iptables -I FORWARD -p tcp --syn -m iprange --src-range $RANGE -m connlimit --connlimit-above 500 --connlimit-mask 32 -j DROP
    iptables -I INPUT -p tcp --syn -m iprange --src-range $RANGE -m connlimit --connlimit-above 500 --connlimit-mask 32 -j DROP
    #Limit all *other* connections per user including UDP
    iptables -I FORWARD -m iprange --src-range $RANGE -p ! tcp -m connlimit --connlimit-above 500 --connlimit-mask 32 -j DROP
    iptables -I INPUT -m iprange --src-range $RANGE -p ! tcp -m connlimit --connlimit-above 500 --connlimit-mask 32 -j DROP
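The following is an added example, not the poster's script and not Tomato's own code, of how the per-device limit above can be written as a Tomato "Firewall" script and then checked. On the chain question in the post: in the filter table, INPUT sees packets addressed to the router itself (DNS, DHCP, the web UI), FORWARD sees packets the router relays between the LAN and the internet, and PREROUTING exists only in the nat, mangle and raw tables, so per-client limits for internet traffic belong in FORWARD. The address range `LAN_RANGE` is a constructed placeholder (the post omits the real range); the limits are the post's 500/500. The `count_by_src` helper reads `/proc/net/ip_conntrack` lines and reports connections per device and protocol, which is how you would confirm which client is approaching the limit; the sample conntrack lines are constructed for a dry run.

```shell
#!/bin/sh
# Added example for Tomato's Administration > Scripts > Firewall box.
# Assumptions, not from the post: LAN_RANGE is a constructed placeholder
# for the omitted address range; the limits are the post's 500/500.
LAN_RANGE="192.168.1.100-192.168.1.120"   # constructed placeholder, adjust to your LAN
TCP_LIMIT=500
OTHER_LIMIT=500

# build_rule CHAIN "PROTO ARGS" LIMIT
# Prints one rule specification (chain first) without the "iptables" command,
# so the rules can be inspected before they are installed.
# --connlimit-mask 32 counts per single source address (the default), i.e.
# per device rather than for the whole range.
build_rule() {
    chain=$1; proto=$2; limit=$3
    printf '%s %s -m iprange --src-range %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j DROP\n' \
        "$chain" "$proto" "$LAN_RANGE" "$limit"
}

# limit_rules: all four rule specs, one per line. FORWARD covers LAN <-> Internet
# traffic, INPUT covers traffic to the router itself; PREROUTING is not in the
# filter table. "! -p tcp" is the current negation syntax (old iptables: "-p ! tcp").
limit_rules() {
    build_rule FORWARD "-p tcp --syn" "$TCP_LIMIT"
    build_rule INPUT   "-p tcp --syn" "$TCP_LIMIT"
    build_rule FORWARD "! -p tcp"     "$OTHER_LIMIT"
    build_rule INPUT   "! -p tcp"     "$OTHER_LIMIT"
}

# apply_rules: insert each rule at the top of its chain (needs root and xt_connlimit).
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    limit_rules | while read -r spec; do
        # word splitting of $spec into separate arguments is intended here
        iptables -I $spec || echo "failed to insert: $spec" >&2
    done
}

# count_by_src: read /proc/net/ip_conntrack lines on stdin and print
# "proto address count" per LAN source, to see who is near the limit.
# Only the first src= token on each line (the original direction) is counted.
count_by_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[$1 " " substr($i, 5)]++; break } }
         END { for (k in n) print k, n[k] }' | sort
}

# sample_conntrack: constructed conntrack lines in the 2.6-kernel format, for a dry run.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.100 dst=203.0.113.10 sport=51000 dport=443 src=203.0.113.10 dst=192.0.2.1 sport=443 dport=51000 [ASSURED] use=1
udp      17 29 src=192.168.1.101 dst=203.0.113.20 sport=6881 dport=6881 src=203.0.113.20 dst=192.0.2.1 sport=6881 dport=6881 use=1
udp      17 29 src=192.168.1.101 dst=203.0.113.21 sport=6881 dport=6881 src=203.0.113.21 dst=192.0.2.1 sport=6881 dport=6881 use=1
udp      17 29 src=192.168.1.101 dst=203.0.113.22 sport=6881 dport=6881 src=203.0.113.22 dst=192.0.2.1 sport=6881 dport=6881 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.101 dst=203.0.113.23 sport=51001 dport=6881 src=203.0.113.23 dst=192.0.2.1 sport=6881 dport=51001 [ASSURED] use=1
EOF
}

# Dry run: print the rules, then the per-device counts from the sample.
limit_rules
sample_conntrack | count_by_src
# On the router: apply_rules ; count_by_src < /proc/net/ip_conntrack
```

Run it once off the router to see the four rule specifications and the per-device counts it derives from the sample (192.168.1.101 shows 3 UDP and 1 TCP entry); on the router, `apply_rules` installs the rules and `count_by_src < /proc/net/ip_conntrack` shows the live counts, which is the quickest way to check whether the 1:10 TCP:UDP ratio and the 500 ceilings match what clients actually open.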
