
TomatoUSB iptables connlimit module

Discussion in 'Tomato Firmware' started by alfag4, Sep 3, 2013.

  1. alfag4

    alfag4 Reformed Router Member

    Hi,
    I would like to limit the max number of incoming TCP connections on port 9001.
    I tried this rule without success:
    iptables -A INPUT -p tcp --destination-port 9001 -m state --state NEW -m connlimit --connlimit-above 100 -j DROP

    the router is a RT-N66U with TomatoUsb shibby v. 112

    Thanks
     
  2. koitsu

    koitsu Network Guru Member

    Important: these would impact the number of inbound connections to your WAN IP, destined to TCP port 9001 on the WAN. Just want to make that clear; any kind of LAN testing you're doing to confirm this won't work, you'd need to test from Internet->your router's WAN IP. Also this will only affect new inbound TCP connections (hence the need for the --syn flag), because you don't want this to affect all TCP traffic, just new inbound connections:

    iptables -A INPUT -p tcp --syn --dport 9001 -m connlimit --connlimit-above 100 -j DROP

    This rule would limit the number of TCP connections per IP address to 100. I.e. visitor 4.5.6.7 would be allowed up to 100 simultaneous connections, while at the same time visitor 8.3.3.1 would also be allowed up to 100 simultaneous connections.

    If you want a "hard limit" for all IPs on the entire Internet, then the rule becomes:

    iptables -A INPUT -p tcp --syn --dport 9001 -m connlimit --connlimit-above 100 --connlimit-mask 0 -j DROP

    Also just dropping the packet in this case may cause problems on the remote end (of those visitors), as their TCP stacks will get no response from your router, and may cause retransmissions to happen. If you were to replace -j DROP with -j REJECT --reject-with tcp-reset then your router would send back a TCP RST to the visitor (once they've exceeded the limit) and their TCP stack would be able to make the decision to either retry or stop trying. It all depends on what you want to do; DROP is fine in some cases, but cleanly sending back TCP RST is ideal in others.

    Finally, if the port number you're talking about (9001) is actually something you're port forwarding in the Port Forward area, then these rules may not work due to rule ordering issues. The problem can be solved, but it's tricky. And if the port forwarding entry contains a different internal than external port number, it becomes even *more* tricky. So I'm hoping this is a daemon running on your router itself which listens on TCP port 9001. :)

    Good luck. I cannot help past this point.
     
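    The following is an added example, not code from koitsu's reply or from the Tomato project: a small script in the shape of a Tomato "Firewall" script that builds the connlimit policy described above (per-source limit, or one global limit with --connlimit-mask 0, and REJECT with a TCP RST instead of a silent DROP) behind a dedicated chain, and that can be dry-run without root or iptables by setting DRY_RUN=1 so the generated commands are printed instead of applied. It goes one step past the reply on the port-forwarding caveat: a service that is DNAT'd to a LAN host is not seen by INPUT at all but by FORWARD, so the "forwarded" scope hooks the chain there instead. The port 9001, the limit 100, the LAN address 10.0.1.1, the chain name and the WAN_IF variable are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): build a connlimit policy
# for new inbound TCP connections to a port, either for a daemon on the router
# (INPUT) or for a service port-forwarded to a LAN host (FORWARD).
# Assumed values: PORT 9001, LIMIT 100, LAN_HOST 10.0.1.1, chain CONNLIMIT_9001.
# DRY_RUN=1 prints the iptables commands instead of running them.

PORT="${PORT:-9001}"
LIMIT="${LIMIT:-100}"
LAN_HOST="${LAN_HOST:-10.0.1.1}"
CHAIN="${CHAIN:-CONNLIMIT_${PORT}}"
WAN_IF="${WAN_IF:-}"      # e.g. the WAN interface name; empty = match any interface

# Run an iptables command, or only echo it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Optional "-i WAN" restriction so that LAN-side connections are not counted.
wan_match() {
    [ -n "$WAN_IF" ] && echo "-i $WAN_IF"
    return 0
}

# Matcher for "new inbound TCP connection to PORT" (SYN only).
# mask empty: one limit per source address (connlimit default).
# mask 0:     one limit shared by every remote address (--connlimit-mask 0).
connlimit_match() {
    mask="$1"
    if [ -n "$mask" ]; then
        echo "-p tcp --syn --dport $PORT -m connlimit --connlimit-above $LIMIT --connlimit-mask $mask"
    else
        echo "-p tcp --syn --dport $PORT -m connlimit --connlimit-above $LIMIT"
    fi
}

# Create the policy chain (rate-limited log line, then a TCP RST so the remote
# stack can stop retrying) and hook it in front of the existing rules.
#   scope: "local"     = daemon listening on the router itself (INPUT)
#          "forwarded" = port forwarded to LAN_HOST, same port (FORWARD)
#   mask:  "" (per source IP) or 0 (global limit)
build_chain() {
    scope="$1"
    mask="$2"
    ipt -N "$CHAIN"
    ipt -F "$CHAIN"
    ipt -A "$CHAIN" -m limit --limit 6/min -j LOG --log-prefix "CONNLIMIT_${PORT}: " --log-level 4
    ipt -A "$CHAIN" -j REJECT --reject-with tcp-reset
    # -I ... 1 rather than -A: the limit must be evaluated before the accept
    # rules Tomato already has in the chain, otherwise it never matches.
    if [ "$scope" = "forwarded" ]; then
        ipt -I FORWARD 1 $(wan_match) -d "$LAN_HOST" $(connlimit_match "$mask") -j "$CHAIN"
    else
        ipt -I INPUT 1 $(wan_match) $(connlimit_match "$mask") -j "$CHAIN"
    fi
}

# Usage:  sh connlimit.sh apply local       (per-source limit, daemon on router)
#         sh connlimit.sh apply forwarded 0 (global limit, port-forwarded service)
if [ "${1:-}" = "apply" ]; then
    build_chain "${2:-local}" "${3:-}"
fi
```

Run it once with DRY_RUN=1 first and compare the printed lines with what the firmware's iptables actually accepts; the per-source variant uses only --connlimit-above, which is the safer choice if the build rejects --connlimit-mask.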
  3. alfag4

    alfag4 Reformed Router Member

    If I try your rule:
    iptables -A INPUT -p tcp --syn --dport 9001 -m connlimit --connlimit-above 100 --connlimit-mask 0 -j DROP

    iptables returns:
    iptables v1.3.8: --connlimit-above and/or --connlimit-mask may only be given once
    Try `iptables -h' or 'iptables --help' for more information.

    I would run a Tor relay daemon on the router (10.0.1.1) and limit the maximum inbound/outbound connections on port 9001 to 100 (for now only inbound).
    Actually I have port forwarded port 9001 to 10.0.1.1:9001, and probably this is the cause of my rule not working.
    I also tried creating a custom chain (TOR) and added it to the INPUT chain. In the TOR chain I inserted this rule: iptables -A TOR -p tcp --syn -j LOG --log-prefix "*** LOG ***" --log-level 4
    and it works well, but the connlimit rules do not.
     
  4. koitsu

    koitsu Network Guru Member

    Something is very broken with the connlimit module then. That syntax is completely 100% correct and permitted (meaning you are supposed to be able to use both --connlimit-above and --connlimit-mask together).

    Validation:

    http://www.netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-connlimit

    I'm willing to bet the connlimit patch in Tomato is extremely outdated. I can see that the wl500g guys, for example, have their own version of it too:

    http://code.google.com/p/wl500g/source/browse/trunk/iptables-2.6/105-connlimit.patch?r=4389

    I can't do anything to fix this. Someone more familiar with the connlimit patches in Tomato's iptables/netfilter base will need to look into this.
     