Hello all,

I have been trying to find a solution to a problem for hours, to no avail. I am running Tomato on my router but this is more of an iptables question.

I've added the following line to Scripts/Firewall:

    iptables -I wanin -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset

This is set up to allow users on my MUD to telnet in with two simultaneous connections. It will block a third (and all subsequent) connection attempts, effectively limiting multiplaying.

HOWEVER, as connlimit will count up, it doesn't seem to subtract. So if a user connects twice, then disconnects one connection (leaving the other connection active), they are unable to make new connections until ALL connections have been terminated. It's like connlimit just keeps a "total" count and not an "active" count. Perhaps this is the intended behavior.

Is there any clever iptables trickery that can be done to get around this? I looked into using --tcp-flags but have been unable to come up with anything. I was hoping there would be a way to use a FIN or RST flag and lower the current connection count.

In effect, I'm looking for this:

1) On new p23 connection (no priors) -> ACCEPT
2) On new p23 connection (1 prior) -> ACCEPT
3) On new p23 connection (2 priors) -> REJECT
   |-> If one existing connection is dropped, go back to 2
   |-> If both existing connections are dropped, go back to 1 (this is currently how that part works anyway)

Is there a way to accomplish this?
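
A diagnostic for the "total" versus "active" question above, added here as an example and not part of the original post: it tallies tracked TCP entries to port 23 per source address and TCP state, so entries that remain tracked after a disconnect become visible. It assumes connlimit's count follows the connection-tracking table; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Sample lines are constructed
# in the /proc/net/ip_conntrack layout; addresses are documentation ranges.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=203.0.113.7 dst=198.51.100.2 sport=40001 dport=23 src=198.51.100.2 dst=203.0.113.7 sport=23 dport=40001 [ASSURED] use=1
tcp      6 52 CLOSE_WAIT src=203.0.113.7 dst=198.51.100.2 sport=40002 dport=23 src=198.51.100.2 dst=203.0.113.7 sport=23 dport=40002 [ASSURED] use=1
tcp      6 431000 ESTABLISHED src=203.0.113.9 dst=198.51.100.2 sport=51000 dport=23 src=198.51.100.2 dst=203.0.113.9 sport=23 dport=51000 [ASSURED] use=1
tcp      6 100 TIME_WAIT src=203.0.113.9 dst=198.51.100.2 sport=51001 dport=80 src=198.51.100.2 dst=203.0.113.9 sport=80 dport=51001 [ASSURED] use=1
udp      17 20 src=203.0.113.7 dst=198.51.100.2 sport=5353 dport=23 src=198.51.100.2 dst=203.0.113.7 sport=23 dport=5353 use=1
EOF
}

# count_states [PORT] < conntrack-table
# Prints "<source> <tcp-state> <entries>" for tracked TCP flows to PORT.
count_states() {
    awk -v port="${1:-23}" '
    {
        src = ""; dport = ""; state = ""; istcp = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "tcp") istcp = 1
            # First src=/dport= pair is the original direction; the token
            # just before the first src= is the TCP state.
            if (src == "" && $i ~ /^src=/) { src = substr($i, 5); state = $(i - 1) }
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (istcp && dport == port) count[src " " state]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# active_vs_lingering SOURCE [PORT] < conntrack-table
# Prints "<established> <other-states>" for one source address.
active_vs_lingering() {
    count_states "${2:-23}" | awk -v ip="$1" '
        $1 == ip { if ($2 == "ESTABLISHED") est += $3; else other += $3 }
        END { print est + 0, other + 0 }'
}

# On the router, read the live table instead (path is an assumption:
# /proc/net/ip_conntrack on older kernels, /proc/net/nf_conntrack on newer).
sample_conntrack | count_states 23
sample_conntrack | active_vs_lingering 203.0.113.7 23
```

Running it right after one of two sessions is closed shows whether that session's entry is still tracked in a non-ESTABLISHED state for the same source.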