I would like to limit the number of concurrent open TCP streams from the same IP to the server's (local) port. Let's say 4 concurrent connections.
How can this be done with iptables?
The closest thing that I've found was: In Apache, is there a way to limit the number of new connections per second/hour/day?
iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 86400 --hitcount 100 -j REJECT
But this limitation just measures the number of new connections over time. This might be good for controlling HTTP traffic. But this is not a good solution for me, since my TCP streams usually have a lifetime between 5 minutes and 2 hours.
Thanks a lot in advance for any reply :)
Just check out connlimit in the iptables man page: http://unixhelp.ed.ac.uk/CGI/man-cgi?iptables+8
The advantage over iplimit is that you don't have to install anything. It's gonna run out of the box...
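A worked connlimit rule for the situation in the question, as an added example that is not part of either answer. The helper names (connlimit_rules, has_connlimit_rule) and the sample `iptables -S` output are constructed for illustration; the function only prints the rule, so you can review it before piping it into sh as root.

```shell
#!/bin/sh
# Emit an iptables rule that caps concurrent TCP connections per source IP
# using the connlimit match, which counts live conntrack entries rather than
# new connections per time window (the difference from the -m recent rules).
# Hypothetical helper written for this thread, not from the answers above.
# Usage: connlimit_rules <port> <max-per-ip> [iface]
connlimit_rules() {
    port=$1; limit=$2; iface=${3:-eth0}
    # --syn: only connection attempts are evaluated, so streams that are
    # already established (5 min to 2 h sessions) are never cut off.
    # --connlimit-mask 32: count per single IPv4 address; 24 would count
    # per /24 network instead.
    # REJECT with tcp-reset gives the client an immediate error instead of
    # a silently dropped SYN that it retries for a minute or more.
    printf 'iptables -A INPUT -i %s -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' \
        "$iface" "$port" "$limit"
}

# Check whether a saved ruleset (text of `iptables -S INPUT`) already carries
# a connlimit rule for the port: returns 0 if present, 1 otherwise.
has_connlimit_rule() {
    port=$1; rules=$2
    printf '%s\n' "$rules" | grep -q -- "--dport $port .*-m connlimit"
}

# Constructed sample of `iptables -S INPUT` output (iptables renders --syn
# as --tcp-flags FIN,SYN,RST,ACK SYN), used to exercise the check offline.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 4 --connlimit-mask 32 -j REJECT --reject-with tcp-reset'

# Print the rule for port 80, 4 connections per IP, and verify the sample.
connlimit_rules 80 4
if has_connlimit_rule 80 "$SAMPLE_RULES"; then
    echo "port 80: connlimit rule present"
fi
```

Apply with `connlimit_rules 80 4 | sudo sh`, and confirm afterwards with `iptables -S INPUT`; connlimit is evaluated per packet, so an IP that drops below the limit is admitted again without any timeout.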
Looks like you can do this with the iplimit iptables extension. Something like this: