
I would like to limit the number of concurrent open TCP streams from the same IP to the server's (local) port. Let's say 4 concurrent connections.

How can this be done with iptables?

The closest thing that I've found was: In Apache, is there a way to limit the number of new connections per second/hour/day?

iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 86400 --hitcount 100 -j REJECT

But this limitation just measures the number of new connections over the time. This might be good for controlling HTTP traffic. But this is not a good solution for me, since my TCP streams usually have a lifetime between 5 minutes and 2 hours.

Thanks a lot in advance for any reply :)

JMW

2 Answers


Just check out connlimit in the iptables man page: http://unixhelp.ed.ac.uk/CGI/man-cgi?iptables+8

# allow 2 telnet connections per client host (the new SYN counts toward the total, so the 3rd is rejected)
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

The advantage over iplimit is that you don't have to install anything. It's gonna run out of the box...

Jimmy
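As an added illustration that is not part of the question or of either answer: a small Python model of what the two matches actually count, replayed over a constructed trace of long-lived streams from one client. The hitcount is set to 5 rather than the question's 100 so the effect shows up in a short trace, and the conntrack simplifications are noted in the comments.

```python
from collections import defaultdict, deque

# Constructed trace (not captured traffic): (time_seconds, event, source_ip).
# "open" is the first SYN of a stream, "close" is that stream ending.
TRACE = [
    (0,   "open",  "198.51.100.7"),
    (10,  "open",  "198.51.100.7"),
    (20,  "open",  "198.51.100.7"),
    (30,  "open",  "198.51.100.7"),
    (300, "close", "198.51.100.7"),  # a 5-minute stream ends
    (310, "close", "198.51.100.7"),
    (400, "open",  "198.51.100.7"),  # only 2 still open: fits a cap of 4
    (410, "open",  "198.51.100.7"),
    (420, "open",  "198.51.100.7"),  # would be the 5th concurrent stream
    (500, "open",  "203.0.113.9"),   # another client, counted separately
]

def connlimit(trace, above):
    """Model of '-m connlimit --connlimit-above N': count streams still open
    from the same source, the new SYN included, and reject when that is > N.
    Simplification: a rejected SYN does not occupy a slot afterwards."""
    live = defaultdict(int)
    verdicts = []
    for t, ev, ip in trace:
        if ev == "close":
            live[ip] -= 1            # conntrack forgets the finished stream
            continue
        if live[ip] + 1 > above:
            verdicts.append((t, ip, "REJECT"))
        else:
            live[ip] += 1
            verdicts.append((t, ip, "ACCEPT"))
    return verdicts

def recent(trace, seconds, hitcount):
    """Model of '-m recent --set' followed by '--update --seconds S --hitcount H':
    reject a SYN once H or more SYNs from that source fall within the last S
    seconds. Closed streams never reduce the count, which is the question's problem."""
    hits = defaultdict(deque)
    verdicts = []
    for t, ev, ip in trace:
        if ev != "open":
            continue                 # 'recent' only sees the NEW packets
        hits[ip].append(t)           # the --set rule records this SYN first
        while hits[ip][0] < t - seconds:
            hits[ip].popleft()       # drop hits outside the --seconds window
        verdicts.append((t, ip, "REJECT" if len(hits[ip]) >= hitcount else "ACCEPT"))
    return verdicts

def rejected_at(verdicts):
    """Times at which a SYN was rejected, for comparing the two models."""
    return [t for t, _ip, v in verdicts if v == "REJECT"]
```

With a cap of 4 the connlimit model rejects only the SYN at t=420, while the recent model (window 86400 s, hitcount 5) already rejects at t=400 when just two streams are open.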

Looks like you can do this with the iplimit iptables extension. Something like this:

iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
Phil Hollenback