I am wondering if anyone knows how to limit NAT Connections using iptables or some other command I have not thought of yet.
Basically, if I have 10 users and I am using NAT, I only want each user to be able to make, say, 100 NAT connections, and if they exceed that (say they have 101 connections), then their connection is either dropped until they fall below the limit, or their connection is stopped until administratively restarted again or for a time limit.
Another way to look at this is: how do I cap how many simultaneous connections a particular user on my network is able to make? Any help would be appreciated.
I am also interested in bandwidth control. By preventing NAT connections I am trying to keep that one user with a virus on their computer from saturating the network and using up all the bandwidth. It could also be used to keep torrent and other p2p connections to a minimum. I have about 700 users and my total bandwidth is a 10MB capped T3 line. I want all traffic to pass through the Linux box to serve as a firewall for one, and also as a control mechanism to prevent all the bandwidth from being hogged by one user. I have written a firewall script and I am familiar with some of the tc commands for bandwidth control, but any recommendations on this would be appreciated.
Check the connlimit and connmark match extensions... they've been included in the recent kernels...
It's not specific to NAT connections, but if you use specific source and dest IPs, that shouldn't be too much of a problem.
Also, the following entries set the values used for all connections:
/proc/sys/net/ipv4/ip_conntrack_max
/proc/sys/net/ipv4/netfilter/ip_conntrack_*
In /proc/sys/net/ipv4, you also have lots of settings to strengthen your machine against floods and so on, have a look...
If I wanted to store connection tracking information in an external database like MySQL, what program would you recommend to do so? For example, my table may have fields like:
SRC MAC, SRC IP, DEST IP, SRC Port, DEST Port, Protocol, Date/Time
[edit: that doesn't apply to your last post but to the one before!]
tc is definitely the tool for QoS... I've been using it with HTB qdiscs, and it used to work fine (at some stage I was bored of not being able to use the net because of my flatmate downloading a *lot* with eMule).
You can set your filters (to select which packets go in which queue) with iptables, but I believe I read somewhere that the implementation done in tc was more performant.
I don't know any soft doing that...
You can get this info by logging in iptables, but I'd be concerned about performance when doing that. Accessing the disk is really slow compared to networking, so I think you'd end up dropping lots of packets...
Maybe parsing /proc/net/ip_conntrack may be a better way to do that. You don't have the MAC info though...
Do you plan to have an IDS on that machine? If yes, then Snort can log to a database... on Snort's website ( http://www.snort.org/docs/snort_htma...anual_2.4/rc1/ ), they explain all the different ways to keep track of the info (writing to file, SNMP, database...) and their pros and cons.
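Added example, not from any poster in this thread: a small Python parser for the /proc/net/ip_conntrack format suggested above. It counts tracked connections per internal (pre-NAT) source address, which is the same per-source count the connlimit match enforces, and flags hosts over a cap. The conntrack lines, the 192.168.1.x clients and the 198.51.100.1 NAT address are constructed sample data.

```python
import re
from collections import Counter

# Constructed /proc/net/ip_conntrack lines in the 2.6-era format (not captured
# from a real host). The first src=/dst= pair is the original direction, i.e.
# the internal client's address before NAT rewrote it to 198.51.100.1.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=80 packets=5 bytes=300 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=51234 packets=4 bytes=1200 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.10 dst=203.0.113.6 sport=51235 dport=443 packets=1 bytes=60 [UNREPLIED] src=203.0.113.6 dst=198.51.100.1 sport=443 dport=51235 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=51236 dport=6881 packets=9 bytes=800 src=203.0.113.7 dst=198.51.100.1 sport=6881 dport=51236 packets=8 bytes=9000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=203.0.113.53 sport=40000 dport=53 packets=1 bytes=70 src=203.0.113.53 dst=198.51.100.1 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
icmp     1 29 src=192.168.1.20 dst=203.0.113.8 type=8 code=0 id=512 packets=1 bytes=84 src=203.0.113.8 dst=198.51.100.1 type=0 code=0 id=512 packets=1 bytes=84 mark=0 use=1
"""

# Protocol name, protocol number, timeout, optional TCP state, then the
# original-direction tuple. Ports are optional so ICMP entries parse too.
ENTRY_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)(?: sport=(?P<sport>\d+) dport=(?P<dport>\d+))?"
)

def parse_conntrack(text):
    """Return one dict per entry describing the original (pre-NAT) direction."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:  # skip lines we do not understand rather than miscount them
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"]) if e["dport"] else None
        e["unreplied"] = "[UNREPLIED]" in line  # half-open, no reply seen yet
        entries.append(e)
    return entries

def connections_per_source(text):
    """Count tracked connections by internal source address."""
    return Counter(e["src"] for e in parse_conntrack(text))

def over_limit(text, limit):
    """Internal hosts holding more tracked connections than the cap."""
    return sorted(ip for ip, n in connections_per_source(text).items() if n > limit)

if __name__ == "__main__":
    # On a live router, read open("/proc/net/ip_conntrack").read() instead.
    print(connections_per_source(SAMPLE_CONNTRACK).most_common())
    print("over cap of 2:", over_limit(SAMPLE_CONNTRACK, 2))
```

Running this from cron against the real file gives a cheap per-user connection census without iptables logging; a host that keeps exceeding the cap is a candidate for a connlimit rule or a tc class of its own.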