LinuxQuestions.org
Old 03-03-2006, 01:30 PM   #1
cmptrguru7
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Rep: Reputation: 0
Iptables command


I am wondering if anyone knows how to limit NAT Connections using iptables or some other command I have not thought of yet.

Basically, if I have 10 users and I am using NAT, I only want each user to be able to make, say, 100 NAT connections, and if they exceed that (say, 101 connections) then their connection is either dropped until they fall below the limit, or stopped until administratively restarted again or for a time limit.

Another way to look at this is: how do I cap how many simultaneous connections a particular user on my network is able to make? Any help would be appreciated.
 
Old 03-03-2006, 01:53 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

Rep: Reputation: 281
Not sure about limiting connections, but I think you can do bandwidth limiting with IPtables. What exactly are you doing? Trying to limit torrents???
 
Old 03-03-2006, 01:57 PM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
There is a patch for netfilter for this called connlimit..

Visit www.netfilter.org and have a look at patch-o-matic.

You will need kernel sources and iptables sources to do this..
 
Old 03-03-2006, 01:58 PM   #4
cmptrguru7
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Original Poster
Rep: Reputation: 0
I am also interested in bandwidth control. By preventing NAT connections I am trying to keep that one user with a virus on their computer from saturating the network and using up all the bandwidth. It could also be used to keep torrent and other p2p connections to a minimum. I have about 700 users and my total bandwidth is a 10MB capped T3 line. I want all traffic to pass through the linux box to serve as a firewall for one, and also as a control mechanism to prevent all the bandwidth from being hogged by one user. I have written a firewall script and I am familiar with some of the TC commands for bandwidth control, but any recommendations on this would be appreciated.
 
Old 03-03-2006, 02:02 PM   #5
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

check the connlimit and connmark match extensions... they've been included in the recent kernels...
it's not specific to NAT connections, but if you use specific source and dest IPs, that shouldn't be too much of a problem.
Also, the following entries set the values used for all connections:
/proc/sys/net/ipv4/ip_conntrack_max
/proc/sys/net/ipv4/netfilter/ip_conntrack_*

In /proc/sys/net/ipv4, you also have lots of settings to strengthen your machine against floods and so on, have a look...

hope this helps !
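A worked example of the connlimit approach suggested in this post, added here as an illustration and not code from the thread. The LAN range (192.168.1.0/24), the WAN interface (eth0), the 100-connection cap and the conntrack table size are assumptions; the script only prints the commands unless APPLY=1 is set. The key point for the NAT question is that connlimit in FORWARD still sees the private source address, because SNAT/MASQUERADE only happens later in POSTROUTING, so the cap is genuinely per inside host. The LOG rule is rate-limited with `-m limit` so that a runaway host cannot flood the disk with log lines.

```shell
#!/bin/sh
# Added example: per-host connection cap for NAT clients using the connlimit match.
# Assumptions (not from the thread): LAN is 192.168.1.0/24, WAN is eth0, and NAT is
# already done by a MASQUERADE/SNAT rule in POSTROUTING.
set -eu

run() {
    # Print commands by default; APPLY=1 executes them (needs root and a kernel
    # with the connlimit match, via patch-o-matic on 2006-era kernels).
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Emit rules that cap new TCP connections per inside host.
# FORWARD runs before POSTROUTING, so connlimit still sees the private (pre-NAT)
# source address and the cap applies per user, not per public IP.
connlimit_rules() {
    lan_net=$1 wan_if=$2 limit=$3
    # Log a sample of offenders; -m limit keeps logging from becoming a disk flood.
    run iptables -A FORWARD -s "$lan_net" -o "$wan_if" -p tcp --syn \
        -m connlimit --connlimit-above "$limit" --connlimit-mask 32 \
        -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-prefix "CONNLIMIT: "
    # Refuse the excess SYNs only; established connections are untouched, so the
    # host recovers by itself once it drops back under the cap.
    run iptables -A FORWARD -s "$lan_net" -o "$wan_if" -p tcp --syn \
        -m connlimit --connlimit-above "$limit" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

# Size the global conntrack table so 700 hosts x 100 connections fit with headroom
# (same knob as /proc/sys/net/ipv4/ip_conntrack_max mentioned in the thread).
conntrack_sysctl() {
    run sysctl -w net.ipv4.ip_conntrack_max=131072
}

connlimit_rules 192.168.1.0/24 eth0 100
conntrack_sysctl
```

Run it once to review the generated commands, then `APPLY=1 sh connlimit.sh` to install them. Because only `--syn` packets are matched, a host over the limit keeps its existing sessions and simply cannot open new ones until some close, which is the "dropped until they fall below the limit" behaviour the original poster asked for.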
 
Old 03-03-2006, 02:12 PM   #6
cmptrguru7
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Original Poster
Rep: Reputation: 0
If I wanted to store connection tracking information in an external database like mysql, what program would you recommend to do so? For example my table may have fields like:

SRC MAC, SRC IP, DEST IP, SRC Port, DEST Port, Protocol, Date/Time
 
Old 03-03-2006, 02:13 PM   #7
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
[edit: that doesn't apply to your last post but to the one before!]

tc is definitely the tool for QoS... I've been using it with HTB qdiscs, and it used to work fine (at some stage I was bored of not being able to use the net because of my flatmate downloading a *lot* with emule).
You can set your filters (to select which packets go in which queue) with iptables, but I believe I read somewhere that the implementation done in tc was more performant.

Last edited by fr_laz; 03-03-2006 at 02:24 PM.
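An added example of the HTB setup this post describes, with iptables doing the classification; it is not the poster's configuration. Assumptions: eth1 faces the LAN, the link is 10 Mbit, 192.168.1.10 is a host to be throttled, and firewall mark 20 is unused. Download traffic is shaped on egress toward the LAN, because a Linux box can only meter what it transmits. As above, the script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: HTB shaping on the LAN-facing interface so no single host can
# saturate the 10 Mbit link. Assumptions (not from the thread): eth1 faces the LAN,
# 192.168.1.10 is the host to throttle, and fwmark 20 is free.
set -eu

run() {
    # Print commands by default; APPLY=1 executes them (needs root).
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Build the HTB tree: one root class at link speed, a default class for ordinary
# users that may borrow the whole link, and a throttled class with a hard ceiling.
htb_setup() {
    dev=$1 link_rate=$2
    run tc qdisc add dev "$dev" root handle 1: htb default 10
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$link_rate" ceil "$link_rate"
    # Default class (unmarked traffic): 8 Mbit guaranteed, may borrow up to the link.
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate 8mbit ceil "$link_rate"
    # Throttled class: 1 Mbit guaranteed, never more than 2 Mbit.
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate 1mbit ceil 2mbit
    # Steer packets carrying fwmark 20 into the throttled class.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 handle 20 fw flowid 1:20
}

# Classification in iptables (mangle/FORWARD), as the post suggests. In FORWARD the
# reply has already been un-NATed by conntrack, so -d matches the private address,
# and the mark travels with the skb to the tc fw filter on egress.
throttle_host() {
    dev=$1 host=$2
    run iptables -t mangle -A FORWARD -o "$dev" -d "$host" -j MARK --set-mark 20
}

htb_setup eth1 10mbit
throttle_host eth1 192.168.1.10
```

The fw filter is what ties the two tools together: iptables decides which host is "heavy" (here a static address, but the same MARK rule could follow a connlimit or connmark match), and tc only has to look at the mark. For a pure-tc alternative, a u32 filter on the destination address replaces the MARK rule.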
 
Old 03-03-2006, 02:20 PM   #8
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
I don't know any soft doing that...
You can get this info by logging in iptables, but I'd be concerned about performance when doing that. Accessing the disk is really slow compared to networking, so I think you'd end up dropping lots of packets...
Maybe parsing /proc/net/ip_conntrack may be a better way to do that. You don't have the MAC info though...
Do you plan to have IDS on that machine? If yes, then Snort can log to a database... on Snort's website ( http://www.snort.org/docs/snort_htma...anual_2.4/rc1/ ), they explain all the different ways to keep track of the info (writing to file, snmp, database...) and their pros and cons.
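An added example of the /proc/net/ip_conntrack parsing mentioned in this post, not code from the thread. The conntrack and ARP lines below are constructed samples in the 2.6-era formats, not real captures. It counts entries per original (pre-NAT) source, optionally for one protocol, reports hosts above a threshold, and fills in the MAC that /proc/net/ip_conntrack lacks by joining against /proc/net/arp, which is where the kernel keeps the IP-to-MAC mapping for hosts on the LAN. On a live box you would replace `sample_conntrack` with `cat /proc/net/ip_conntrack` and pass `/proc/net/arp` to `annotate_mac`.

```shell
#!/bin/sh
# Added example: per-source connection counts from /proc/net/ip_conntrack,
# with MAC addresses joined in from /proc/net/arp. All sample data is constructed.
set -eu

# Constructed stand-in for /proc/net/ip_conntrack. The first src= on each line is
# the original (inside) source; the second tuple is the reply direction, whose
# dst= shows the public address after NAT.
sample_conntrack() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40001 dport=80 packets=12 bytes=2200 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40001 packets=9 bytes=5400 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.6 sport=40002 dport=443 packets=30 bytes=4100 src=203.0.113.6 dst=198.51.100.1 sport=443 dport=40002 packets=28 bytes=39000 [ASSURED] mark=0 use=1
tcp      6 30 SYN_SENT src=192.168.1.10 dst=203.0.113.7 sport=40003 dport=6881 packets=1 bytes=60 [UNREPLIED] src=203.0.113.7 dst=198.51.100.1 sport=6881 dport=40003 packets=0 bytes=0 mark=0 use=1
udp      17 25 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 packets=1 bytes=70 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 packets=1 bytes=120 mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=51000 dport=80 packets=5 bytes=900 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=51000 packets=4 bytes=2100 [ASSURED] mark=0 use=1
EOF
}

# Constructed stand-in for /proc/net/arp (header line plus one entry per LAN host).
sample_arp() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth1
192.168.1.11     0x1         0x2         00:11:22:33:44:66     *        eth1
EOF
}

# count_per_source [proto]: read conntrack lines on stdin, print "ip count",
# busiest first. With a protocol argument (tcp/udp) only those entries count.
count_per_source() {
    awk -v p="${1:-}" '
        p != "" && $1 != p { next }
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# over_limit LIMIT [proto]: sources with more entries than LIMIT.
over_limit() {
    count_per_source "${2:-}" | awk -v lim="$1" '$2 > lim'
}

# annotate_mac ARPFILE: stdin is "ip count"; appends the MAC from ARPFILE or "-".
annotate_mac() {
    awk 'NR == FNR { if (FNR > 1) mac[$1] = $4; next }
         { print $1, $2, ($1 in mac ? mac[$1] : "-") }' "$1" -
}

# Stand-alone run over the constructed data.
arp_tmp=$(mktemp)
sample_arp > "$arp_tmp"
sample_conntrack | count_per_source | annotate_mac "$arp_tmp"
echo "--- over 3 connections:"
sample_conntrack | over_limit 3
rm -f "$arp_tmp"
```

Reading /proc/net/ip_conntrack is a snapshot, so a cron or loop that runs this every few seconds and inserts the output into the database gives the per-user view the original poster wanted without a LOG rule on every packet. Note that 192.168.1.10 has three TCP entries but four in total; whether UDP and half-open SYN_SENT entries should count toward a cap is a policy choice, which is why the protocol filter is there.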
 
Old 03-04-2006, 01:32 AM   #9
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
For logging options, use the -j ULOG target rather than just -j LOG

Then install the ulogd package.

man iptables & man ulogd for more info..
 
Old 03-06-2006, 10:08 AM   #10
cmptrguru7
LQ Newbie
 
Registered: Mar 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks for all the help I will take a look and see what I can come up with.
 