iptables trick to limit number of connections on a router

 
 
Eric Tao
08-19-2010, 08:35 AM
Hello,

I guess this problem would be tricky as I googled and found no good
solution.

On a router box with two interface eth0 and eth1, eth0 connects with the
internet and eth1 connects with the intranet. Intranet users surf the
internet thru the box, which is acting as a gateway.

The problem is some intranet users are using P2P software that consumes
lots of bandwidth. One way of lowering P2P traffic is to limit the number
of connections made from an intranet user to its peers.

My question is:
Is it possible to use iptables to accomplish this on the router box?

The iptables rules should count the number of connections made by a
certain intranet IP to an internet ip, if for a specific intranet ip the
number of its internet peers exceeds a certain value, no more new
connections from that intranet user are allowed.

I am looking into the recent match to see if it fits this scenario.
Look forward to seeing your opinions.

Thanks,
-Eric
 
Pascal Hambourg
08-19-2010, 08:56 AM
Hello,

Eric Tao wrote:
>
> The problem is some intranet users are using P2P software that consumes
> lots of bandwidth. One way of lowering P2P traffic is to limit the number
> of connections made from an intranet user to its peers.
>
> My question is:
> Is it possible to use iptables to accomplish this on the router box?
>
> The iptables rules should count the number of connections made by a
> certain intranet IP to an internet ip, if for a specific intranet ip the
> number of its internet peers exceeds a certain value, no more new
> connections from that intranet user are allowed.


Check the "connlimit" match.
Another approach could be to use traffic control, e.g. fair queuing to
allocate bandwidth evenly among hosts.

> I am looking into the recent match to see if it's fit this scenario.


No. It counts packets, not active concurrent connections. Non-concurrent,
consecutive connections would count as many connections.
 
 
Eric Tao
08-19-2010, 02:13 PM
Pascal Hambourg wrote:
> Hello,
>
> Eric Tao wrote:
>> The problem is some intranet users are using P2P software that consumes
>> lots of bandwidth. One way of lowering P2P traffic is to limit the number
>> of connections made from an intranet user to its peers.
>>
>> My question is:
>> Is it possible to use iptables to accomplish this on the router box?
>>
>> The iptables rules should count the number of connections made by a
>> certain intranet IP to an internet ip, if for a specific intranet ip the
>> number of its internet peers exceeds a certain value, no more new
>> connections from that intranet user are allowed.

>
> Check the "connlimit" match.
> Another approach could be to use traffic control, e.g. fair queuing to
> allocate bandwidth evenly among hosts.


connlimit doesn't fit the scenario at all in that it matches only
incoming connections to the server, not forwarded ones.

>
>> I am looking into the recent match to see if it's fit this scenario.

>
> No. It counts packets, not active concurrent connections. Non concurrent
> consecutive connections would count as many connections.


tc relies on the p2p match plugin. ipp2p is quite old and will miss quite a
lot of p2p packets in my experience. I haven't tried layer7, but
pattern matching should be processor intensive. Limiting the number of
peers would be a good alternative way to lower p2p traffic.

Thanks for the reply. More comments are welcome.
 
 
D. Stussy
08-19-2010, 08:22 PM
"Eric Tao" wrote in message news:i4iqde$h2h$(E-Mail Removed)...
> I guess this problem would be tricky as I googled and found no good
> solution.
>
> On a router box with two interface eth0 and eth1, eth0 connects with the
> internet and eth1 connects with the intranet. Intranet users surf the
> internet thru the box, which is acting as a gateway.
>
> The problem is some intranet users are using P2P software that consumes
> lots of bandwidth. One way of lowering P2P traffic is to limit the number
> of connections made from an intranet user to its peers.
>
> My question is:
> Is it possible to use iptables to accomplish this on the router box?
>
> The iptables rules should count the number of connections made by a
> certain intranet IP to an internet ip, if for a specific intranet ip the
> number of its internet peers exceeds a certain value, no more new
> connections from that intranet user are allowed.
>
> I am looking into the recent match to see if it's fit this scenario.
> Look forward to seeing your opinions.


Consider looking at traffic control instead, especially bandwidth limits.
Grant everything else as a priority, and allow the P2P sessions to use only
that bandwidth which is unused, with a low percentage as a minimum flow to
keep the P2P sessions alive (i.e. <10%).


 
 
Pascal Hambourg
08-19-2010, 08:38 PM
D. Stussy wrote:
>
> Consider looking at traffic control instead, especially bandwidth limits.
> Grant everything else as a priority, and allow the P2P sessions to use only
> that bandwidth which is unused, with a low percentage as a minimum flow to
> keep the P2P sessions alive (i.e. <10%).


A problem is to identify P2P traffic. There is a race between ISPs
trying to identify P2P traffic in order to give it low priority and P2P
software developers trying to evade such detection, e.g. by using
standard service ports such as 80 or 443 to avoid port-based detection,
or encryption to avoid content-based detection...
 
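Added example, not code from this thread or from any of the posters: the per-host fair sharing Pascal suggested, which sidesteps the identification race above entirely, because nothing in it has to recognise P2P. The WAN link is shaped with HTB and an SFQ whose notion of a "flow" is redefined, via the flow classifier, as one intranet host; a host running 200 P2P connections then competes as one host against a host doing a single HTTP download. Everything concrete here is assumed rather than taken from the thread: eth0 as the internet side, eth1 as the intranet side, intranet hosts MASQUERADEd on eth0, and the rates DOWN_RATE/UP_RATE, which should be set a little below the real link speeds so the queue forms on the router and not in the modem. With DRY_RUN=1 (the default) the script prints the tc commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: share the WAN link fairly between
# intranet hosts with HTB + SFQ, with the SFQ "flow" redefined as one intranet
# host. No P2P classification is involved, so there is nothing to evade.
# Assumptions not stated in the thread: eth0 = internet, eth1 = intranet,
# intranet hosts are MASQUERADEd on eth0, and DOWN_RATE/UP_RATE sit a little
# below the real link speeds. DRY_RUN=1 (default) prints instead of running.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DOWN_RATE=${DOWN_RATE:-18mbit}
UP_RATE=${UP_RATE:-900kbit}
DRY_RUN=${DRY_RUN:-1}

tc_() {
    if [ "$DRY_RUN" = 1 ]; then printf 'tc %s\n' "$*"; else tc "$@"; fi
}

# Shape the egress of one interface. $1 = interface, $2 = rate, $3 = flow key
# that identifies the intranet host on that side:
#   eth1 egress carries downloads; de-NAT already happened on the way in, so
#        the packet's dst is the intranet host;
#   eth0 egress carries uploads; the src was rewritten by MASQUERADE, so use
#        nfct-src (the conntrack original source) rather than src.
shape_egress() {
    dev=$1; rate=$2; key=$3
    tc_ qdisc del dev "$dev" root 2>/dev/null || true
    tc_ qdisc add dev "$dev" root handle 1: htb default 10
    tc_ class add dev "$dev" parent 1: classid 1:1 htb rate "$rate" ceil "$rate"
    tc_ class add dev "$dev" parent 1:1 classid 1:10 htb rate "$rate" ceil "$rate"
    # SFQ round-robins between its 1024 hash buckets; the flow filter selects
    # the bucket from the chosen key, so each intranet host lands in a bucket
    # of its own (barring hash collisions) and gets an equal turn, however many
    # connections it has open.
    tc_ qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    tc_ filter add dev "$dev" parent 10: protocol ip handle 1 flow hash keys "$key" divisor 1024
}

setup_fair_sharing() {
    shape_egress "$LAN_IF" "$DOWN_RATE" dst
    shape_egress "$WAN_IF" "$UP_RATE" nfct-src
}

setup_fair_sharing
```

Run it once with DRY_RUN=1 to inspect the commands, then DRY_RUN=0 as root to apply them; `tc -s qdisc show dev eth1` afterwards shows the SFQ counters. This only equalises hosts, so if most of the intranet is running P2P it buys nothing, which is the caveat Pascal raises further down.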
 
Pascal Hambourg
08-19-2010, 08:45 PM
Eric Tao wrote:
> Pascal Hambourg wrote:
>>
>> Eric Tao wrote:
>>
>>> The iptables rules should count the number of connections made by a
>>> certain intranet IP to an internet ip, if for a specific intranet ip the
>>> number of its internet peers exceeds a certain value, no more new
>>> connections from that intranet user are allowed.

>>
>> Check the "connlimit" match.
>> Another approach could be to use traffic control, e.g. fair queuing to
>> allocate bandwidth evenly among hosts.

>
> connlimit doesn't fit the scenario at all in that it matches only
> incoming connection to the server, not forwarded one.


Are you sure of this?

> tc relies on p2p match plugin. ipp2p is quite old and will miss quite a
> lot of p2p packets in my experience.


I suggested fair bandwidth sharing among hosts, which does not require
ipp2p. If most intranet hosts heavily use P2P, then I'm afraid this is
another problem.
 
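Added example, not from the thread or any of the posters, covering both Pascal's connlimit suggestion and the question just above of whether it applies to forwarded traffic. connlimit keeps its own table of the connections that matched its rule, prunes entries that conntrack no longer knows, and counts the survivors per (masked) source address; it is a match, so it works in whatever chain you put it in, and in FORWARD the source is still the intranet address because SNAT/MASQUERADE only happens later in POSTROUTING. The script builds the rule and also gives an offline check that parses `conntrack -L` output and reports, per intranet host, both its live connection count (what connlimit limits) and its distinct internet peers (what Eric asked for), since those are not the same number. Assumptions not in the thread: eth0 internet, eth1 intranet, intranet 192.168.1.0/24, a cap of 50 connections per host, and the sample conntrack lines, which are constructed for the example rather than captured from a real box.

```shell
#!/bin/sh
# Added example, not code from the thread: cap the concurrent TCP connections
# each intranet host may open through the gateway with the connlimit match in
# FORWARD, and check live counts per host from `conntrack -L` output.
# Assumptions (not in the thread): eth0 = internet, eth1 = intranet,
# intranet = 192.168.1.0/24, cap = 50 connections per host.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_PREFIX=${LAN_PREFIX:-192.168.1.}   # used by the awk check below
MAX_CONN=${MAX_CONN:-50}

# connlimit tracks connections that matched this rule, drops entries conntrack
# has forgotten, and counts what is left per source masked to /32. FORWARD is
# traversed before POSTROUTING SNAT, so the source is still the intranet host.
# --syn restricts the test to new TCP connections; established flows pass.
connlimit_rule() {
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p tcp --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' \
        "$LAN_IF" "$WAN_IF" "$LAN_NET" "$MAX_CONN"
}

# Per intranet host, count live conntrack entries and distinct internet peers
# from `conntrack -L` lines on stdin. Only the first src=/dst= pair on a line
# (the original direction) is used, so the NATed reply tuple is ignored. Note
# this counts every protocol, while the rule above limits TCP only.
peers_per_host() {
    awk -v pfx="$LAN_PREFIX" '
    {
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
        }
        if (index(src, pfx) != 1 || dst == "") next
        conns[src]++
        if (!seen[src, dst]++) peers[src]++
    }
    END { for (s in conns) print s, conns[s], peers[s] }' | sort
}

# Hosts whose live connection count already exceeds MAX_CONN.
hosts_over_limit() {
    peers_per_host | awk -v max="$MAX_CONN" '$2 > max { print $1 }'
}

# Constructed sample of `conntrack -L` output (not captured from a real box):
# host .10 has four connections to three peers, host .20 has one, and the last
# line is an inbound connection from the internet, which is not counted.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51235 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=51235 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=203.0.113.9 sport=6881 dport=6881 src=203.0.113.9 dst=198.51.100.1 sport=6881 dport=6881 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.10 dst=203.0.113.44 sport=40001 dport=6881 [UNREPLIED] src=203.0.113.44 dst=198.51.100.1 sport=6881 dport=40001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=50000 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=50000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=198.51.100.1 sport=33000 dport=22 src=198.51.100.1 dst=203.0.113.77 sport=22 dport=33000 [ASSURED] mark=0 use=1'

connlimit_rule
printf '%s\n' "$SAMPLE_CONNTRACK" | peers_per_host
```

On the real router, feed it `conntrack -L 2>/dev/null | peers_per_host` after loading the rule and watch whether any host sits at the cap; REJECT with tcp-reset is chosen over DROP so the P2P client fails fast rather than leaving SYN_SENT entries around, which would themselves count against the limit until they time out.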