On Wed, 23 Aug 2006 18:31:23 +0200, Frank <(E-Mail Removed)> wrote:
>Hi,
>
>How can I limit the number of TCP connections that can be served per NAT
> (masquerade) host?
>Some individuals on our network tend to p2p like hell.
>
>
>Regards,
>
>
>Frank
Probably what you want is a combination of MATCH RECENT and CONNLIMIT
in the FORWARD chain of iptables. In comp.os.linux.security you will
find much about limiting SSH and the same applies for any service or
connection. However, with p2p you can't select by port, so you may
need to look into Layer 7 methods that track p2p.
I use RECENT and CONNLIMIT for FTP, SSH and SMTP but not HTTP because
limiting HTTP causes Apache to fill my logs with 408 timeout messages.
I just DROP file sharing packets because that's "play" and company
policy is to allow only business use of its net connection.
--
buck