are there any way to make limit of total connections by IP?

Hello, is there any way to limit the total number of connections per IP on port 80 using iptables?

I am using Linode with a LAMP stack on CentOS 6.5.

With the prefork Apache module it works with the settings below, but I think it's an iptables issue, not an Apache one.

```
<IfModule prefork.c>
StartServers       8
MinSpareServers    8
MaxSpareServers   15
#ServerLimit      256
MaxClients        200
MaxRequestsPerChild  3000
</IfModule>
```

thanks and regards

13 Replies

@math:

Hello, is there any way to limit the total number of connections per IP on port 80 using iptables?

I am using Linode with a LAMP stack on CentOS 6.5.

With the prefork Apache module it works with the settings below, but I think it's an iptables issue, not an Apache one.

```
<IfModule prefork.c>
StartServers       8
MinSpareServers    8
MaxSpareServers   15
#ServerLimit      256
MaxClients        200
MaxRequestsPerChild  3000
</IfModule>
```

thanks and regards

How big is your Linode? 200 is way too high a MaxClients in prefork unless you have a huge amount of RAM.

@glg:

How big is your Linode? 200 is way too high a MaxClients in prefork unless you have a huge amount of RAM.

My VPS RAM is 16G; the current values from `free -m` are:

```
[root@li453-144 ~]# free -m
             total       used       free     shared    buffers     cached
Mem:         16048      15209        838          0        377       3345
-/+ buffers/cache:      11486       4561
Swap:         8511        124       8387
```

regards

Check out the connlimit module for iptables. Something like the following would limit each IP to 5 simultaneous connections. Note that many browsers will open multiple connections to download graphics, etc. so setting the limit too low will cause problems for those users.

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT

@Vance:

Check out the connlimit module for iptables. Something like the following would limit each IP to 5 simultaneous connections. Note that many browsers will open multiple connections to download graphics, etc. so setting the limit too low will cause problems for those users.

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT

Thank you very much for the help.

Yes, that's right; I will try to adjust the connection limit.

best regards

Hello, when applying the iptables connlimit rule,

I get an issue with the kernel version (Latest 64 bit (3.19.1-x86_64-linode53)), CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y, CentOS 6.6.

The output message is:

```
iptables: Protocol wrong type for socket.
```

How can I fix it? Please help.

Can you post the actual command you used?

Thanks.

Thank you very much for the help.

Yes, it's like below:

```
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
iptables: Protocol wrong type for socket.
```

I also checked with all available "3.xx.x-x86_64" kernels in the Linode Manager (switching between them, rebooting my Linode, then testing the iptables connlimit command), but all give me the same result with the same message:

"iptables: Protocol wrong type for socket."

thanks and regards

Hmm, I'd suggest trying the stock CentOS kernel: https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distributionsupplied-kernel-with-pvgrub#centos-6-and-newer

If that doesn't work, you'll be able to file a bug with CentOS. With the config option you noted, I don't know why the Linode kernel isn't working, but the CentOS devs probably won't respond if you're not using their kernel.

Dear Vance

Thank you very much for the help. I understand the method, "using PV-GRUB in the current profile", and will surely test it.

regards

@Vance:

Hmm, I'd suggest trying the stock CentOS kernel: https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distributionsupplied-kernel-with-pvgrub#centos-6-and-newer

If that doesn't work, you'll be able to file a bug with CentOS. With the config option you noted, I don't know why the Linode kernel isn't working, but the CentOS devs probably won't respond if you're not using their kernel.

Thank you very much for the help.

It works fine now using the CentOS kernel with PV-GRUB.

best regards.

@Vance:

Hmm, I'd suggest trying the stock CentOS kernel: https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-distributionsupplied-kernel-with-pvgrub#centos-6-and-newer

If that doesn't work, you'll be able to file a bug with CentOS. With the config option you noted, I don't know why the Linode kernel isn't working, but the CentOS devs probably won't respond if you're not using their kernel.

Glad it is working for you.

Are there any obvious differences in the CONFIG_NETFILTER options between the Linode kernel and the CentOS one? Just curious, you may want to let Linode know.

Yes, sure. The output of the kernel (2.6.32-504.16.2.el6.x86_64) config from

```
# grep -i "CONFIG_NETFILTER" /usr/src/kernels/2.6.32-504.16.2.el6.x86_64/.config
```

is the following values,

but note the value CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m!!

CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_OSF=m

Hope this output info is useful.

Thank you very much, and regards.
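Two things come together in this thread: Vance's connlimit rule for a per-IP cap, and the later comparison of CONFIG_NETFILTER_XT_MATCH_CONNLIMIT between the Linode kernel (=y) and the CentOS kernel (=m). The script below is an added example, not code from the thread or from Linode: it reads a kernel .config-style file and reports whether the xt_connlimit match is built in, a module, or absent, and it prints (without applying) the iptables rules for a per-source cap on a port, with a rate-limited LOG rule ahead of the REJECT so the cap's effect shows up in the kernel log. The paths /boot/config-$(uname -r) and /proc/config.gz are assumptions about where the running kernel exposes its config; the `--connlimit-mask` option is iptables' own, used here to make the per-address grouping explicit. If the match is present and the command still fails as it did here, the next thing to compare is the iptables userspace version against the kernel, since the kernel config alone does not settle it.

```sh
#!/bin/sh
# Added example (not from the thread): check for xt_connlimit in a kernel
# config and build, but do not apply, a per-source connection cap for a port.
# Paths for the running kernel's config are assumptions (see lead-in).

# connlimit_support FILE
# Prints builtin, module or absent for CONFIG_NETFILTER_XT_MATCH_CONNLIMIT.
# The pattern is anchored so "# ... is not set" comment lines do not match.
connlimit_support() {
    cfg_line=$(grep -E '^CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=' "$1" 2>/dev/null | head -n 1)
    case "$cfg_line" in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# connlimit_rules PORT LIMIT [MASK]
# Prints two iptables commands: a rate-limited LOG rule (so a client hitting
# the cap is visible without flooding the log), then the REJECT rule.
# MASK is the prefix length used to group sources (32 = one counter per IPv4
# address; 24 would share one counter across a /24).
connlimit_rules() {
    port=$1; limit=$2; mask=${3:-32}
    for v in "$port" "$limit" "$mask"; do
        case "$v" in
            ''|*[!0-9]*) echo "connlimit_rules: numeric PORT LIMIT [MASK] required" >&2; return 1 ;;
        esac
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$limit" -lt 1 ] || [ "$mask" -gt 32 ]; then
        echo "connlimit_rules: port 1-65535, limit >= 1, mask <= 32" >&2
        return 1
    fi
    # Only SYN packets are examined, so established connections are untouched;
    # the match fires once the source already holds more than LIMIT connections.
    match="-p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask $mask"
    printf 'iptables -A INPUT %s -m limit --limit 5/minute -j LOG --log-prefix "connlimit: "\n' "$match"
    printf 'iptables -A INPUT %s -j REJECT --reject-with tcp-reset\n' "$match"
}

# Stand-alone run: report the running kernel's connlimit support when its
# config is readable, then show the rules for port 80 with a cap of 10.
status=unknown
if [ -r "/boot/config-$(uname -r)" ]; then
    status=$(connlimit_support "/boot/config-$(uname -r)")
elif [ -r /proc/config.gz ]; then
    tmpcfg=$(mktemp)
    zcat /proc/config.gz > "$tmpcfg"
    status=$(connlimit_support "$tmpcfg")
    rm -f "$tmpcfg"
fi
echo "xt_connlimit in running kernel: $status"
connlimit_rules 80 10
```

Review the printed rules, then pipe them to `sh` once the limit suits the site: as Vance noted, browsers open several connections per page, so a cap of 5 is low for a busy site, and the LOG line is the quickest way to see whether real users are hitting it.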

@Vance:

Glad it is working for you.

Are there any obvious differences in the CONFIG_NETFILTER options between the Linode kernel and the CentOS one? Just curious, you may want to let Linode know.

I get an issue with the kernel version (Latest 64 bit (3.19.1-x86_64-linode53)), CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y, CentOS 6.6.
