Linode Forum
https://forum.linode.com/

Is there any way to limit total connections by IP?
https://forum.linode.com/viewtopic.php?f=19&t=11753
Page 1 of 1

Author:  math [ Sat Apr 18, 2015 4:48 am ]
Post subject:  Is there any way to limit total connections by IP?

Hello, is there any way to limit the total connections by IP on port 80 using iptables?
I am using Linode with a LAMP stack on CentOS 6.5,
with the Apache prefork module working with the settings below, but I think it's an iptables issue, not Apache.
Code:
<IfModule prefork.c>
StartServers       8
MinSpareServers    8
MaxSpareServers   15
#ServerLimit      256
MaxClients        200
MaxRequestsPerChild  3000
</IfModule>

thanks and regards

Author:  glg [ Sat Apr 18, 2015 4:23 pm ]
Post subject:  Re: Is there any way to limit total connections by IP?

math wrote:
Hello, is there any way to limit the total connections by IP on port 80 using iptables?
I am using Linode with a LAMP stack on CentOS 6.5,
with the Apache prefork module working with the settings below, but I think it's an iptables issue, not Apache.
Code:
<IfModule prefork.c>
StartServers       8
MinSpareServers    8
MaxSpareServers   15
#ServerLimit      256
MaxClients        200
MaxRequestsPerChild  3000
</IfModule>

thanks and regards


How big is your Linode? 200 is *way* too high a MaxClients in prefork unless you have a huge amount of RAM.

Author:  math [ Sat Apr 18, 2015 8:27 pm ]
Post subject:  Re: Is there any way to limit total connections by IP?

glg wrote:
How big is your Linode? 200 is *way* too high a MaxClients in prefork unless you have a huge amount of RAM.

My VPS RAM is 16G, and the current values (from free -m) are:
Code:
[root@li453-144 ~]# free -m
             total       used       free     shared    buffers     cached
Mem:         16048      15209        838          0        377       3345
-/+ buffers/cache:      11486       4561
Swap:         8511        124       8387


regards

Author:  Vance [ Sat Apr 18, 2015 10:27 pm ]
Post subject:  Re: Is there any way to limit total connections by IP?

Check out the connlimit module for iptables. Something like the following would limit each IP to 5 simultaneous connections. Note that many browsers will open multiple connections to download graphics, etc. so setting the limit too low will cause problems for those users.
Code:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT
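As an added example (not code from Vance's post or from Linode), the shell script below wraps the one-line connlimit rule in the small ruleset a practitioner usually wants around it (inserted ahead of any port-80 ACCEPT, an explicit mask, tcp-reset, a rate-limited LOG), and adds a check that counts established connections per client IP so the effect of the limit can be seen. The limit (10), port (80) and mask (/32) are assumed values, and the /proc/net/tcp sample is constructed, not captured from a host. Without APPLY=1 the rules are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread: wrap the connlimit rule in a
# small ruleset (logging, tcp-reset, explicit mask, inserted ahead of any
# port-80 ACCEPT) and add a check that counts established connections per
# client IP so the effect of the limit can be seen.  Limit/port/mask values
# and the /proc/net/tcp sample below are assumptions constructed for
# illustration; APPLY=1 (as root) installs the rules, otherwise they are
# only printed.

# Print the command in dry-run mode, execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi; }

# connlimit_rules LIMIT PORT [MASK]: reject new TCP connections to PORT
# once a source (grouped by MASK, default /32 = one host) already holds
# LIMIT of them, logging a rate-limited sample first.
connlimit_rules() {
  limit=$1; port=$2; mask=${3:-32}
  # A limit below 1 would reject every new connection, so refuse it.
  [ "$limit" -ge 1 ] 2>/dev/null || { echo "LIMIT must be >= 1" >&2; return 1; }
  # Insert at position 1 so the check precedes any blanket ACCEPT for the
  # port; --syn confines it to connection attempts, not established flows.
  run iptables -I INPUT 1 -p tcp --syn --dport "$port" \
      -m connlimit --connlimit-above "$limit" --connlimit-mask "$mask" \
      -j REJECT --reject-with tcp-reset
  # The LOG rule is inserted afterwards at position 1, so it ends up above
  # the REJECT; -m limit keeps a flood from also flooding syslog.
  run iptables -I INPUT 1 -p tcp --syn --dport "$port" \
      -m connlimit --connlimit-above "$limit" --connlimit-mask "$mask" \
      -m limit --limit 5/min -j LOG --log-prefix "connlimit port $port: "
}

# count_by_ip FILE PORT: per-client count of ESTABLISHED connections to
# local PORT, reading FILE in /proc/net/tcp layout (use /proc/net/tcp on
# a live host).  Addresses there are little-endian hex, hence the byte swap.
count_by_ip() {
  want=$(printf '%04X' "$2")
  while read -r sl laddr raddr st rest; do
    [ "$sl" = "sl" ] && continue               # header line
    [ "${laddr##*:}" = "$want" ] || continue   # local port
    [ "$st" = "01" ] || continue               # 01 = TCP_ESTABLISHED
    hex=${raddr%%:*}
    a=$(echo "$hex" | cut -c7-8); b=$(echo "$hex" | cut -c5-6)
    c=$(echo "$hex" | cut -c3-4); d=$(echo "$hex" | cut -c1-2)
    printf '%d.%d.%d.%d\n' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
  done < "$1" | sort | uniq -c | sort -rn
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# three established HTTP connections from 203.0.113.5, one from 198.51.100.7,
# a TIME_WAIT (state 06) entry and an SSH connection that must not be counted.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0 100 0 0 10 0
   1: 0F02000A:0050 057100CB:C3B2 01 00000000:00000000 00:00000000 00000000    48        0 10002 1 0 100 0 0 10 0
   2: 0F02000A:0050 057100CB:C3B3 01 00000000:00000000 00:00000000 00000000    48        0 10003 1 0 100 0 0 10 0
   3: 0F02000A:0050 057100CB:C3B4 01 00000000:00000000 00:00000000 00000000    48        0 10004 1 0 100 0 0 10 0
   4: 0F02000A:0050 076433C6:D2A1 01 00000000:00000000 00:00000000 00000000    48        0 10005 1 0 100 0 0 10 0
   5: 0F02000A:0050 057100CB:C3B5 06 00000000:00000000 03:00000A12 00000000     0        0 0 3 0 100 0 0 10 0
   6: 0F02000A:0016 057100CB:E011 01 00000000:00000000 00:00000000 00000000     0        0 10006 1 0 100 0 0 10 0
EOF

connlimit_rules 10 80 32
echo "established connections per client on port 80 (sample data):"
count_by_ip "$SAMPLE" 80
```

Points worth knowing when tuning this: --connlimit-above N rejects the N+1th concurrent connection from a source, so N is the allowed ceiling; a wider mask such as /24 pools a whole subnet, which hits users behind a shared NAT address harder than the per-host /32; --reject-with tcp-reset gives a browser an immediate failure instead of the default ICMP port-unreachable; and count_by_ip reads only ESTABLISHED sockets, so it will show fewer entries than conntrack (which connlimit consults) when many connections sit in TIME_WAIT.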

Author:  math [ Sun Apr 19, 2015 5:06 am ]
Post subject:  Re: Is there any way to limit total connections by IP?

Vance wrote:
Check out the connlimit module for iptables. Something like the following would limit each IP to 5 simultaneous connections. Note that many browsers will open multiple connections to download graphics, etc. so setting the limit too low will cause problems for those users.
Code:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT


Thank you very much for the help.
Yes, that's right, I will try to adjust the connection limit...
Best regards

Author:  math [ Sun May 03, 2015 9:14 pm ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Hello, when applying the iptables connlimit rule,
I get an issue with the kernel version (Latest 64 bit (3.19.1-x86_64-linode53)), CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y, CentOS 6.6.
The output message is:
iptables: Protocol wrong type for socket.
How can I fix it? Please help.

Author:  virtualsid [ Sun May 03, 2015 9:41 pm ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Can you post the actual command you used?

Thanks.

Author:  math [ Mon May 04, 2015 12:49 am ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Thank you very much for the help,
yes, it's like below:
Code:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset
iptables: Protocol wrong type for socket.

I also checked all available "3.xx.x-x86_64" kernels in the Linode Manager (switching between them, rebooting my Linode, then testing the iptables connlimit command), but all give me the same result with the same message:
"iptables: Protocol wrong type for socket."
Thanks and regards

Author:  Vance [ Tue May 05, 2015 2:38 am ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Hmm, I'd suggest trying the stock CentOS kernel: https://www.linode.com/docs/tools-refer ... -and-newer

If that doesn't work, you'll be able to file a bug with CentOS. With the config option you noted, I don't know why the Linode kernel isn't working, but the CentOS devs probably won't respond if you're not using their kernel.

Author:  math [ Tue May 05, 2015 6:27 am ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Dear Vance,
Thank you very much for the help. I see the method is "using PV-GRUB in the current profile", and I will surely test it.
Regards
Vance wrote:
Hmm, I'd suggest trying the stock CentOS kernel: https://www.linode.com/docs/tools-refer ... -and-newer

If that doesn't work, you'll be able to file a bug with CentOS. With the config option you noted, I don't know why the Linode kernel isn't working, but the CentOS devs probably won't respond if you're not using their kernel.

Author:  math [ Thu May 07, 2015 4:53 am ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Thank you very much for the help,
it works fine now using the CentOS kernel with PV-GRUB.
Best regards.


Vance wrote:
Hmm, I'd suggest trying the stock CentOS kernel: https://www.linode.com/docs/tools-refer ... -and-newer

If that doesn't work, you'll be able to file a bug with CentOS. With the config option you noted, I don't know why the Linode kernel isn't working, but the CentOS devs probably won't respond if you're not using their kernel.

Author:  Vance [ Fri May 08, 2015 2:58 am ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Glad it is working for you.

Are there any obvious differences in the CONFIG_NETFILTER options between the Linode kernel and the CentOS one? Just curious, you may want to let Linode know.

Author:  math [ Mon May 11, 2015 6:04 pm ]
Post subject:  Re: are there any way to make limit of total connections by IP?

Yes, sure. The output of the kernel (2.6.32-504.16.2.el6.x86_64) config
Code:
# grep -i "CONFIG_NETFILTER" /usr/src/kernels/2.6.32-504.16.2.el6.x86_64/.config

has the following values,
but note that the value is "CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m"!
Code:
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_OSF=m



I hope this output info is useful.
Thank you very much, and regards...

Vance wrote:
Glad it is working for you.

Are there any obvious differences in the CONFIG_NETFILTER options between the Linode kernel and the CentOS one? Just curious, you may want to let Linode know.
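The thread never pins down why the Linode kernel refused the rule with "Protocol wrong type for socket", and the added script below (not code from the thread or from Linode/CentOS) does not diagnose that either; it makes the first things to look at quick to check: whether a kernel config carries the connlimit match built in (=y), as a module (=m) or not at all, a diff of the CONFIG_NETFILTER options between two configs as Vance asked for, and the read-only live checks that the module is loaded and the iptables extension is present. The config paths searched are assumptions based on stock CentOS 6 layout, and the sample configs are constructed from the two lines the thread shows.

```shell
#!/bin/sh
# Added example, not code from the thread: classify how a kernel config
# provides the connlimit match, compare the netfilter options of two
# kernel configs, and run read-only live checks for the module and the
# iptables extension.  Config paths and the sample configs are
# assumptions constructed for illustration.

# Emit the text of a kernel config, gunzipping /proc/config.gz-style files.
read_config() {
  case $1 in *.gz) zcat "$1" ;; *) cat "$1" ;; esac
}

# connlimit_build_type FILE: print "builtin", "module" or "missing" for
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT in that config.
connlimit_build_type() {
  val=$(read_config "$1" 2>/dev/null | sed -n 's/^CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=//p')
  case $val in
    y) echo builtin ;;
    m) echo module ;;
    *) echo missing ;;
  esac
}

# netfilter_config_diff A B: diff the CONFIG_NETFILTER* lines of two
# configs (sorted, so option order in the files does not matter).
netfilter_config_diff() {
  t1=$(mktemp); t2=$(mktemp)
  read_config "$1" | grep 'CONFIG_NETFILTER' | sort > "$t1"
  read_config "$2" | grep 'CONFIG_NETFILTER' | sort > "$t2"
  if diff "$t1" "$t2"; then rc=0; else rc=$?; fi
  rm -f "$t1" "$t2"
  return $rc
}

# Read-only checks on the running kernel: no rules are added or changed.
connlimit_live_check() {
  cfg=""
  for f in "/boot/config-$(uname -r)" "/usr/src/kernels/$(uname -r)/.config" /proc/config.gz; do
    [ -r "$f" ] && { cfg=$f; break; }
  done
  if [ -n "$cfg" ]; then
    echo "kernel $(uname -r): connlimit is $(connlimit_build_type "$cfg") ($cfg)"
  else
    echo "kernel $(uname -r): no config file found to inspect"
  fi
  # A module has to be loaded before the rule can be added; modprobe needs root.
  if [ "$(id -u)" -eq 0 ] && [ "$(connlimit_build_type "${cfg:-/dev/null}")" = module ]; then
    modprobe xt_connlimit 2>/dev/null && echo "xt_connlimit module loaded"
  fi
  # The userspace extension must exist too; -m <match> --help loads it.
  if command -v iptables >/dev/null 2>&1; then
    iptables -m connlimit --help >/dev/null 2>&1 && echo "iptables connlimit extension: ok"
  else
    echo "iptables not installed"; return 1
  fi
}

# Constructed sample configs (illustration only): the Linode-style line
# quoted in the thread (=y), the CentOS 6 line (=m), and a kernel without
# the match at all.
CFG_Y=$(mktemp); CFG_M=$(mktemp); CFG_NONE=$(mktemp)
trap 'rm -f "$CFG_Y" "$CFG_M" "$CFG_NONE"' EXIT
printf 'CONFIG_NETFILTER=y\nCONFIG_NETFILTER_XTABLES=y\nCONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y\n' > "$CFG_Y"
printf 'CONFIG_NETFILTER=y\nCONFIG_NETFILTER_XTABLES=y\nCONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m\n' > "$CFG_M"
printf 'CONFIG_NETFILTER=y\n# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set\n' > "$CFG_NONE"

echo "sample y: $(connlimit_build_type "$CFG_Y")"
echo "sample m: $(connlimit_build_type "$CFG_M")"
echo "sample none: $(connlimit_build_type "$CFG_NONE")"
echo "--- netfilter differences, sample y vs sample m:"
netfilter_config_diff "$CFG_Y" "$CFG_M" || true
connlimit_live_check || true
```

On a host like the one in the thread, run netfilter_config_diff with the Linode kernel's config and /boot/config-2.6.32-504.16.2.el6.x86_64 to get the comparison Vance asked about; a "module" result with nothing in lsmod is the case where modprobe xt_connlimit (normally done automatically by iptables) is the thing to try first.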

Author:  ssula [ Tue Jun 09, 2015 12:44 am ]
Post subject:  Re: are there any way to make limit of total connections by IP?

I get an issue with kernel version (Latest 64 bit (3.19.1-x86_64-linode53)), CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y, CentOS 6.6.

All times are UTC-04:00