tharok
Resolved
0 votes
Hi everyone! I'm trying to recover an old feature of our previous gateway (a non-ClearOS, "hand made" system). That feature was surprisingly useful for limiting the P2P usage of our network. As some of you already know, I have really limited bandwidth (10 Mb down / 10 Mb up) with a lot of users (around 150-200), and I can't block anything, because they spend almost all year here and this is the only place they have to enjoy an "open" internet. You must also understand that monitoring 24h what they do and warning those who abuse the bandwidth is not an option, because if I did that I would be going from house to house 24h a day...

So what we did in the pre-ClearOS era was to limit the number of simultaneous connections a user can establish to around 100. With this, done 100% with iptables, if someone launches poorly configured P2P software he will not be able to browse or do anything else until he closes the software. Also, as a security measure, we had a speed limit to ensure that nobody monopolizes the bandwidth.
Right now I have QoS and it's doing a great job, but I want to recover those functions because they improved the general health of the network a lot. I know that the bandwidth manager can't be enabled with QoS on, so I want to know if there is a way of doing this manually with the custom firewall.
For our connection limit I have this:

# Drops every forwarded packet from a LAN host that already has more than
# 100 tracked connections. connlimit defaults to --connlimit-mask 32 (one
# counter per source address) and, with no -p given, counts UDP flows too.
iptables -I FORWARD -m iprange --src-range 192.168.1.5-192.168.2.250 -m connlimit --connlimit-above 100 -j DROP


But I think that it's not doing its job... Is there any iptables guru who can help me a little with this?

Note: I don't know the original rules because at that time the network manager wasn't me, and the person in charge is not here anymore... Also, I know I can just use the protocol filter, but as you may know some P2P like torrents can elude filters.

UPDATE: Today I found the "hashlimit" module (I'm a total noob with iptables...). I've seen some examples of people limiting packets for INCOMING connections, but there is an example of a user with a gateway trying to achieve the same thing as me:

# Accepts up to 100 packets/second per source address (one bucket per host,
# idle entries expire after 60 s). As posted it applies to every source, not
# only the LAN. Packets above the rate do NOT match and simply fall through
# to the rest of FORWARD, so the rule limits nothing unless a DROP for the
# same sources follows it (and both must sit before any general ACCEPT):
iptables -A FORWARD -m hashlimit --hashlimit-name limit1 --hashlimit-htable-size 4096 --hashlimit-htable-expire 60000 --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-upto 100/sec -j ACCEPT
iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.2.250 -j DROP

I don't know if this would break my system, and right now I have too many users online, so I will try it later tonight. Any advice would be very helpful, thanks!
Thursday, March 20 2014, 01:04 PM
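The two mechanisms the post is after (a per-host cap on simultaneous connections, plus a per-host rate ceiling as a backstop) fit naturally in one dedicated chain that FORWARD jumps to for LAN sources. The script below is an added example, not code from the original post and not part of ClearOS; the LAN range, the chain name P2PLIMIT, the caps of 100 connections and 100 packets/s, and the DRY_RUN switch are assumptions chosen for illustration. It differs from the posted rules in three practical ways: it counts only new TCP connection attempts (SYN) and answers the excess with a reset, so a host over the cap has its P2P client stall while its existing sessions keep working; it caps UDP flows separately, since torrent clients move most of their traffic over uTP/DHT; and it pairs the hashlimit match with the DROP it needs to limit anything. Because DNAT happens in PREROUTING and SNAT in POSTROUTING, FORWARD still sees the private LAN source address, so the iprange match works on a NAT gateway.

```shell
#!/bin/sh
# Added example (not from the original post or ClearOS): per-host connection
# and packet-rate limits for a forwarding gateway, built as a dedicated chain.
# Assumed values: LAN range, chain name P2PLIMIT, caps of 100 connections and
# 100 packets/s per host, and a DRY_RUN switch that prints instead of applying.

LAN_RANGE="${LAN_RANGE:-192.168.1.5-192.168.2.250}"
MAX_CONNS="${MAX_CONNS:-100}"     # simultaneous connections per LAN host
MAX_PPS="${MAX_PPS:-100}"         # packets per second per LAN host
CHAIN="${CHAIN:-P2PLIMIT}"
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"           # 1 = print the commands, 0 = run them

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

install_limits() {
    # Own chain so the rule set can be reloaded without leaving duplicates.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"

    # 1. TCP: count only new connection attempts (SYN). Refusing the 101st
    #    SYN with a RST stalls the P2P client at once but leaves the host's
    #    existing sessions alone. Mask 32 = one counter per host address.
    ipt -A "$CHAIN" -p tcp --syn -m connlimit \
        --connlimit-above "$MAX_CONNS" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset

    # 2. UDP: conntrack tracks UDP as flows too, so the same cap applies to
    #    the uTP/DHT traffic a torrent client opens. Idle UDP entries stay in
    #    the count until conntrack times them out.
    ipt -A "$CHAIN" -p udp -m conntrack --ctstate NEW -m connlimit \
        --connlimit-above "$MAX_CONNS" --connlimit-mask 32 -j DROP

    # 3. Packet-rate ceiling per host. hashlimit only matches traffic that is
    #    still under the rate; that traffic RETURNs to FORWARD and the rest
    #    falls through to the DROP right after it.
    ipt -A "$CHAIN" -m hashlimit --hashlimit-name lan_pps \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-upto "${MAX_PPS}/sec" --hashlimit-burst 200 \
        --hashlimit-htable-expire 60000 -j RETURN
    ipt -A "$CHAIN" -j DROP

    # Hook the chain at the top of FORWARD for LAN sources only. Remove any
    # earlier copy of the jump first so reruns do not stack it.
    ipt -D FORWARD -m iprange --src-range "$LAN_RANGE" -j "$CHAIN" 2>/dev/null || true
    ipt -I FORWARD 1 -m iprange --src-range "$LAN_RANGE" -j "$CHAIN"
}

# Number of rules the generated chain holds (dry-run helper for checking the
# output before applying it).
rule_count() {
    ( DRY_RUN=1; install_limits ) | grep -c -- " -A $CHAIN "
}

case "${1:-}" in
    show)  DRY_RUN=1; install_limits ;;
    apply) install_limits ;;
esac
```

`sh limits.sh show` prints the exact commands without touching the firewall; `sh limits.sh apply` (as root, from wherever your custom firewall rules are loaded so a ClearOS reload does not drop them) installs them. Two caveats: hashlimit here counts packets, not bytes, so 100 packets/s is roughly 1.2 Mbit/s of full-size frames but far less for small packets, and real bandwidth fairness is still QoS's job; and connlimit only sees connections that hit this chain after it is installed, so the counters start empty on every reload.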
Responses (0)
  • There are no replies here yet.