connection limit

Hello guys, I know that there are a million examples of how to limit TCP connections per user, but as everyone knows, everyone has a special request that has to fit his own configuration. So could anyone give me an example of how to limit TCP connections per IP to 5 connections for a specific range of IPs, let's say 100.100.100.0/24, and leave the other ranges without limitation?

And isn't it better to limit TCP connections in the input chain than in the forward chain?

best regards

/ip firewall filter add chain=forward protocol=tcp src-address=192.168.1.0/24 connection-limit=5,32 action=accept

Enjoy!

First, thanks for your reply, mate. Second, do I have to put accept or drop in action? And what about tcp-flags?

best regards

Oh dua! hahah

Normally you would put in a drop, i.e. after 5 TCP connections it would drop the rest. You don't need the TCP SYN. Something else you could do is put !80 on the DST port. This will allow as many DST port 80 connections as they can use. Great, so that they don't get "page can't be displayed" messages.

Thanks again, mate. What do you think about this rule:

/ip firewall filter add chain=input src-address=<client address> protocol=tcp connection-limit=6,32 action=drop

best regards.

This will only work on input packets, i.e. packets destined for your router.

Don't you think this will be better? Aren't all the TCP connections requested by my customers coming in through the input chain? And isn't it better to cut the road for TCP connections that exceed the limit before they get into the router?

Read up on how the chains work. Input is for packets that are going TO your router. That does not include connections flowing THROUGH your router; that is what the forward chain does.

The input chain is for packets that are going to communicate with your router, such as Winbox. If your customers NAT or route through your router, the input chain will have no effect on them.

This is what the books and the manual say, but I believe in tests.
So I did a test with Internet Download Manager, and I wonder if you all would do it and see for yourselves that the rule limiting TCP in forward does nothing to limit the IDM sessions, but when I just changed the chain to INPUT it worked like magic: it limited the IDM sessions to 6.
Just try it in forward, then in the input chain, and give me your opinion please.

/ip firewall filter add chain=input protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop

best regards

It shouldn't be so. Add a log rule and post the log information here, then I will believe you.

If so, it might be a bug. What version etc. are you running? The only other thought is that if he is forwarding in an IP, would that match the input rule, as the packets hit the interface with the public address first and then get forwarded in?

I'm using MT 2.9.27, licensed, and it works great. And "mrz", why put in logs to make you believe? Just try it yourself: download something with a download manager using 16 sessions, then pause it, put the filter in the input chain, then resume it. You will see that the sessions are reduced to the connection limit that you put in your filter. Everyone, give this filter a try please and give me your opinion, because maybe I have a bug on my MT.

best regards.

I wanted logs because there I can see the in/out interfaces and the src and dst addresses. From this info it is possible to tell which chain it will be.
So if you have any dstnat rules then it will be the input chain (probably as in your case), otherwise it should be the forward chain.

Actually "mrz", yes, I have a dst-nat rule that redirects all TCP port 80 to 8082 (web proxy). Does that make any difference?

Yeah, because now the packets are hitting the external interface (input) of the router. Then it processes your rules and forwards them on.

Normally you would use forward for customers that don't have redirect rules like that.
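To tie the two cases in this thread together (the forward-chain limit with a dst-port exception suggested earlier, and the dst-nat redirect to the web proxy that moves the traffic into the input chain), here is an added example of a RouterOS 2.9-style configuration. It is not taken from any post in the thread; the limited range 100.100.100.0/24 and proxy port 8082 come from the thread, while the interface name "Local", the 5-connection limit and the log prefixes are illustrative assumptions.

```routeros
# Added example, not from the thread. Assumed: customers sit behind the
# interface "Local", the limited range is 100.100.100.0/24, and the router's
# web proxy listens on port 8082. Everything else on the router is unchanged.

# Case 1: customers that are routed or src-NATed through the router.
# Their packets cross the router, so the check belongs in the forward chain.
# tcp-flags=syn means only NEW connection attempts above the limit are
# dropped; without it, once the count is exceeded the rule also matches
# packets of connections that are already established.
# dst-port=!80 exempts plain web browsing from the limit.
# The log rule sits in front of the drop rule with the same match, so every
# dropped SYN is visible in /log with the src, dst and in/out interface.
/ip firewall filter add chain=forward src-address=100.100.100.0/24 protocol=tcp tcp-flags=syn dst-port=!80 connection-limit=5,32 action=log log-prefix="Client TCP Limit forward"
/ip firewall filter add chain=forward src-address=100.100.100.0/24 protocol=tcp tcp-flags=syn dst-port=!80 connection-limit=5,32 action=drop
# Other ranges: no rule needed, they stay unlimited.

# Case 2: port 80 is redirected to the router's own web proxy.
# After dst-nat the router itself is the destination, so these packets go
# through the input chain and never reach the forward rules above.
/ip firewall nat add chain=dstnat in-interface=Local protocol=tcp dst-port=80 action=redirect to-ports=8082

# Limit the proxied connections per client in the input chain instead.
/ip firewall filter add chain=input in-interface=Local src-address=100.100.100.0/24 protocol=tcp tcp-flags=syn dst-port=8082 connection-limit=5,32 action=log log-prefix="Client TCP Limit input"
/ip firewall filter add chain=input in-interface=Local src-address=100.100.100.0/24 protocol=tcp tcp-flags=syn dst-port=8082 connection-limit=5,32 action=drop

# Verify which chain a client's packets actually take: the log prefix and the
# "in:... out:..." fields tell you. Entries like
#   "... input: in:Local out:(none), ... -> 192.168.60.1:8082"
# are case 2 (redirected to the proxy); forwarded traffic shows an out
# interface and the "forward" prefix.
/log print
```

`add` appends each rule to the end of its chain, so if an earlier rule already accepts traffic from that range (for example a blanket accept of established/new connections), move these rules ahead of it (`place-before=` takes the number of the rule to insert in front of). Keep the log rules only while testing; at a few thousand SYNs per second they fill the log quickly.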

So do you advise me to put in 2 "TCP limit" filters, one in the INPUT chain and a second in the FORWARD chain?
And here are some of this filter's logs:

09:25:47 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1198->192.168.60.1:8082, len 48
09:25:47 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1199->192.168.60.1:8082, len 48
09:25:59 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1200->192.168.60.1:8082, len 48
09:25:59 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1201->192.168.60.1:8082, len 48
09:26:02 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1201->192.168.60.1:8082, len 48
09:26:02 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1200->192.168.60.1:8082, len 48
09:26:08 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1201->192.168.60.1:8082, len 48
09:26:08 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:1a:92:e1:6a:63, proto TCP (SYN), 192.168.60.23:1200->192.168.60.1:8082, len 48
09:26:28 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:16:76:9a:36:ed, proto TCP (SYN), 192.168.60.40:1128->192.168.60.1:8082, len 48
09:26:38 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:16:76:9a:36:ed, proto TCP (SYN), 192.168.60.40:1133->192.168.60.1:8082, len 48
09:26:40 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:16:76:9a:36:ed, proto TCP (SYN), 192.168.60.40:1133->192.168.60.1:8082, len 48
09:26:41 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:16:76:9a:36:ed, proto TCP (SYN), 192.168.60.40:1136->192.168.60.1:8082, len 48
09:26:41 firewall,info Cient TCP Limit: Client TCP Limit input: in:Local out:(none), src-mac 00:16:76:9a:36:ed, proto TCP (SYN), 192.168.60.40:1137->192.168.60.1:8082, len 48


best regards

Maybe mangle in forward and input, and then limit connections on the marked packets? =)