Connection Limit

Hello folks…

I am currently using the following rules to limit outgoing connection from my customers to the internet, based on a port range…
chain=int2ext action=drop connection-state=new dst-port=1026-1862 protocol=tcp connection-limit=3,32
chain=int2ext action=drop connection-state=new dst-port=1864-3388 protocol=tcp connection-limit=3,32
chain=int2ext action=drop connection-state=new dst-port=3390-5899 protocol=tcp connection-limit=4,32
chain=int2ext action=drop connection-state=new dst-port=5906-65535 protocol=tcp connection-limit=6,32
(int2ext is just a custom chain to handle outgoing traffic)

This is working well… The problem is that some software like P2Ps usually connect to just 1 server and that server tells other hosts to connect on my customers’ IPs… Meaning, instead of outgoing it becomes incoming traffic… Then, my customer that can open only 6 connections end up with hundreds opened because they were opened the other way…

How can I limit incoming connections based on a /32 destination? Is that possible? I tried a few things and as far as I can tell, the limit is based on the source IP, not the destination one…

I don't want to fully block incoming syn packets… I want my customers to be accessible from the internet… I'd like that new connections, outgoing or incoming, both respect a certain number of established connections on that specific port range…

Any ideas?
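The asymmetry the post describes, as an added model that is not part of the original post and not RouterOS code: a small Python simulator applies the four posted rules (dst-port range, count, netmask) to new TCP connections and counts per address block. With the counter keyed by source address, as the poster says connection-limit behaves, one customer is capped at 6 outgoing connections in the 5906-65535 range, while 50 distinct peers connecting inbound to that same customer are all accepted, because each peer is its own /32. The `key_by="dst"` mode models the per-destination cap the poster is asking for; it is an assumption of this example, not a feature the page confirms exists. The customer and peer addresses are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One connection-limit rule: a dst-port range, the allowed number of
    connections, and the netmask that groups addresses (32 = per host)."""
    port_lo: int
    port_hi: int
    limit: int
    netmask: int


# The four rules from the post, expressed as data.
RULES = [
    Rule(1026, 1862, 3, 32),
    Rule(1864, 3388, 3, 32),
    Rule(3390, 5899, 4, 32),
    Rule(5906, 65535, 6, 32),
]


class ConnLimiter:
    """Counts open TCP connections per (rule, address block) and drops a new
    connection once that block already holds `limit` connections for the rule.

    key_by="src": count by the packet's source address, the behaviour the
                  post describes for connection-limit.
    key_by="dst": count by destination address, the behaviour the poster
                  wants (a hypothetical mode of this model, not a RouterOS option).
    Connections are assumed to stay open, so counts only grow.
    """

    def __init__(self, rules, key_by="src"):
        if key_by not in ("src", "dst"):
            raise ValueError("key_by must be 'src' or 'dst'")
        self.rules = rules
        self.key_by = key_by
        self.counts = defaultdict(int)

    def _match_rule(self, dst_port):
        for idx, rule in enumerate(self.rules):
            if rule.port_lo <= dst_port <= rule.port_hi:
                return idx, rule
        return None

    def new_connection(self, src, dst, dst_port):
        """Return 'accept' or 'drop' for a connection-state=new TCP packet."""
        match = self._match_rule(dst_port)
        if match is None:
            return "accept"  # no rule covers this port, nothing to limit
        idx, rule = match
        addr = src if self.key_by == "src" else dst
        block = ip_network(f"{addr}/{rule.netmask}", strict=False)
        key = (idx, block)
        if self.counts[key] >= rule.limit:
            return "drop"
        self.counts[key] += 1
        return "accept"


def simulate_outgoing(customer="10.0.0.5", attempts=10, port=6881):
    """Customer opens `attempts` connections to distinct servers on `port`.
    Returns (accepted, dropped)."""
    lim = ConnLimiter(RULES, key_by="src")
    verdicts = [lim.new_connection(customer, f"203.0.113.{i}", port)
                for i in range(attempts)]
    return verdicts.count("accept"), verdicts.count("drop")


def simulate_incoming(key_by, customer="10.0.0.5", peers=50, port=6881):
    """`peers` distinct internet hosts connect inbound to customer:port.
    Returns (accepted, dropped)."""
    lim = ConnLimiter(RULES, key_by=key_by)
    verdicts = [lim.new_connection(f"198.51.100.{i}", customer, port)
                for i in range(1, peers + 1)]
    return verdicts.count("accept"), verdicts.count("drop")


if __name__ == "__main__":
    print("outgoing, keyed by src:", simulate_outgoing())          # (6, 4)
    print("incoming, keyed by src:", simulate_incoming("src"))     # (50, 0)
    print("incoming, keyed by dst:", simulate_incoming("dst"))     # (6, 44)
```

Port 6881 falls in the 5906-65535 range, so the cap is 6. The source-keyed run reproduces the post exactly: the customer is held to 6 outgoing connections, yet all 50 inbound peers get through because the counter never sees the customer's address as the one to limit. Only the destination-keyed model, which the page does not confirm exists in the firewall, caps inbound at the same 6.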