Limit number of connections per destination host IP?

Hi,
I have been trying to do this for some time, but I have not managed it. I need to limit the number of TCP connections to destination hosts from one local (source) IP. Example:
source IP: 192.168.1.10
I want to allow 5 connections from this IP to any IP. In total it can be 1000 connections or more if this user tries to connect to 200 hosts with five connections to each of them: five connections to 1.1.1.1, five connections to 2.2.2.2, five connections to 3.3.3.3. It must not be possible to have six connections to 3.3.3.3 or any other IP, but in parallel it must be possible to have five connections to 1.1.1.1 and five connections to 2.2.2.2, etc.

I hope that you can understand what I need. I know how to limit, in the firewall, for example five connections in total from some source IP, but this is not what I need!

Thanks.

See the NAT Wiki using the connection-limit option - a bit of syntax explanation can be found in this thread.

It may take some tinkering to get exactly what you want, and using a multitude of rules you should be able to set rules:

  1. dst-address 0.0.0.0/0 with connection-limit=5,32 meaning it only allows 5 connections to any IP out in the wild
    AND
  2. src-address with connection-limit=1000,32 so it allows that one client to have up to 1000 connections open (but first rule should limit it to 5 for a single dst-address).

I’ve never used this command, this is just what I found with a quick google - it may not work with dst-addresses and may only be able to limit based on src-address, and you’ll likely have to use other matches to get it working right but this should give you a start.

But I need this limit only for one user…rule number 1 will limit all users…

Adjust the rule to suit your needs.

If I set dst-address 0.0.0.0/0, src-address to the user's IP and connection-limit=5,32, it looks like it limits the src-address to 5 connections in total, but I need it to limit to 5 connections to any IP. In total it can be 100 connections, but max 5 to one IP!

Is it possible?
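
The two behaviours contrasted in this thread, a counter keyed on the source address versus one keyed on the source/destination pair, shown as an added Python model that is not part of any post and is not RouterOS configuration. The class and function names are hypothetical and the attempt list is constructed.

```python
from collections import Counter

class ConnLimiter:
    """Toy connection tracker: admits a new connection unless the counter
    for its key has reached `limit`. `key_fn` decides what gets counted."""

    def __init__(self, limit, key_fn, limited_sources):
        self.limit = limit
        self.key_fn = key_fn
        self.limited_sources = set(limited_sources)  # only these users are limited
        self.open = Counter()                        # key -> open connections

    def connect(self, src, dst):
        if src not in self.limited_sources:
            return True                              # other users pass untouched
        key = self.key_fn(src, dst)
        if self.open[key] >= self.limit:
            return False                             # new connection dropped
        self.open[key] += 1
        return True

    def close(self, src, dst):
        key = self.key_fn(src, dst)
        if self.open[key] > 0:
            self.open[key] -= 1                      # slot becomes free again

def per_source(src, dst):
    return src            # one counter per user: caps the user's total

def per_pair(src, dst):
    return (src, dst)     # one counter per user and destination host

USER = "192.168.1.10"
# Constructed sample: six connection attempts to each of three destinations.
ATTEMPTS = [(USER, d) for d in ("1.1.1.1", "2.2.2.2", "3.3.3.3") for _ in range(6)]

def accepted(key_fn, attempts=ATTEMPTS, limit=5):
    limiter = ConnLimiter(limit, key_fn, [USER])
    return sum(limiter.connect(s, d) for s, d in attempts)

if __name__ == "__main__":
    print("keyed on source:", accepted(per_source))        # total capped
    print("keyed on source+dest:", accepted(per_pair))     # capped per host
```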

Just put the src address and put the connection limit per user, action=drop.

Hotspot/usermanager/radius has some nice limitation settings:
By throughput cap
By rate limiting
By time/day
By 1 MAC address etc…