Limiting TCP, where is my mistake?

Hello forum,

I am trying to limit the number of TCP connections per hotspot user to 100.
This forum and the MT wiki say this rule does that:

chain=forward action=drop protocol=tcp connection-limit=100,32

What it should do:
In chain "forward", drop all TCP packets from one client (32) who already has 100 TCP connections.

Right now there is one user with 265 "established" TCP connections and some others (syn, wait, etc.), and of course thousands of UDP "connections".

The statistics of this rule show nothing.

What am I doing wrong?
Can I limit the UDP streams/ports too?

ROS is 4.11 on RB1000

You have to allow 100 connections and drop the rest. So you need two rules.

I think the default is that everything that is not dropped is allowed.
There are >200 connections without having a rule to allow them.

Maybe you can post the correct rules?

I have the following rules now:

10   chain=forward action=accept protocol=tcp connection-limit=100,32 

11   chain=forward action=drop protocol=tcp connection-limit=100,32 

12   chain=forward action=reject reject-with=icmp-network-unreachable 
     p2p=all-p2p protocol=tcp connection-limit=5,32

What it should do:

  • accept the first 100 TCP connections
  • drop the rest
  • limit P2P connections to 5 per user

Right now, one user has 18 P2P (BitTorrent), 120 TCP, 47 UDP.

Problems are:

  • many people cannot use Skype
  • at times of high traffic, some basic protocols like DHCP etc. cannot connect, because there are no connections available.
  • the external load balancer is limited to 40000 simultaneous sessions (in theory; the CPU limit is less)
  • a P2P user uses 2200 to 2500 open sessions, and there are too many of them

I tried to fix this by setting up priorities, but this does not work either. It is taken from a script for a TikTube video:

Mangle:

0   chain=prerouting action=accept protocol=tcp dst-port=110 
     packet-mark=Download_services 

 1   chain=prerouting action=accept protocol=tcp dst-port=995 
     packet-mark=Download_services 

 2   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=143 

 3   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=993 

 4   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=25 

 5   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=80 connection-bytes=500000-0 

 6   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=20 

 7   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=21 

 8   chain=prerouting action=mark-packet new-packet-mark=Download_services 
     passthrough=yes protocol=tcp dst-port=22 packet-size=1400-1500 

 9   chain=prerouting action=mark-packet new-packet-mark=P2P_services 
     passthrough=yes p2p=all-p2p 

10   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=tcp dst-port=53 

11   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=udp dst-port=53 

12   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=icmp 

13   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=tcp dst-port=443 

14   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=tcp dst-port=23 

15   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=tcp dst-port=22 packet-size=0-1400 

16   chain=prerouting action=mark-packet new-packet-mark=Ensign_services 
     passthrough=yes protocol=tcp dst-port=80 connection-bytes=0-500000 

17   chain=prerouting action=accept packet-mark=User_requests

Queues:

 0   name="Prio 1" parent=global-in packet-mark=Ensign_services limit-at=0 queue=default priority=1 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 1   name="Prio 3" parent=global-in packet-mark=User_requests limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 
     burst-threshold=0 burst-time=0s 

 2   name="Prio 7" parent=global-in packet-mark=Download_services limit-at=0 queue=default priority=7 max-limit=0 
     burst-limit=0 burst-threshold=0 burst-time=0s 

 3   name="Prio 8" parent=global-out packet-mark=P2P_services limit-at=1k queue=default priority=8 max-limit=2k 
     burst-limit=0 burst-threshold=0 burst-time=0s

Any hints?
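An added example (not from the thread or from MikroTik) that models how the ordered filter rules above are evaluated, so the effect of putting an accept rule with connection-limit=100,32 in front of a drop rule with the same limit can be seen. It assumes the connection-limit matcher fires once the masked source address already has at least the given number of tracked connections, that the first matching rule with a terminating action wins, and that unmatched traffic is accepted; the client address and connection counts are constructed.

```python
import ipaddress
from collections import defaultdict

# Rule = (action, limit, prefix_len). Assumption about the connection-limit
# matcher: it fires when the source address, masked to prefix_len, already
# has at least `limit` tracked connections. Adjust if your RouterOS version
# uses a strictly-greater boundary. limit=None matches unconditionally.

def count_in_block(tracked, src, prefix_len):
    """Connections currently tracked for the address block containing src."""
    net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return sum(n for host, n in tracked.items() if ipaddress.ip_address(host) in net)

def evaluate(rules, attempts):
    """Push connection attempts (a list of source IPs) through the rules in order.
    Returns the per-rule match counters (what the rule statistics would show)
    and the decision for each attempt. Unmatched attempts are accepted, which
    is the implicit default discussed in the thread."""
    tracked = defaultdict(int)          # host -> accepted connection count
    counters = [0] * len(rules)
    decisions = []
    for src in attempts:
        decision = "accept"
        for i, (action, limit, plen) in enumerate(rules):
            if limit is None or count_in_block(tracked, src, plen) >= limit:
                counters[i] += 1
                decision = action
                break                   # terminating action: stop at first match
        if decision == "accept":
            tracked[src] += 1
        decisions.append(decision)
    return counters, decisions

def summarize(rules, attempts):
    counters, decisions = evaluate(rules, attempts)
    return counters, decisions.count("accept"), decisions.count("drop")

# Ruleset as posted (rules 10 and 11): accept at the limit, then drop at the limit.
POSTED = [("accept", 100, 32), ("drop", 100, 32)]
# Single drop rule, as in the first post.
DROP_ONLY = [("drop", 100, 32)]

if __name__ == "__main__":
    client = ["10.0.0.5"] * 120         # constructed: one client opening 120 connections
    print("posted   :", summarize(POSTED, client))     # ([20, 0], 120, 0): drop never matches
    print("drop-only:", summarize(DROP_ONLY, client))  # ([20], 100, 20)
```

With the posted order the accept rule matches every connection past the 100th, so the drop rule behind it never sees a packet; with the drop rule alone, the 101st and later attempts are dropped. The same function also covers a shared block limit such as connection-limit=100,24.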