Linux — limiting the amount of P2P

Maciej
2 min readNov 19, 2019


This time a short entry about limiting the number of connections. Let us assume we have a Linux-based router sitting in a small private LAN. As we all know, users in a residential network have and use P2P. It generates an awful lot of connections, which you can view in a very simple way with the command

grep -v udp /proc/net/ip_conntrack|cut -c 12-|cut -d" " -f 2,3,4,5,6|sort -k 2,5

If a connection is broken for unknown reasons, its entries are kept by the “conntrack” module for 5 days by default, so we keep accumulating unnecessary entries in this table and, as a result, our router slows down.

To avoid this, it is a good idea to recompile the kernel after amending the following file:

./net/ipv4/netfilter/ip_conntrack_proto_tcp.c

It is worth looking at parameters such as

ip_ct_tcp_timeout_close_wait
ip_ct_tcp_timeout_established

For example, we can set them up like this

/* SECS, MINS and HOURS are multiplier macros defined in this file (SECS is *HZ) */
unsigned long ip_ct_tcp_timeout_syn_sent = 2 MINS;
unsigned long ip_ct_tcp_timeout_syn_recv = 80 SECS;
unsigned long ip_ct_tcp_timeout_established = 1 HOURS;
unsigned long ip_ct_tcp_timeout_fin_wait = 1 MINS;
unsigned long ip_ct_tcp_timeout_close_wait = 50 SECS;
unsigned long ip_ct_tcp_timeout_last_ack = 20 SECS;
unsigned long ip_ct_tcp_timeout_time_wait = 4 MINS;
unsigned long ip_ct_tcp_timeout_close = 10 SECS;

Of course, everyone can tune these at their own discretion and according to the needs of their network.

As for “iptables”, we should simply limit the number of connections to high ports, applying a “-j REJECT” or “-j DROP” rule. Personally, in this case I would recommend “-j DROP”, because “-j REJECT” notifies the P2P application that the connection could not be established, whereupon it immediately opens the next one, and so on, whereas with “-j DROP” it has to wait for the timeout

${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 1024:65535 -m connlimit --connlimit-above 20 -j DROP
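Before picking the connlimit threshold it helps to see which LAN hosts actually hold many connections to high ports. The script below is an added example, not part of the original post: high_port_conns is a hypothetical helper that counts, per source host, the TCP conntrack entries whose original-direction destination port is 1024 or above, and the sample table is constructed to stand in for /proc/net/ip_conntrack.

```sh
#!/bin/sh
# Count per-host TCP conntrack entries toward high ports (1024-65535), the same
# population that the connlimit rule above caps. Hypothetical helper, not from
# the original post. Keys on the first "src=" and "dport=" tokens, so it reads
# /proc/net/ip_conntrack (2.4/2.6) and /proc/net/nf_conntrack lines alike.

# Constructed sample lines standing in for the live conntrack table.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=6881 src=203.0.113.5 dst=198.51.100.1 sport=6881 dport=51234 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.6 sport=51235 dport=6882 src=203.0.113.6 dst=198.51.100.1 sport=6882 dport=51235 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.7 sport=51236 dport=443 src=203.0.113.7 dst=198.51.100.1 sport=443 dport=51236 [ASSURED] use=1
tcp      6 115 TIME_WAIT src=192.168.1.10 dst=203.0.113.8 sport=51237 dport=30000 src=203.0.113.8 dst=198.51.100.1 sport=30000 dport=51237 [ASSURED] use=1
udp      17 29 src=192.168.1.11 dst=203.0.113.9 sport=4000 dport=6000 src=203.0.113.9 dst=198.51.100.1 sport=6000 dport=4000 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=203.0.113.10 sport=40000 dport=8080 src=203.0.113.10 dst=198.51.100.1 sport=8080 dport=40000 [ASSURED] use=1'

# high_port_conns <threshold>: reads conntrack lines on stdin and prints
# "count src" for every host with more than <threshold> TCP entries to a
# high destination port, most connections first.
high_port_conns() {
    threshold="$1"
    awk -v thr="$threshold" '
        $1 == "tcp" || $3 == "tcp" {
            src = ""; dport = 0
            # the first src= / dport= pair describes the original direction
            if (match($0, /src=[^ ]+/)) src = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /dport=[0-9]+/)) dport = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (src != "" && dport >= 1024) n[src]++
        }
        END { for (s in n) if (n[s] > thr) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Against the live table this would be:  high_port_conns 20 < /proc/net/ip_conntrack
# On the sample above, "high_port_conns 1" reports only 192.168.1.10 (3 entries).
```

A host reported here is one the connlimit rule above would start dropping once its count passes --connlimit-above, so running this first shows how strict the chosen threshold is for the actual LAN.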
