wiki:limitConnections

Version 2 (modified by niles, 2 years ago)

--

Limiting the number of connections from any one IP address

Thanks to Jennifer Spencer for referring me to the page:

https://access.redhat.com/solutions/396273

which essentially answers this question.

Sometimes a client will open a large number of parallel downloads of SDO data at once, which can starve other users of the server. It is therefore useful to cap the number of simultaneous connections any single IP address may hold. To do this, edit the file:

 /etc/sysconfig/iptables

And add something like this:

 # Limit to 5 per IP on port 80
 -A RH-Firewall-1-INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP

That limits the number of simultaneous connections from any one IP to port 80 to 5: connlimit counts the connections the kernel's connection tracking already holds from that source address (the default mask is a single address, /32; --connlimit-mask 24 would apply the limit per /24 instead), and --syn restricts the match to new connection attempts, so the sixth and later SYNs from an address that already has 5 open connections are dropped while its existing connections are left alone. Two things to keep in mind. First, iptables evaluates rules in order, so this rule must come before whatever rule in the chain accepts traffic to port 80; placed after it, it never matches. Second, DROP makes the client wait for its SYN retransmissions to time out; -j REJECT --reject-with tcp-reset refuses the extra connection immediately instead, which is usually friendlier to well-behaved clients. Note also that a threshold of 5 is tight for a general web server, since browsers open several connections per host and users behind NAT share one address; it is reasonable for a bulk data endpoint.

Then restart iptables so the ruleset is reloaded from the file:

 # service iptables restart

Afterwards, confirm that the rule was loaded and sits above the rule accepting port 80 by listing the chain with iptables -L RH-Firewall-1-INPUT -n -v --line-numbers; the packet counter on the connlimit rule shows whether it is ever hit. Do not run "service iptables save" at this point unless the rule was also added to the running ruleset by hand, since that overwrites the file with whatever is currently loaded.
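Before settling on a threshold it helps to see how many concurrent port-80 connections each peer actually holds today. The following is an added example, not code from the original page or from the Red Hat article: a small POSIX shell script that parses the output of ss -tn state established '( sport = :80 )' (with a state filter ss omits the State column, so the peer address is the last field) and lists peers that would already be over a given --connlimit-above value. The embedded sample output is constructed; on a live host pipe the real ss output in instead. The count is only an approximation of what connlimit sees, since connlimit counts connection-tracking entries rather than sockets.

```shell
#!/bin/sh
# Added example: survey per-IP concurrency on port 80 before choosing a
# connlimit threshold. Not part of the original wiki page.

# Constructed sample in the layout of `ss -tn state established '( sport = :80 )'`:
# Recv-Q Send-Q Local Address:Port Peer Address:Port (no State column).
SAMPLE_SS='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      10.0.0.5:80        198.51.100.7:51234
0      0      10.0.0.5:80        198.51.100.7:51235
0      0      10.0.0.5:80        198.51.100.7:51236
0      0      10.0.0.5:80        198.51.100.7:51237
0      0      10.0.0.5:80        198.51.100.7:51238
0      0      10.0.0.5:80        198.51.100.7:51239
0      0      10.0.0.5:80        203.0.113.9:40001
0      0      10.0.0.5:80        203.0.113.9:40002
0      0      10.0.0.5:80        192.0.2.33:33000
0      0      [2001:db8::1]:80   [2001:db8::2]:44000'

# per_ip_counts: read ss output on stdin, print "count peer-address" per
# peer, highest count first. The peer is the last field; the port suffix is
# stripped and IPv6 brackets removed so v4 and v6 peers are handled alike.
per_ip_counts() {
    awk 'NR > 1 {
            peer = $NF
            sub(/:[0-9]+$/, "", peer)
            gsub(/\[|\]/, "", peer)
            n[peer]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# over_limit LIMIT: print peers whose current connection count already
# exceeds LIMIT, i.e. those the rule --connlimit-above LIMIT would start
# dropping new SYNs from.
over_limit() {
    per_ip_counts | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Live use: ss -tn state established '( sport = :80 )' | over_limit 5
printf '%s\n' "$SAMPLE_SS" | per_ip_counts
echo "--- over the limit of 5 ---"
printf '%s\n' "$SAMPLE_SS" | over_limit 5
```

Run the survey a few times across a busy period; if ordinary clients routinely show up with four or five connections, raise the threshold rather than dropping their traffic, and keep the limit aimed at the bulk downloaders the rule is meant for.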

Here is an example of that file (unrelated rules elided):

# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [378096909:36912540108]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
.
.
.
.
# Limit to 5 per IP on port 80
-A RH-Firewall-1-INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j DROP
.
.
.
.
COMMIT