Fedora Networking :: Limit Outbound TCP Connections To Single IP?
Oct 19, 2009
I'm having a problem that seems to plague a lot of people judging from my research on the web. I have a hosting provider that limits the number of incoming connections to the shared host to 50 per IP.
I have a single IP for outbound connections and I use Squid as a proxy server.
Lately I've tripped across the 50 connection limit frequently - and that's with only 1 user. It seems the problem is related to the performance you can get out of a desktop these days. It's not impossible to have several browsers open with several connections to different sites on the same server - and boom - locked out!
So it occurred to me that there must be some way to limit the number of outbound connections in the kernel - but I've not found it. I did find that Microsoft had been limiting the number of outbound connections in XP to 10 to address the virus problem, and I've found countless hosting complaints and dialog on the subject with no easy solution.
So my question is simply, does anyone know how to limit the number of OUTBOUND connections to a single IP in the kernel?
How to limit the number of connections for a single IP on port 80 on CentOS 5.5 with iptables? connlimit did not work on CentOS and nginx does not provide a module for that.
I have a problem on a VPS running openSUSE. When I enable the firewall, outbound connections stop working. I have tried everything I know (not much when it comes to firewalls (iptables)) but could not solve this.
I'm having an issue where a server in CA (1000/full) and in VA (100/full) have very lopsided data transfer.
CA -> VA with iperf shows ~20Mbps
VA -> CA with iperf shows ~93Mbps
If we change the CA server to 100/FULL, transfer speed is 93Mbps both ways.
Some tuning was done to TCP window scaling parameters, but it won't correct the issue, just improve the CA -> VA numbers to what is listed above. I will say, turning TCP window scaling OFF will lower the transfer speed both ways to < 20Mbps.
The only clue I have when looking at wireshark dumps is that the window scale going OUT would never go past 10240 (scale is 8, so 2^8 x 40bytes). In the opposite direction, the window size will go above 3MB (scaled).
It is not a bandwidth problem as iperf with UDP shows 93Mbps both ways. Local transfers (CA 1000/full to CA 100/full) show full speed both ways, so I feel it is strictly related to TCP window scaling.
RedHat 5 64-bit on both sides. Any ideas why it won't scale above 10240?
(CentOS 5.5 x86_64 with cPanel) I am trying to set up a PHP script.
The script requires an outbound connection to project honeypot and when I go to the honeypot.php on my server I get an error asking if outbound connections are disabled.
They could be...I am not sure where to check, I have checked csf and outbound tcp is allowed on port 80, but I am not sure if I should be looking somewhere else.
Obviously I don't want to make the server insecure, so I am wondering how I can allow this outbound connection.
I want to prevent code from making http connections to other, specific hosts. My understanding is this can be done in /etc/hosts.deny. What would that look like?
Is it possible to limit the SSH connections using iptables, like per day only a minimum of 10 SSH connections can be allowed, or is there any other way to limit the SSH connections?
I need to limit the number of ssh connections a user has. All the users are using tunnels only, so their shell is set to /sbin/nologin. The logins do not open a shell, they just create the tunnel, so /etc/security/limits.conf has no effect on them at all.
I tried setting 'MaxSessions 1' in sshd_config, but either that doesn't do what I expect it to or it plain does not work, as even with a normal user I was able to open an unlimited number of sessions. I need a good secure way to limit each user to 1 ssh session without them having a shell, but I'm unable to find a solution.
Except, is there a way to enhance mod_limitipconn.c to ensure that, apart from restricting to one connection allowed from a given IP, it can also be set so that an IP can only connect every set interval? E.g. restrict the number of connections from a given source IP to say once every 5 minutes or so? If not mod_limitipconn.c, is there any other mechanism to get the expected result?
Looking at the output of netstat, I'm not seeing a definitive way to tell which torrent connections are clients reaching in to my machine vs my machine reaching out to the world. Is there a clear way to determine which is which?
apache virtual host to limit the concurrent connections of virtual hosts? Taking into account the host of each virtual user's home directory can also have more than one subdirectory, which should be restricted to a subdirectory. Is beyond the control of the operation of these sites in a subdirectory. Best local restrictions or limitations to the overall situation.
Is there a way to configure my interface in promisc mode and also make it not capture the "transmitted" packets? I mean, I want the interface in promisc mode but only for inbound traffic. If there isn't any way using ifconfig, can it be done by configuring eth0 to promisc using ifconfig, and filtering outbound traffic from being captured using sockets or something?
I recently installed Fedora 15 now, and during installation I set the internet connection manually, then did update and after reboot, the internet connection settings have been removed. Now I can not set because the network connection to the Internet Connection is inactive. I mention that before the update was functional internet connection.
I've read up some of the posts on this forum, but can't seem to find an answer. I have a web service within an Apache Tomcat instance installed on a Redhat linux server. I only have shell access to the server, and need to monitor outbound network traffic from my web service. Is there a unix command that will allow me to monitor all outbound traffic? I'm thinking fiddler, but a unix version? I've heard of things like ntop and iptraf, but I don't think those will help me in this instance.
I just installed Fedora 14 on a hard disk of my PC. I installed MySQL also. I don't know if this is the correct site for my question, but nobody MySQL related has an answer yet. For MySQL to accept remote connections, the my.cnf file must be edited (bind-address line or skip-networking line in that file). Well, that file in my Fedora-MySQL installation does not have such lines, so I assume TCP/IP connections are allowed in MySQL. When I try to connect to the MySQL server it refuses the connection with error 2003, which in short means no TCP/IP connections are allowed. I disabled the firewall and retried but with no success, enabled the firewall again, and nothing happened. Is Fedora not accepting TCP/IP connections?
Once I updated, there were no connections to the Internet in the GUI, while it's available in the TUI. So it's weird, huh? Before updating, it was available both in TUI and GUI, though all the time the network-manager showed no connection; in fact, there was one in both GUI and CUI. Now I updated, and it can't access the Internet from the GUI.
Latest kernel update since Fedora 2.6.33 are mapping all my NFS "shares" twice (two sets of icons, etc.). All work, but why is this happening - was fine previously.
OK, so the router works in Windows and I know the config details of it. I can see other wifi access points in the area but not my one. I have tried joining it as a "hidden network" to no avail. Is there any reason why Fedora would not detect my own wifi when it detects substantially weaker signals instead?
Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this to happen by creating a permissive domain for sshd with this command:
Code:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Code:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
I have a question regarding the use of two internet connections on the same server. So, the thing is like this: the server will have 3 network adapters:
eth0 ----> connected to a DSL modem (on this adapter I have one of the internet connections, a PPPoE connection). Its only purpose is to share the internet connection to all LAN users using SNAT.
eth1 ----> the other internet connection, a much more expensive one actually, used for hosting a website, a domain name server, and a qmail server.
eth2 ----> LAN connection
So what I want is to make eth1 the "default gateway" (for outgoing mail, DNS requests, etc.) and, as I said, use the ppp0 connection on eth0 only for internet sharing in the LAN.
My question is (since I'll configure this server in about one week), does anybody have any suggestions regarding how I could accomplish this? I mean, I'm afraid that ppp0 will also try to use the default gateway from the other internet connection and vice versa. Now, I know I can use the ip route/ip rule commands, but for many reasons I'd like to keep it simple and not use them.
On a Fedora 11 machine, I configured ppp0 on eth0 and ppp1 on eth1, each one connected to a modem, and I also defined ppp0 as the default gateway. Should I do anything else to load balance the 2 connections, or will ppp1 take some of the load by default? Should I add any other routing rules? If yes, then please tell me what I should add, keeping in mind that for each PPPoE connection both the PPPoE address and the remote address are not static, so I actually needed some scripting to change the default gateway each time the remote PPPoE address changes.
I have two internet connections. One is wired ADSL Broadband & another is USB EVDO modem. I can use only one source at a time. That means the traffic will pass through either ADSL or EVDO. Other connection just sits idle. I want to use both the connections together so that I will have increased bandwidth. Is there a way to do that?
My computer has one NIC card. Both ADSL & EVDO use dynamic IPs.
Just moved over from the dark side (Vista) and was wondering how I can get two (or more) PPTP VPNs connected at any given time. I usually attempt to multitask (although swambo says I can't) and work on various clients' servers at the same time. The GUI network manager thingy only allows me to dial up one VPN at a time. Is there perhaps a CLI version, and if so, where would I go to get a tutorial on this please? BTW, running F11 32bit. Tried Debian and Ubuntu as well and found F11 to be blindingly fast on my DualCore Toshiba laptop. Pity I can't see the additional 1Gb of RAM though (4Gb in total).
I have a problem with my network-manager in Ubuntu 10.10. When I dial one of my VPN connections, my other VPN connections get disabled and I can't use them! I tried to restart network-manager and gnome-panel, but it doesn't seem to solve this problem.
[bee@localhost ~]$ ulimit -a | grep files
open files (-n) 1024
That open files value is set to 1024, but is it valid only for real files ("file handles/descriptors" of files on your filesystems: hd partitions / cdrom / floppy / usb devices) or does it also count network/socket connections? I'm just asking without a reason. It's just curiosity ... as you can see sockets with lsof, somebody like me could think connections are counted as if they were "files" by ulimit too.
I got 2 ADSL accounts from a provider, so I decided to configure a server as a gateway for my other PCs. I created the ppp0 device using pppoe-setup over eth0. Then I configured the second one as ppp1 over eth2 to the second modem. When I finished, I used ifconfig to check the settings and I got only ppp0 and didn't see ppp1. I tried to ifup ppp1 but I still get one device with ifconfig. The adsl-start command starts only ppp0. What should I do to get the 2 lines to work simultaneously? Are there any configuration files that need to be edited?
My current network setup at home is all wired, and that's worked for me so far. Now I want to set up a wireless connection on my Linux box that I can connect to with both my laptop and my Nintendo DS. I'd like to be able to host a wireless network from the Linux box, connect to it with some other wireless device, and have the wireless device communicate with the router, the internet, and other computers on the wired network. I have the wired network set up (statically configured) as eth0. Other network adapters present on the system are eth1 (not in use) and wlan0, wlan1, and wlan2 (identical cards, remnants from the last time I experimented with wireless).
So I guess my question comes in two parts: 1) How do I set up wlan0 such that it can host? Is Ad-hoc mode okay for this, or do I need to set it up in Master mode? 2) How do I forward connections between the wireless net and the router? Note that I will be using WEP, as it is all that the NDS supports. I'd like to set up MAC filtering as well, but not until after I get something that works.
I want to write a custom rule to allow all connections to the ip addresses on my local network (192.168.2.2 through ...99) but I don't know how. I know adding a custom rule asks me to read a file and put it in "iptables" format, but I don't know how...