iptables and connection limit

Linux Kernel, Network, and Services configuration.
jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

iptables and connection limit

#1 Post by jasonnix »

Hello,
I have a shadowsocks proxy running on port 1080 and I want only two IP addresses to be able to connect to this port at the same time. I used the following rule:

# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 --connlimit-mask 0 -j REJECT
But, it didn't work. No one can connect to shadowsocks proxy and use the internet. Any idea?

Thank you.

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: iptables and connection limit

#2 Post by C4H7Cl2O4P »

1) iptables -L

2) Why do you use "--connlimit-mask 0" ?
https://www.linuxquestions.org/question ... 175538254/

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Re: iptables and connection limit

#3 Post by jasonnix »

C4H7Cl2O4P wrote: 2024-02-14 16:49 1) iptables -L

2) Why do you use "--connlimit-mask 0" ?
https://www.linuxquestions.org/question ... 175538254/
Hi,
Thanks.
1- My only iptables rule is the one I wrote above.

2- I also used --connlimit-mask 32, but the result is the same. I think this command is based on session and not IP address. When I change the number 2 to 20, the client can access the Internet through the proxy.

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: iptables and connection limit

#4 Post by C4H7Cl2O4P »

jasonnix wrote: 2024-02-14 18:18 2- I also used --connlimit-mask 32, but the result is the same.
I guess you don't need --connlimit-mask in your rule.
jasonnix wrote: 2024-02-14 18:18 ... I think this command is based on session and not IP address. ...
Why do you think so ?
jasonnix wrote: 2024-02-14 18:18 When I change the number 2 to 20, the client can access the Internet through the proxy.
What does netstat tell you ?

lindi
Debian Developer
Posts: 452
Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 88 times

Re: iptables and connection limit

#5 Post by lindi »

C4H7Cl2O4P wrote: 2024-02-15 20:20
jasonnix wrote: 2024-02-14 18:18 2- I also used --connlimit-mask 32, but the result is the same.
I guess you don't need --connlimit-mask in your rule.
jasonnix wrote: 2024-02-14 18:18 ... I think this command is based on session and not IP address. ...
Why do you think so ?
jasonnix wrote: 2024-02-14 18:18 When I change the number 2 to 20, the client can access the Internet through the proxy.
What does netstat tell you ?
I think the more relevant connection list can be seen with

conntrack -L
Also netstat has been replaced by

ss
in the default installation.

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Re: iptables and connection limit

#6 Post by jasonnix »

C4H7Cl2O4P wrote: 2024-02-15 20:20
jasonnix wrote: 2024-02-14 18:18 2- I also used --connlimit-mask 32, but the result is the same.
I guess you don't need --connlimit-mask in your rule.
jasonnix wrote: 2024-02-14 18:18 ... I think this command is based on session and not IP address. ...
Why do you think so ?
jasonnix wrote: 2024-02-14 18:18 When I change the number 2 to 20, the client can access the Internet through the proxy.
What does netstat tell you ?
Hello,
I removed --connlimit-mask from my rule:

# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 1 --connlimit-daddr -j REJECT
#
# iptables-save 
# Generated by iptables-save v1.8.9 (nf_tables) on Sat Feb 17 11:38:57 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7070 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 1 --connlimit-mask 32 --connlimit-daddr -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Feb 17 11:38:57 2024
And:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:7070 flags:FIN,SYN,RST,ACK/SYN #conn dst/32 > 1 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
I changed the port to 7070. The ss command tells:

# ss -tupln
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   Process                              
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*       users:(("dhclient",pid=495,fd=7))   
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*       users:(("dhclient",pid=494,fd=7))   
tcp     LISTEN   0        128              0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=599,fd=3))       
tcp     LISTEN   0        4096           127.0.0.1:9050           0.0.0.0:*       users:(("tor",pid=604,fd=6))        
tcp     LISTEN   0        128                 [::]:22                [::]:*       users:(("sshd",pid=599,fd=4))       
tcp     LISTEN   0        4096                   *:7070                 *:*       users:(("v2ray",pid=683,fd=7))    
What is your opinion?

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: iptables and connection limit

#7 Post by C4H7Cl2O4P »

jasonnix wrote: 2024-02-17 08:16

# ss -tupln
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   Process                              
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*       users:(("dhclient",pid=495,fd=7))   
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*       users:(("dhclient",pid=494,fd=7))   
tcp     LISTEN   0        128              0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=599,fd=3))       
tcp     LISTEN   0        4096           127.0.0.1:9050           0.0.0.0:*       users:(("tor",pid=604,fd=6))        
tcp     LISTEN   0        128                 [::]:22                [::]:*       users:(("sshd",pid=599,fd=4))       
tcp     LISTEN   0        4096                   *:7070                 *:*       users:(("v2ray",pid=683,fd=7))    
What is your opinion?
No connection installed.
jasonnix wrote: 2024-02-17 08:16

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:7070 flags:FIN,SYN,RST,ACK/SYN #conn dst/32 > 1 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
What is your opinion?
REJECT TCP traffic from ANYWHERE to ANYWHERE through port 7070 with reason ICMP-PORT-UNREACHABLE

Hallvor
Global Moderator
Posts: 2044
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 151 times
Been thanked: 212 times

Re: iptables and connection limit

#8 Post by Hallvor »

Try this: Allow the two IPs

# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address1> -j ACCEPT
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address2> -j ACCEPT

Only allow two connections to port 1080, reject everything else:

# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 -j REJECT
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
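To make the behaviour reported in posts #1, #3, #6 and #8 concrete, here is an added Python model of how connlimit counts and how an INPUT chain is evaluated with first match winning; it is constructed for this thread, not code from the forum or from netfilter, and the addresses are documentation-range samples. The point it shows is that --connlimit-above N caps tracked connections per masked group, not distinct client IPs, so a shadowsocks client that opens one TCP connection per proxied stream uses up a limit of 2 on its own, and with --connlimit-daddr every client shares the server's single group.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    """One tracked TCP connection, as conntrack -L would list it."""
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    """One INPUT rule: -p tcp --dport <dport> [-s <src>] [-m connlimit ...] -j <target>."""
    target: str                  # ACCEPT or REJECT
    dport: int
    src: Optional[str] = None    # -s <addr>; None means any source
    above: Optional[int] = None  # --connlimit-above N; None means no connlimit match
    mask: int = 32               # --connlimit-mask; IPv4 default is 32 (one group per source)
    daddr: bool = False          # --connlimit-daddr: group by destination instead of source

def group(addr: str, mask: int) -> ipaddress.IPv4Network:
    """Addresses in the same /mask block are counted together; mask 0 is one group for everyone."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def connlimit_matches(rule: Rule, new: Conn, existing: list) -> bool:
    """connlimit counts tracked connections in the new connection's group, the new one
    included, and matches when that count exceeds --connlimit-above."""
    pick = (lambda c: c.dst) if rule.daddr else (lambda c: c.src)
    key = group(pick(new), rule.mask)
    same = [c for c in existing if c.dport == rule.dport and group(pick(c), rule.mask) == key]
    return len(same) + 1 > rule.above

def verdict(chain: list, new: Conn, existing: list, policy: str = "ACCEPT") -> str:
    """First matching rule wins; if nothing matches, the chain policy applies (INPUT ACCEPT here)."""
    for r in chain:
        if new.dport != r.dport or (r.src is not None and new.src != r.src):
            continue
        if r.above is not None and not connlimit_matches(r, new, existing):
            continue
        return r.target
    return policy

# Constructed sample: client A already holds two proxied streams to the server.
SERVER, CLIENT_A, CLIENT_B = "198.51.100.1", "203.0.113.10", "203.0.113.20"
TWO_STREAMS = [Conn(CLIENT_A, SERVER, 1080), Conn(CLIENT_A, SERVER, 1080)]
OP_RULE = [Rule("REJECT", 1080, above=2, mask=0)]          # post #1: --connlimit-mask 0
PER_IP_RULE = [Rule("REJECT", 1080, above=2, mask=32)]     # post #3: --connlimit-mask 32
DADDR_RULE = [Rule("REJECT", 7070, above=1, daddr=True)]   # post #6: --connlimit-above 1 --connlimit-daddr
ALLOWLIST = [Rule("ACCEPT", 1080, src=CLIENT_A), Rule("ACCEPT", 1080, src=CLIENT_B), Rule("REJECT", 1080, above=2)]
```

The model evaluates only the first packet of a new connection, which is what the --syn form of the rule sees; a rule without --syn is consulted for every packet, but the group count is the same.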

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Re: iptables and connection limit

#9 Post by jasonnix »

C4H7Cl2O4P wrote: 2024-02-18 11:42
jasonnix wrote: 2024-02-17 08:16

# ss -tupln
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port   Process                              
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*       users:(("dhclient",pid=495,fd=7))   
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*       users:(("dhclient",pid=494,fd=7))   
tcp     LISTEN   0        128              0.0.0.0:22             0.0.0.0:*       users:(("sshd",pid=599,fd=3))       
tcp     LISTEN   0        4096           127.0.0.1:9050           0.0.0.0:*       users:(("tor",pid=604,fd=6))        
tcp     LISTEN   0        128                 [::]:22                [::]:*       users:(("sshd",pid=599,fd=4))       
tcp     LISTEN   0        4096                   *:7070                 *:*       users:(("v2ray",pid=683,fd=7))    
What is your opinion?
No connection installed.
jasonnix wrote: 2024-02-17 08:16

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:7070 flags:FIN,SYN,RST,ACK/SYN #conn dst/32 > 1 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
What is your opinion?
REJECT TCP traffic from ANYWHERE to ANYWHERE through port 7070 with reason ICMP-PORT-UNREACHABLE
Hello,
As I said, no one can connect to the server. How can I solve it?
Last edited by jasonnix on 2024-02-20 06:19, edited 1 time in total.

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Re: iptables and connection limit

#10 Post by jasonnix »

Hallvor wrote: 2024-02-18 12:10 Try this: Allow the two IPs

# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address1> -j ACCEPT
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address2> -j ACCEPT

Only allow two connections to port 1080, reject everything else:

# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 -j REJECT
Hello,
Thank you so much for your reply.
Your rules don't apply in my scenario because I don't know the IP addresses that are supposed to connect to the server. Also, your rules can be summarized as follows:

# iptables -A INPUT -m state --state NEW -p tcp --dport 1080 -s "IP_Address1","IP_Address2" -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 1080 -j DROP

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: iptables and connection limit

#11 Post by C4H7Cl2O4P »

jasonnix wrote: 2024-02-20 06:14 As I said, no one can connect to the server. How can I solve it?
Try to set a rule to ACCEPT connection and move your existing rule to reject after it.

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Re: iptables and connection limit

#12 Post by jasonnix »

C4H7Cl2O4P wrote: 2024-02-22 14:26
jasonnix wrote: 2024-02-20 06:14 As I said, no one can connect to the server. How can I solve it?
Try to set a rule to ACCEPT connection and move your existing rule to reject after it.
Hi,
Thanks again.
Do you mean something like below?

# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 2 --connlimit-daddr -j ACCEPT

C4H7Cl2O4P
Posts: 12
Joined: 2023-09-19 23:38

Re: iptables and connection limit

#13 Post by C4H7Cl2O4P »

jasonnix wrote: 2024-02-22 20:35
C4H7Cl2O4P wrote: 2024-02-22 14:26 Try to set a rule to ACCEPT connection and move your existing rule to reject after it.
Do you mean something like below?

# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 2 --connlimit-daddr -j ACCEPT
I'm not sure.
You have accepting input policy...
Pay attention to the port. It was 1080 before and now it is 7070.
Sorry, I can not tell you more. I'm done.
