jasonnix
Posts: 27 Joined: 2023-12-04 11:30
Has thanked: 1 time
#1
Post
by jasonnix » 2024-02-14 15:16
Hello,
I have a shadowsocks proxy running on port 1080 and I want only two IP addresses to be able to connect to this port at the same time. I used the following rule:
Code:
# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 --connlimit-mask 0 -j REJECT
But, it didn't work. No one can connect to shadowsocks proxy and use the internet. Any idea?
Thank you.
jasonnix
Posts: 27 Joined: 2023-12-04 11:30
Has thanked: 1 time
#3
Post
by jasonnix » 2024-02-14 18:18
Hi,
Thanks.
1- My only iptables rule is the one I wrote above.
2- I also used --connlimit-mask 32, but the result is the same. I think this command is based on session and not IP address. When I change the number 2 to 20, the client can access the Internet through the proxy.
C4H7Cl2O4P
Posts: 12 Joined: 2023-09-19 23:38
#4
Post
by C4H7Cl2O4P » 2024-02-15 20:20
jasonnix wrote: ↑ 2024-02-14 18:18
2- I also used --connlimit-mask 32, but the result is the same.
I guess you don't need --connlimit-mask in your rule.
jasonnix wrote: ↑ 2024-02-14 18:18
... I think this command is based on session and not IP address. ...
Why do you think so?
jasonnix wrote: ↑ 2024-02-14 18:18
When I change the number 2 to 20, the client can access the Internet through the proxy.
What does netstat tell you?
lindi
Debian Developer
Posts: 452 Joined: 2022-07-12 14:10
Has thanked: 1 time
Been thanked: 88 times
#5
Post
by lindi » 2024-02-15 20:37
C4H7Cl2O4P wrote: ↑ 2024-02-15 20:20
jasonnix wrote: ↑ 2024-02-14 18:18
2- I also used --connlimit-mask 32, but the result is the same.
I guess you don't need --connlimit-mask in your rule.
jasonnix wrote: ↑ 2024-02-14 18:18
... I think this command is based on session and not IP address. ...
Why do you think so?
jasonnix wrote: ↑ 2024-02-14 18:18
When I change the number 2 to 20, the client can access the Internet through the proxy.
What does netstat tell you?
I think the more relevant connection list can be seen with
Also netstat has been replaced by
in the default installation.
jasonnix
Posts: 27 Joined: 2023-12-04 11:30
Has thanked: 1 time
#6
Post
by jasonnix » 2024-02-17 08:16
C4H7Cl2O4P wrote: ↑ 2024-02-15 20:20
jasonnix wrote: ↑ 2024-02-14 18:18
2- I also used --connlimit-mask 32, but the result is the same.
I guess you don't need --connlimit-mask in your rule.
jasonnix wrote: ↑ 2024-02-14 18:18
... I think this command is based on session and not IP address. ...
Why do you think so?
jasonnix wrote: ↑ 2024-02-14 18:18
When I change the number 2 to 20, the client can access the Internet through the proxy.
What does netstat tell you?
Hello,
I removed --connlimit-mask from my rule:
Code:
# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 1 --connlimit-daddr -j REJECT
#
# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Sat Feb 17 11:38:57 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7070 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 1 --connlimit-mask 32 --connlimit-daddr -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Feb 17 11:38:57 2024
And:
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:7070 flags:FIN,SYN,RST,ACK/SYN #conn dst/32 > 1 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I changed the port to 7070. The ss command tells:
Code:
# ss -tupln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=495,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=494,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=599,fd=3))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=604,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=599,fd=4))
tcp LISTEN 0 4096 *:7070 *:* users:(("v2ray",pid=683,fd=7))
What is your opinion?
C4H7Cl2O4P
Posts: 12 Joined: 2023-09-19 23:38
#7
Post
by C4H7Cl2O4P » 2024-02-18 11:42
jasonnix wrote: ↑ 2024-02-17 08:16
Code:
# ss -tupln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=495,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=494,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=599,fd=3))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=604,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=599,fd=4))
tcp LISTEN 0 4096 *:7070 *:* users:(("v2ray",pid=683,fd=7))
What is your opinion?
No connection installed.
jasonnix wrote: ↑ 2024-02-17 08:16
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:7070 flags:FIN,SYN,RST,ACK/SYN #conn dst/32 > 1 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What is your opinion?
REJECT TCP traffic from ANYWHERE to ANYWHERE through port 7070 with reason ICMP-PORT-UNREACHABLE
Hallvor
Global Moderator
Posts: 2044 Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 151 times
Been thanked: 212 times
#8
Post
by Hallvor » 2024-02-18 12:10
Try this: Allow the two IPs
Code:
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address1> -j ACCEPT
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address2> -j ACCEPT
Only allow two connections to port 1080, reject everything else:
Code:
# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 -j REJECT
jasonnix
Posts: 27 Joined: 2023-12-04 11:30
Has thanked: 1 time
#9
Post
by jasonnix » 2024-02-20 06:14
C4H7Cl2O4P wrote: ↑ 2024-02-18 11:42
jasonnix wrote: ↑ 2024-02-17 08:16
Code:
# ss -tupln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=495,fd=7))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=494,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=599,fd=3))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=604,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=599,fd=4))
tcp LISTEN 0 4096 *:7070 *:* users:(("v2ray",pid=683,fd=7))
What is your opinion?
No connection installed.
jasonnix wrote: ↑ 2024-02-17 08:16
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:7070 flags:FIN,SYN,RST,ACK/SYN #conn dst/32 > 1 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What is your opinion?
REJECT TCP traffic from ANYWHERE to ANYWHERE through port 7070 with reason ICMP-PORT-UNREACHABLE
Hello,
As I said, no one can connect to the server. How can I solve it?
jasonnix
Posts: 27 Joined: 2023-12-04 11:30
Has thanked: 1 time
#10
Post
by jasonnix » 2024-02-20 06:18
Hallvor wrote: ↑ 2024-02-18 12:10
Try this: Allow the two IPs
Code:
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address1> -j ACCEPT
# iptables -A INPUT -p tcp --dport 1080 -s <IP_Address2> -j ACCEPT
Only allow two connections to port 1080, reject everything else:
Code:
# iptables -A INPUT -p tcp --dport 1080 -m connlimit --connlimit-above 2 -j REJECT
Hello,
Thank you so much for your reply.
Your rules don't apply in my scenario because I don't know the IP addresses that are supposed to connect to the server. Also, your rules can be summarized as follows:
Code:
# iptables -A INPUT -m state --state NEW -p tcp --dport 1080 -s "IP_Address1","IP_Address2" -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 1080 -j DROP
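To make the behaviour discussed across this thread reproducible offline, here is an added Python model of first-match chain evaluation with a connlimit match. It is not code from any of the posts and not the kernel's xt_connlimit; it encodes two facts about the real match: connlimit counts concurrent connections (conntrack entries, including the one being evaluated) grouped by the source address under --connlimit-mask, or by the destination under --connlimit-daddr, and never counts distinct client IPs, so one browser opening several parallel connections through a proxy trips --connlimit-above 2 on its own; and a chain is walked top to bottom with the first matching rule deciding, the policy applying only when nothing matches. The model replays the mask-0 rule from posts #1 and #3, the --connlimit-daddr rule from post #6, the allow-then-limit ordering from post #8 and the allow-then-drop rewrite from post #10. All addresses, ports and the helper names (Conn, Rule, evaluate, simulate, opens) are assumptions constructed here.

```python
"""Added model of iptables first-match evaluation with -m connlimit.

Not the kernel implementation: it mimics how xt_connlimit groups and counts
connections so the thread's observations can be reproduced without root or
a firewall. Addresses and ports are constructed from documentation ranges.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Conn:
    """One TCP connection attempt (a SYN), keyed like a conntrack tuple."""
    saddr: str
    daddr: str
    sport: int
    dport: int


@dataclass
class Rule:
    target: str                                   # ACCEPT, REJECT or DROP
    dport: int                                    # --dport
    saddr: Set[str] = field(default_factory=set)  # -s (empty = any source)
    limit_above: Optional[int] = None             # --connlimit-above N (None = no connlimit)
    mask: int = 32                                # --connlimit-mask (iptables default 32)
    use_daddr: bool = False                       # --connlimit-daddr


def connlimit_matches(rule: Rule, new: Conn, established: List[Conn]) -> bool:
    """True when this connection would push its group's count above the limit.

    The group is every open connection to the same port whose key address
    (source, or destination with --connlimit-daddr) lies in the same /mask
    prefix as the new connection. Mask 0 puts every address in one group;
    mask 32 makes one group per address. The new connection itself counts.
    """
    key = "daddr" if rule.use_daddr else "saddr"
    net = ip_network(f"{getattr(new, key)}/{rule.mask}", strict=False)
    count = sum(1 for c in established
                if c.dport == rule.dport and ip_address(getattr(c, key)) in net)
    return count + 1 > rule.limit_above


def evaluate(chain: List[Rule], policy: str, new: Conn, established: List[Conn]) -> str:
    """Walk the chain; the first rule whose matches all succeed gives the verdict."""
    for rule in chain:
        if rule.dport != new.dport:
            continue
        if rule.saddr and new.saddr not in rule.saddr:
            continue
        if rule.limit_above is not None and not connlimit_matches(rule, new, established):
            continue
        return rule.target
    return policy


def simulate(chain: List[Rule], policy: str, attempts: List[Conn]) -> List[str]:
    """Replay SYNs in order; accepted ones stay open and count for later ones."""
    established: List[Conn] = []
    verdicts: List[str] = []
    for conn in attempts:
        verdict = evaluate(chain, policy, conn, established)
        verdicts.append(verdict)
        if verdict == "ACCEPT":
            established.append(conn)
    return verdicts


SERVER = "198.51.100.5"                                        # constructed
CLIENT_A, CLIENT_B, STRANGER = "203.0.113.10", "203.0.113.20", "203.0.113.30"


def opens(client: str, n: int, dport: int = 1080) -> List[Conn]:
    """n parallel connections from one client, as a browser behind a proxy makes."""
    return [Conn(client, SERVER, 50000 + i, dport) for i in range(n)]


# Post #1: single REJECT rule, --connlimit-mask 0 --connlimit-above 2, policy ACCEPT.
ORIGINAL = [Rule("REJECT", 1080, limit_above=2, mask=0)]
# Post #6: --connlimit-above 1 --connlimit-daddr on port 7070 (mask 32).
PER_SERVER = [Rule("REJECT", 7070, limit_above=1, mask=32, use_daddr=True)]
# Post #8: accept two known sources first, then limit every other source to 2.
ALLOW_THEN_LIMIT = [Rule("ACCEPT", 1080, saddr={CLIENT_A}),
                    Rule("ACCEPT", 1080, saddr={CLIENT_B}),
                    Rule("REJECT", 1080, limit_above=2)]
# Post #10: the proposed rewrite, which drops every other source outright.
ALLOW_THEN_DROP = [Rule("ACCEPT", 1080, saddr={CLIENT_A, CLIENT_B}),
                   Rule("DROP", 1080)]

if __name__ == "__main__":
    print("original, one client x6  :", simulate(ORIGINAL, "ACCEPT", opens(CLIENT_A, 6)))
    print("mask 32, two clients x3  :", simulate([Rule("REJECT", 1080, limit_above=2)], "ACCEPT",
                                                 opens(CLIENT_A, 3) + opens(CLIENT_B, 3)))
    print("allow-then-limit, stranger:", simulate(ALLOW_THEN_LIMIT, "ACCEPT",
                                                  opens(CLIENT_A, 6) + opens(STRANGER, 3)))
```

The model only evaluates new connections, which is what the `--syn` in the later rules restricts the real match to; established packets are not re-evaluated. With ORIGINAL the third parallel connection from a single client is rejected and, because mask 0 groups all sources together, a second client is rejected from its first connection, which is why raising the number to 20 makes a browser session work. Replacing mask 0 with the default mask 32 gives each source its own allowance of 2. The post #6 rule keys on the server's own address, so every connection after the first one is rejected regardless of client. In the post #8 ordering the two listed sources match the ACCEPT rules before connlimit is consulted, and only strangers are limited; the post #10 rewrite gives strangers no connections at all rather than two. Real connlimit reads the conntrack table, so connections accepted earlier or by other rules still count.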
C4H7Cl2O4P
Posts: 12 Joined: 2023-09-19 23:38
#11
Post
by C4H7Cl2O4P » 2024-02-22 14:26
jasonnix wrote: ↑ 2024-02-20 06:14
As I said, no one can connect to the server. How can I solve it?
Try to set a rule to ACCEPT connection and move your existing rule to reject after it.
jasonnix
Posts: 27 Joined: 2023-12-04 11:30
Has thanked: 1 time
#12
Post
by jasonnix » 2024-02-22 20:35
C4H7Cl2O4P wrote: ↑ 2024-02-22 14:26
jasonnix wrote: ↑ 2024-02-20 06:14
As I said, no one can connect to the server. How can I solve it?
Try to set a rule to ACCEPT connection and move your existing rule to reject after it.
Hi,
Thanks again.
Do you mean something like below?
Code:
# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 2 --connlimit-daddr -j ACCEPT
C4H7Cl2O4P
Posts: 12 Joined: 2023-09-19 23:38
#13
Post
by C4H7Cl2O4P » 2024-02-25 09:03
jasonnix wrote: ↑ 2024-02-22 20:35
C4H7Cl2O4P wrote: ↑ 2024-02-22 14:26
Try to set a rule to ACCEPT connection and move your existing rule to reject after it.
Do you mean something like below?
Code:
# iptables -A INPUT -p tcp --syn --dport 7070 -m connlimit --connlimit-above 2 --connlimit-daddr -j ACCEPT
I'm not sure.
You have accepting input policy...
Pay attention to the port. It was 1080 before and now it is 7070.
Sorry, I can not tell you more. I'm done.