Limit IP connection for specific port in forward traffic

Amin asked:

I have a server on which I have done port forwarding. This means that each user connects to the server with a dedicated port and the traffic sent by the user is directed to the remote server. I used the following commands to do the port forwarding and it works well:

iptables -t nat -A PREROUTING -p tcp --dport 8090 -j DNAT --to-destination remote_ip:8090

iptables -t nat -A POSTROUTING -j MASQUERADE

To further monitor and control traffic consumption on my server, I want to set a limit for each port. That is, each user connects to the server with 2 IPs. If there are more than 2 IPs, the user will be disconnected. I do this to prevent abuse. I tried this command:

iptables -A FORWARD -p tcp --syn --dport 8090 -m connlimit --connlimit-above 2 -j DROP

Then I connected to the server with two different IPs at the same time. I was expecting the IP limit to work and one of my connections to be disconnected, but both IPs were connected and this command did not work. Is it possible to set the IP limit for forwarded traffic in iptables?

My answer:

2 is not above 2.

You specified --connlimit-above 2. That means it matches on the third connection.

View the full question and any other answers on Server Fault.
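To make the answer's point concrete, here is a small Python model of how the connlimit match decides, added here as an illustration; it is not code from the question or the answer. It follows the behaviour described in the iptables-extensions manual: connections are grouped by source address masked with --connlimit-mask (32, i.e. per host, is the IPv4 default; 0 puts every source in one group), the new connection is added to its group's count, and the rule matches only when that count is above the configured number. The simplification that every accepted connection stays open for the whole trace, and the IP addresses used as input (from the RFC 5737 documentation ranges), are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

def group_key(src_ip: str, mask_bits: int) -> str:
    """Apply --connlimit-mask: connections are counted per masked source prefix.
    mask 32 (IPv4 default) counts per host; mask 0 lumps every source together."""
    return str(ipaddress.ip_network(f"{src_ip}/{mask_bits}", strict=False))

def simulate_connlimit(syns, above, port, mask_bits=32):
    """Walk a sequence of new TCP SYNs (src_ip, dport) through a rule of the form
         -A FORWARD -p tcp --syn --dport <port> -m connlimit
            --connlimit-above <above> --connlimit-mask <mask_bits> -j DROP
    and return [(src_ip, dport, verdict), ...] with verdict 'DROP' or 'ACCEPT'.

    Simplified model (assumption of this example): a dropped SYN never becomes a
    tracked connection, and accepted connections stay open for the whole trace.
    """
    active = defaultdict(int)  # (dport, source group) -> open connections
    verdicts = []
    for src_ip, dport in syns:
        if dport != port:
            # --dport does not match: the connlimit rule is never consulted
            verdicts.append((src_ip, dport, "ACCEPT"))
            continue
        key = (dport, group_key(src_ip, mask_bits))
        count = active[key] + 1            # the new connection is included in the count
        if count > above:                  # "above N" means strictly more than N
            verdicts.append((src_ip, dport, "DROP"))
        else:
            active[key] = count
            verdicts.append((src_ip, dport, "ACCEPT"))
    return verdicts

if __name__ == "__main__":
    # Constructed trace: two hosts, one connection each, exactly as in the question
    two_hosts = [("203.0.113.10", 8090), ("198.51.100.7", 8090)]
    print(simulate_connlimit(two_hosts, above=2, port=8090))
    # Constructed trace: three connections from one host; the third is the first one above 2
    same_host = [("203.0.113.10", 8090)] * 3
    print(simulate_connlimit(same_host, above=2, port=8090))
    # Constructed trace: mask 0 counts all sources together, so the third host is dropped
    three_hosts = two_hosts + [("192.0.2.5", 8090)]
    print(simulate_connlimit(three_hosts, above=2, port=8090, mask_bits=0))
```

With the default mask, two hosts with one connection each never reach "above 2", because each host is counted on its own; only a third concurrent connection from the same host is dropped. If the intent is a cap on the total number of concurrent connections to the port regardless of source, --connlimit-mask 0 groups all sources together. Note that connlimit counts connections, not distinct client addresses, so a rule with --connlimit-above 1 and mask 0 permits one connection in total, not one per IP.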

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.