How to limit maximum number of TCP connections

jdow jdow at earthlink.net
Thu Jun 28 08:03:54 UTC 2012


On 2012/06/27 23:27, Jatin K wrote:
> On 06/28/2012 11:32 AM, Ed Greshko wrote:
>> On 06/28/2012 01:27 PM, Jatin K wrote:
>>> well..... suppose I've 5 clients in my office ( say A, B, C, D, E ) and a
>>> linux box which is working as a router ( gateway ), I want to allow only 4
>>> concurrent pcs to access the Internet, say if A, B, C, D is using internet
>>> then fifth client E can not access the internet until any of previous
>>> connected clients ( A, B, C, or D ) gets disconnected/session ended
>> Define "access internet".....
>>
>> Do you mean *all* protocols?  So, you want to stop a 5th system from browsing,
>> ftp, ssh, ntp, pop, imap, etc?  So, if A, B, C, and D are using these
>> protocols...which can happen without direct user input (pop/imap polls,
>> facebook and rss feed updates, etc.)  you want to block E for an
>> indeterminate amount of time?
> exactly
>
>>
>> Seriously?
> yes, it's my client's requirement ......  I can understand it's not the way to go
> .... but he pays me for this ... I'm a service provider .. I have to do what
> they said and want to do
>
>> I think you need to state the problem you are trying to solve....not ask for a
>> solution which really sounds wrong headed.
>>
> how can you prove it's wrong ... they need this kind of configuration, and my
> duty is to provide the solutions they need if it's possible....
>
>      I don't know the solution/configuration requirement to fulfill their
> desire, that's why I'm asking for solutions on this list where so many experts
> like you are available. If this is wrong then I'm really sorry

OK, calm down. There may be a way iptables can limit the number of
connections of any given protocol - to some degree.

But there is another killer question these guys trying to help you are
asking, perhaps not clearly enough.

If A, B, C, and D are browsing CNN, MSNBC, ABC, and FoxNews, is the limit on
E that he cannot browse CBS, or that he cannot make an ftp file transfer, or
that his machine cannot attempt an NTP clock synchronization until one of the
others quits using the network?

There is something to keep in mind about most HTTP connections, they are
transitory. While A, B, C, and D are visiting their news sites and not
watching videos network activity is very low. So quality of service
restrictions would still allow E to visit CBS. They just could not all
be trying to browse to new pages at the same instant.

If the requirement really is only four can be using the internet in
any way and the fifth cannot there's no good and flexible way to do
it if the activity is simple browse/read/browse to new site/read. The
technique that would have to be used is more presumptive. You'd need a
rule that bans a user if in the last five minutes four other users have
connected to their own web sites however briefly.

Methinks your customer needs to step back a few feet from his description
of what he wants and tell you what he really wants or needs. That means
YOU need to educate him. Explain what quality of service means and
determine that is indeed not what is wanted. Explain how HTTP connections
can typically work as short bursts of multiple brief connections so
preventing more than four different machines from making web connections
can be amazingly difficult. You have to add a "presumption" filter that
notes connections made and the time they were made. If at any time the
filter has collected connections from four different machines to the
Internet the fifth is banned until a timeout runs out on at least one
of the other four's last connection. The timeout is presumed to mean she
has turned to some other task and is not using the internet.

If you ban more than four simultaneous TCP/IP connections, web browsing,
with its dozens of simultaneous connections, may become annoyingly slow
even for only one user. This is particularly a problem with fast and
efficient browsers that try to overlap connections to speed downloading
the web page.

As relayed by you, your customer's request is meaningless. You MUST find
out what assumptions your customer is making so you have a chance of
understanding what is really wanted.

{^_^}
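The "presumption filter" jdow sketches above (note the last connection time per LAN host, admit at most four distinct hosts, ban a fifth until one of the four has been quiet for a timeout) can be tried out as a small simulation. The following is an added example and not code from the thread or from any Fedora/iptables project; the 192.168.1.x client addresses, the five-minute timeout and the iptables FORWARD-chain DROP rule it renders are assumptions about how such a daemon would apply a ban on the gateway. It also demonstrates the point about browsers: because a host keeps a single slot that is only refreshed, a browser opening dozens of parallel connections counts once, whereas a raw "at most four TCP connections" rule would throttle even one user.

```python
# Added example (not from the thread): a "presumptive" filter of the kind
# jdow describes, tracking the LAST time each LAN host opened an outbound
# connection and admitting at most MAX_HOSTS distinct hosts within TIMEOUT
# seconds. Host addresses, timeout and the iptables rule text are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PresumptiveFilter:
    """Admit new connections from at most `max_hosts` distinct sources.

    A host keeps its slot for `timeout` seconds after its last connection,
    so a browser that opens dozens of parallel connections counts once.
    """
    max_hosts: int = 4
    timeout: float = 300.0          # five minutes, as in the post (assumed)
    last_seen: Dict[str, float] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Drop hosts whose last connection is older than the timeout; this
        # is the "presumption" that they have turned to some other task.
        for ip, t in list(self.last_seen.items()):
            if now - t > self.timeout:
                del self.last_seen[ip]

    def admit(self, src_ip: str, now: float) -> bool:
        """Return True if src_ip may open a new connection at time `now`."""
        self._expire(now)
        if src_ip in self.last_seen:
            self.last_seen[src_ip] = now   # refresh an existing slot
            return True
        if len(self.last_seen) >= self.max_hosts:
            return False                    # fifth host: refused for now
        self.last_seen[src_ip] = now
        return True

    def active_hosts(self, now: float) -> List[str]:
        """Hosts currently holding a slot, after expiring stale ones."""
        self._expire(now)
        return sorted(self.last_seen)


def ban_rule(src_ip: str) -> str:
    """Gateway rule a userspace daemon would apply for a refused host.

    Assumed form: drop forwarded traffic from that source. The same rule
    with `-D` instead of `-I` removes the ban once a slot frees up.
    """
    return f"iptables -I FORWARD -s {src_ip} -j DROP"


# Constructed sample: (seconds since start, LAN source address)
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0.0, "192.168.1.10"),    # A
    (1.0, "192.168.1.11"),    # B
    (2.0, "192.168.1.12"),    # C
    (3.0, "192.168.1.13"),    # D
    (10.0, "192.168.1.14"),   # E: fifth distinct host, refused
    (12.0, "192.168.1.10"),   # A again: existing slot, admitted
    (200.0, "192.168.1.13"),  # D refreshes its slot
    (320.0, "192.168.1.14"),  # E: A (12), B (1), C (2) timed out, admitted
    (321.0, "192.168.1.10"),  # A: only D and E hold slots, admitted
]


def replay(events: List[Tuple[float, str]], max_hosts: int = 4,
           timeout: float = 300.0) -> List[Tuple[float, str, bool]]:
    """Run connection events through the filter; return (t, ip, admitted)."""
    f = PresumptiveFilter(max_hosts=max_hosts, timeout=timeout)
    return [(t, ip, f.admit(ip, t)) for t, ip in events]


if __name__ == "__main__":
    for t, ip, ok in replay(SAMPLE_EVENTS):
        action = "allow" if ok else "deny  -> " + ban_rule(ip)
        print(f"t={t:6.1f} {ip:14} {action}")
```

The decision needs a count of distinct hosts across the whole LAN, which is why it sits in a small userspace loop fed by the gateway's connection events rather than in a single per-source iptables match; the rule strings are only rendered here, never executed, and a real daemon would also have to issue the matching `-D` rule when a refused host's turn comes.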