How to limit maximum number of TCP connections

Rick Stevens ricks at alldigital.com
Thu Jun 28 16:21:25 UTC 2012


On 06/28/2012 04:34 AM, Ian Malone wrote:
> On 27 June 2012 07:57, Jatin K <ssh.fedora at gmail.com> wrote:
>> Dear All
>>
>> I'm on FC 15, which is acting as a router for a cable Internet connection
>> for 145 PCs on the LAN, and it works fine. But there is one question in
>> my mind: how do I limit the maximum number of concurrent connections to
>> the router? I.e. if I want to allow only 90 concurrent connections to the
>> router at a given time, only 90 PCs can pass through the router or
>> connect to the Internet; other PCs/users have to wait until a connected
>> PC's session is over.
>>
>
> Having read all the other replies I have to agree that your client is
> either embarked on a philosophical exercise in traffic management or
> has come to their own (likely incorrect) conclusion that this is the
> best way to achieve something else. Best response is to engage and try
> to find out why.
>
> However, I don't see why it wouldn't be possible to use the kind of
> access control that gets used on commercial or courtesy wifi systems
> where all requests get redirected to a local server until the user
> authenticates the machine (usually via a web browser to make payment
> or agree to T&Cs). It does still have all the issues like background
> connections (software updates, NTP etc.), but this is protocol
> agnostic so far as I know. Look up captive portals (e.g. wifidog),
> note I've never done this.

You could, I suppose, make the router also a DHCP server, and have a 
limited number of IPs available in the pool along with forcing lease
expirations. I believe the OP said no more than 90 simultaneous
"sessions", so have a pool of 90 IPs available. When they're all given
out, the other computers can't get an IP until someone's lease expires
and frees up an IP. This, of course, would also limit the local LAN to
90 users.

If they're trying to limit access to the Internet, then perhaps a proxy
such as Squid could be used. It has a number of access rule mechanisms
that might be tuned to do what is needed.

I agree the OP's client has got a weird idea as to limiting access, but
perhaps they feel their uplink is too small to handle more connections.
There is a lot of education that's required here with the client.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-    Overweight:  When you step on your dog's tail...and it dies.    -
----------------------------------------------------------------------
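As an added illustration of the DHCP-pool approach Rick describes (not part of the original post or thread), here is an ISC dhcpd subnet stanza sized to exactly 90 leases. The subnet 192.168.10.0/24, the router address and the lease times are assumptions chosen for the example; adjust them to the real LAN.

```conf
# Example ISC dhcpd.conf stanza (constructed for illustration; not from the thread).
# 192.168.10.100 .. 192.168.10.189 inclusive is exactly 90 addresses, so at most
# 90 hosts can hold a lease at once. Anyone else gets no offer until a lease expires.
subnet 192.168.10.0 netmask 255.255.255.0 {
    range 192.168.10.100 192.168.10.189;       # 90 addresses in the pool
    option routers 192.168.10.1;               # the FC15 box acting as router (assumed)
    option domain-name-servers 192.168.10.1;   # assumed: router also resolves DNS
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;

    # Short leases so an idle machine actually frees its address for the next user;
    # a client that stays up keeps renewing and never loses its slot.
    default-lease-time 600;     # 10 minutes
    max-lease-time 900;         # 15 minutes
}
```

Two caveats a practitioner would check. First, the pool only limits hosts that ask DHCP for an address: a machine with a statically configured address in the same subnet bypasses it entirely, so the router's forwarding rules should only accept traffic from the pool range (e.g. an iptables `FORWARD` rule matching `-m iprange --src-range 192.168.10.100-192.168.10.189`, with everything else dropped) if the 90-host ceiling is meant to be enforced rather than advisory. Second, as Rick notes, this caps the number of LAN hosts with an address, not the number of TCP connections, which is what the OP literally asked for.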

