The Eye's Mind

Per IP or netblock connection limit with Qmail TCPserver

Host OS: Gentoo Linux
pkg version: ucspi-tcp-0.88-r17

Very often (sometimes more than once a day) on some of the servers under my control, qmail will be forced by a monitoring daemon to reboot due to unresponsiveness. 9 and a half times out of 10 this is due to one machine filling up the 40-80 free smtp slots on the server with garbage requests. If I allow too many more than that it'll kill the cpu.

So, a (quite old) patch exists for ucspi-tcp-0.88 to add some functionality to tcpserver.


A limits patch, based directly on the code above, existed in Gentoo until r15 of ucspi-tcp.

After forking my own ebuild and adding the patch back in: 11 out of 14 chunks succeed...so close.

I want to know if any of you run qmail on servers that need this type of functionality and want to help get a new, up-to-date patch out there. Conversely, I'd like some suggestions on how to achieve the functionality I am looking for in the tcpserver.



Can you not use `iptables' to limit the number of connections per IP? See »www.cyberciti.biz/faq/iptables-c···ts-howto

I hate Vogons
Or fail2ban »www.fail2ban.org


reply to pablo

Exactly as Pablo has suggested -- I use this on my MTA. TCP RST is "nice" since they don't end up with half-open connections. I consider these values "sane"; they are currently in production use for a Postfix/Dovecot server. Adjust values as necessary, obviously.

/usr/sbin/iptables -I INPUT -p tcp --syn --dport 993 -m connlimit --connlimit-above 16 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -I INPUT -p tcp --syn --dport 465 -m connlimit --connlimit-above 16 -j REJECT --reject-with tcp-reset
/usr/sbin/iptables -I INPUT -p tcp --syn --dport 25 -m connlimit --connlimit-above 4 -j REJECT --reject-with tcp-reset



Oh yeah, the 4 connections on dport 25 is 4 connections per IP, not 4 cumulative connections -- here is the man page:

       Allows you to restrict the number of parallel connections to a server
       per client IP address (or client address block).

       --connlimit-upto n
              Match if the number of existing connections is below or equal n.

       --connlimit-above n
              Match if the number of existing connections is above n.

       --connlimit-mask prefix_length
              Group hosts using the prefix length. For IPv4, this must be a
              number between (including) 0 and 32. For IPv6, between 0 and
              128. If not specified, the maximum prefix length for the
              applicable protocol is used.

       --connlimit-saddr
              Apply the limit onto the source group.

       --connlimit-daddr
              Apply the limit onto the destination group.

       # allow 2 telnet connections per client host
       iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

       # you can also match the other way around:
       iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT

       # limit the number of parallel HTTP requests to 16 per class C sized source network (24 bit netmask)
       iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

       # limit the number of parallel HTTP requests to 16 for the link local (ipv6)
       ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT

       # Limit the number of connections to a particular host:
       ip6tables -p tcp --syn --dport 49152:65535 -d 2001:db8::1 -m connlimit --connlimit-above 100 -j REJECT