I have the following rules now:
10 chain=forward action=accept protocol=tcp connection-limit=100,32
11 chain=forward action=drop protocol=tcp connection-limit=100,32
12 chain=forward action=reject reject-with=icmp-network-unreachable p2p=all-p2p protocol=tcp connection-limit=5,32
What it should do is:
- accept the first 100 TCP-connections
- drop the rest
- limit p2p connections to 5 per user
Right now, one user has 18 p2p (bittorrent), 120 TCP, 47 UDP
Problems are:
- many people can not use skype
- at time of high traffic, some basic protocols like DHCP etc can not connect, because there are no connections available.
- external loadbalancer is limited to 40000 simultaneous sessions (in theory, CPU limit is less)
- a P2P user uses 2200 to 2500 open sessions, and there are too many of them
I tried to fix this by setting up priorities, but also this does not work. It is taken from a script to a TikTube video :
Mangle:
0 chain=prerouting action=accept protocol=tcp dst-port=110 packet-mark=Download_services
1 chain=prerouting action=accept protocol=tcp dst-port=995 packet-mark=Download_services
2 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=143
3 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=993
4 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=25
5 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=80 connection-bytes=500000-0
6 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=20
7 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=21
8 chain=prerouting action=mark-packet new-packet-mark=Download_services passthrough=yes protocol=tcp dst-port=22 packet-size=1400-1500
9 chain=prerouting action=mark-packet new-packet-mark=P2P_services passthrough=yes p2p=all-p2p
10 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=tcp dst-port=53
11 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=udp dst-port=53
12 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=icmp
13 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=tcp dst-port=443
14 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=tcp dst-port=23
15 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=tcp dst-port=22 packet-size=0-1400
16 chain=prerouting action=mark-packet new-packet-mark=Ensign_services passthrough=yes protocol=tcp dst-port=80 connection-bytes=0-500000
17 chain=prerouting action=accept packet-mark=User_requests
Queues:
0 name="Prio 1" parent=global-in packet-mark=Ensign_services limit-at=0 queue=default priority=1 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
1 name="Prio 3" parent=global-in packet-mark=User_requests limit-at=0 queue=default priority=3 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
2 name="Prio 7" parent=global-in packet-mark=Download_services limit-at=0 queue=default priority=7 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s
3 name="Prio 8" parent=global-out packet-mark=P2P_services limit-at=1k queue=default priority=8 max-limit=2k burst-limit=0 burst-threshold=0 burst-time=0s
Any hints?
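Added example, not the rules from the post above: the stated intent (first 100 TCP connections per address accepted, the rest refused, P2P capped at 5 per user) rewritten on the assumption that RouterOS `connection-limit` matches once the per-address connection count exceeds the given value, which is why the limiting rule must be the drop or reject and must sit before any accept that would catch the same traffic.

```routeros
# Added example (not the poster's rules). Assumes RouterOS firewall filter
# semantics: connection-limit=N,32 matches a packet only when its source
# address already has more than N tracked connections. With that semantics
# an "accept connection-limit=100,32" placed first accepts exactly the
# connections that should be dropped, and the drop rule behind it never fires.

/ip firewall filter

# 1. Keep already-open sessions alive, so a host that is over its limit
#    loses only new connection attempts, not the ones it already has.
add chain=forward connection-state=established,related action=accept comment="keep existing sessions"

# 2. P2P cap: the 6th and later connections of a host whose traffic is
#    classified as P2P are refused. p2p= needs payload to classify, so this
#    matches packets of flows already identified as P2P, not the bare SYN.
add chain=forward protocol=tcp p2p=all-p2p connection-limit=5,32 action=reject reject-with=icmp-network-unreachable comment="max 5 P2P connections per source"

# 3. General cap: only the SYN of a new connection is checked, and it is
#    dropped once the source address already holds more than 100 connections.
add chain=forward protocol=tcp tcp-flags=syn connection-limit=100,32 action=drop comment="over 100 TCP connections per source"

# 4. Everything that survived the caps is allowed through.
add chain=forward action=accept comment="default accept"
```

Rule order is the whole point: a limit rule that is reached only after a matching accept is dead code, and `/ip firewall filter print stats` showing zero hits on the drop rule is the quick way to confirm that is what is happening.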