iptables limit the number of connections in the system for both ipv4 ipv6
A connection is a 5-tuple (ip src/dst, port src/dst, protocol).
What about different connections between ipv4 and ipv6?
If I define the iptables rule:
iptables -A INPUT -p tcp -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
it limits the tcp connections to 50.
What about ipv6 tcp connections? Should I also write
ip6tables -A INPUT -p tcp -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
?
Does it mean that I can have 100 tcp connections overall (50 ipv4 + 50 ipv6)?
How does it work?
Thanks.
networking iptables ipv6 ipv4
asked Jan 19 '17 at 12:07
hudac
2 Answers
You will have 50 of each type of connection, since iptables will handle only ipv4 and ip6tables will deal with ipv6 connections. They will not "sum" up, because they are managed by different tools on each protocol version.
Will nftables, the "new firewall", be able to deal with both protocols summing up everything? No. You will have the "same tool" (the nft binary) to deal with the protocols independently using the rule keyword: nft add rule ip6 ... and nft add rule ip ...
As pointed out in the comments, the nft_connlimit extension was recently added to Linux 4.18, allowing you to count the sum of ipv4 and ipv6 connections if you use the reserved word inet while creating rules.
Related Stuff:
- Serverfault: How do you set a max connection limit with nftables?
edited Nov 14 at 9:58
answered Jan 19 '17 at 12:18
nwildner
Now the feature has been implemented with nftables, actually using the family inet instead of just ip or just ip6 will use the combined count of IPv4 and IPv6 connections retrieved from conntrack. See my related answer on SF there: How do you set a max connection limit with nftables?
– A.B
Nov 13 at 23:59
Thanks for the info A.B. Added to the answer :)
– nwildner
Nov 14 at 9:59
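An added example (not code from the question or from either answer): a small POSIX shell helper that emits the nftables ruleset for each of the three families the accepted answer names, so the difference between two separate counters (ip plus ip6, the iptables/ip6tables behaviour) and one shared counter (inet, which needs nft_connlimit on Linux 4.18 or later) is visible in the generated rules. It also prints the iptables/ip6tables pair from the question with one caveat a practitioner should know: without --connlimit-mask the connlimit match groups connections per source address (/32 for IPv4, /128 for IPv6), so the question's rule caps each client at 50 rather than the whole system; --connlimit-mask 0 makes it a single counter per address family. The table name "filter", the chain name "input" and the default port 22 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or either answer.
# Emits nftables rulesets that enforce a TCP connection cap with the three
# counting scopes discussed on this page:
#   ip   -> counts IPv4 connections only  (what iptables + connlimit does)
#   ip6  -> counts IPv6 connections only  (what ip6tables + connlimit does)
#   inet -> one combined IPv4+IPv6 count  (needs nft_connlimit, Linux >= 4.18)
# Table name "filter", chain name "input" and the default port are assumptions.

connlimit_ruleset() {
    family="$1"          # ip | ip6 | inet
    limit="$2"           # reject new connections once this many are tracked
    port="${3:-22}"      # assumed service port

    case "$family" in
        ip|ip6|inet) ;;
        *) echo "unsupported family: $family" >&2; return 1 ;;
    esac

    cat <<EOF
table $family filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # "ct count" is evaluated over every tracked connection that matched
        # this rule, regardless of source address: a system-wide cap for the
        # port, not a per-client one.
        tcp dport $port ct state new ct count over $limit counter reject with tcp reset
    }
}
EOF
}

# The iptables/ip6tables pair from the question. Without --connlimit-mask the
# connlimit match groups connections per source address (/32 for IPv4, /128
# for IPv6), so "50" is a per-client limit; --connlimit-mask 0 turns it into a
# single counter for the whole address family.
iptables_connlimit_rules() {
    limit="$1"
    printf '%s\n' \
        "iptables -A INPUT -p tcp -m connlimit --connlimit-above $limit --connlimit-mask 0 -j REJECT --reject-with tcp-reset" \
        "ip6tables -A INPUT -p tcp -m connlimit --connlimit-above $limit --connlimit-mask 0 -j REJECT --reject-with tcp-reset"
}

# Syntax-check a generated ruleset without loading it (nft -c reads the
# ruleset from stdin and only validates it). Succeeds silently when nft is
# not installed so the script stays runnable on any host.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        connlimit_ruleset "$1" "$2" | nft -c -f -
    fi
}

# Usage: two independent 50-connection caps (the iptables/ip6tables behaviour) ...
connlimit_ruleset ip 50
connlimit_ruleset ip6 50
# ... versus one cap shared by IPv4 and IPv6 connections:
connlimit_ruleset inet 50
iptables_connlimit_rules 50
```

Running the script prints the three rulesets and the two legacy commands; `check_ruleset inet 50` validates the inet variant with `nft -c` where nft is present, and the first two rulesets together reproduce the "50 + 50" outcome the answers describe while the inet one yields a single combined count.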
Yes, that means you can have 50+50 connections.
answered Jan 19 '17 at 12:16
Henrik