<div>
Not done any of this myself but a quick google for &quot;linux qos routing&quot; or &quot;linux policy routing&quot;. There's also a post here on EE that has some decent info:<br />
<br />
<a href="https://www.experts-exchange.com/questions/24124703/Linux-as-QoS-Router.html" rel="ugc">https://www.experts-exchange.com/questions/24124703/Linux-as-QoS-Router.html</a><br />
<br />
hth.
</div>


<div>
You can limit the number of connections in a period of time with recent module in iptables.<br />
<a href="http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/" rel="ugc">http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/</a><br />
<a href="http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/" rel="ugc">http://www.e18.physik.tu-muenchen.de/~tnagel/ipt_recent/</a>
</div>


<div>
netpass, hi.<br />
&gt;&nbsp;There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/m<wbr />ax_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem.<br />
<br />
Really the root cause may be heavy network load of your server (servers/users behind firewall), so that's a normal solution.<br />
<br />
How much 'route per IP' do you think is 'the maximum' and how many total 'ip cache routes' do you think is OK? There is no such control as 'ip route cache entries per IP' since all IPs are equal for routing process and you have as many ip route cache entries as IPs you (or users behind firewall) are trying to access.<br />
<br />
I agree with Blaz, you may try to use 'recent' module (in PREROUTING chain), but also you may try to modify another route cache control parameters:<br />
&nbsp;'gc_interval' &nbsp;or 'gc_thresh'<br />
<a href="http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_interval.html" rel="ugc">http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_interval.html</a><br />
<a href="http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_thresh.html" rel="ugc">http://www.linuxinsight.com/proc_sys_net_ipv4_route_gc_thresh.html</a><br />
<br />

</div>


<div>
Thanks for your suggestions. <br />
<br />
However, both gc_interval and gc_thresh are applied to the whole box, i.e. both normal and abnormal users will be affected. If I only want to prevent thoses abnormal users (making many new connections) from polluting the routing table, any suggestions?<br />
<br />
The &quot;recent&quot; modules may be the direction. However, don't know how to set the rule for &quot;dropping new connection if last new connection is made &lt;&nbsp;x second&quot;
</div>


<div>
here is an example:<br />
<a href="https://www.experts-exchange.com/questions/24139279/Non-syntax-related-Error-Message-when-using-iptables.html?sfQueryTermInfo=1+iptabl+recent" rel="ugc">https://www.experts-exchange.com/questions/24139279/Non-syntax-related-Error-Message-when-using-iptables.html?sfQueryTermInfo=1+iptabl+recent</a><br />
<br />

</div>


<div>
Did you look at the links I posted about recent iptables module?<br />
<br />
For example:<br />
<br />
iptables -N RATELIMIT<br />
iptables -A PREROUTING state state NEW -j RATELIMIT<br />
iptables -A RATELIMIT -m recent set name RateLimit<br />
iptables -A RATELIMIT -m recent update seconds 100 hitcount 20 name RateLimit -j DROP<br />
<br />
This rules will limit that there must be less than 20 new connections from any host in a time window of 100 seconds.
</div>


<div>
Thanks, I will try and advise the result
</div>


<div>
After verification, it works. By limiting frequency of &quot;NEW&quot; connections, I can limit the rate of new routes added in route cache. Anyway, want to know how to define &quot;NEW&quot; as it seems it is quite different for different protocols, e.g. icmp, udp, tcp, etc. For example, in ICMP, each ping is a &quot;NEW&quot; session even to the same desination! In TCP, each TCP session is a &quot;NEW&quot; session.<br />
<br />
Can anyone help to clarify. Thanks in advance
</div>


<div>
<div class="content wysiwyg-content">
I have a Linux firewall box, sometimes found many &quot;dst cache overflow&quot;. There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/m<wbr />ax_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem. I found the root cause is some users connect to many many destinations in a short period (may be BT, virus, etc.). I can list the routes by &quot;route -Cn&quot;.<br />
<br />
I want to know is there any means to limit number of routes per IP? Solutions, comments, ideas, directions are welcome.
</div>
</div>


I have a Linux firewall box, sometimes found many "dst cache overflow". There are some ways to overcome this, e.g. increase /proc/sys/net/ipv4/route/max_size or set secret_interval to a lower value. However, these do not solve the root cause of the problem. I found the root cause is some users connect to many many destinations in a short period (may be BT, virus, etc.). I can list the routes by "route -Cn".

I want to know is there any means to limit number of routes per IP? Solutions, comments, ideas, directions are welcome.

How to limit number of routes per ip

Kernel programming for Linux operating systems can be done with many different languages; C, C++, Python, Perl and Java, which are some of the most common languages used.There are also many different varieties of Linux, such as Ubuntu, Fedora and OpenSUSE.

Linux OS Dev

The variety of Linux distributions creates myriad issues relating to configuration and operations when computers are networked, not the least of which is the use of various network management applications, some of which are included with specific distributions, while others are standalone applications.

Linux Networking

Servers are computing devices that are similar to desktop computers in that they have the same basic components, but are significantly different in size, configuration and purpose. Servers are usually accessed over a network, and many run unattended, without a computer monitor, input device, audio hardware or USB interfaces. Many servers do not have a graphical user interface (GUI), and are configured and managed remotely. Servers typically include hardware redundancy such as dual power supplies, RAID disk systems, and ECC memory, along with extensive pre-boot memory testing and verification. Critical components might be hot swappable, and to guard against overheating, servers might have more powerful fans or use water cooling.