# connlimit for udp. How?

## ponch

I need to limit the number of sessions for one of my NATed users. I already did it with connlimit, but only for TCP traffic. How do I set the same limits for UDP?

----------

## swanson

You can't, as UDP is stateless. Each UDP packet is completely independent, so it cannot be tracked the same way as TCP. Matches for tracking individual applications using UDP, such as for SIP or OpenH323, do exist, but they don't provide connection limiting. Your best bet would be to limit their total UDP bandwidth.

----------

## aidanjt

Netfilter can use counters for any kind of IP traffic.

----------

## ponch

*AidanJT wrote:*

> Netfilter can use counters for any kind of IP traffic.

I didn't get it. Any examples would be appreciated.

----------

## Hu

Read the iptables manpage, specifically the sections dealing with the limit match (not connlimit, which is TCP only) and the hashlimit match.  As a crude example from memory:

```
# Dedicated chain for the roommate's UDP traffic
iptables -N roommate

# Send all forwarded UDP from that host into the chain
# (roommate-computer is a placeholder for the host's address)
iptables -A FORWARD -p udp -s roommate-computer -j roommate

# Token bucket: refill 3 packets/second, bucket holds 6 (initial burst)
iptables -A roommate -m limit --limit 3/second --limit-burst 6 -j ACCEPT

# Everything over the limit is dropped
iptables -A roommate -j DROP
```

This will route all UDP traffic to the rule roommate.  The first roommate rule matches up to three packets a second and allows them to pass.  All subsequent packets will hit the second rule and be dropped.  The next second, an additional three packets will be allowed.  The limit match is traditionally used with LOG targets, to avoid flooding log files with dropped traffic.  However, it can also be used as shown here.

Depending on the volume of data you are moving, you may also want to look into traffic control via the utility tc.  This gives you the ability to limit the bandwidth used, as swanson suggested.  If you pursue this route, please read the Linux Advanced Routing & Traffic Control HOWTO.

----------
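The limit and hashlimit matches Hu refers to are both token buckets: `--limit` is the refill rate and `--limit-burst` the bucket size, so a full bucket lets the first six packets through at once and the rule then admits three packets per second, which is a little more generous than the "three packets a second" description above. The simulation below is an added example, not code from the thread; it replays a constructed packet trace through that bucket, once shared by every packet hitting the rule (as `-m limit` does) and once keyed by source address (as `-m hashlimit --hashlimit-mode srcip` does). The addresses, timings and the `simulate` helper are assumptions made for illustration.

```python
"""Token-bucket simulation of the iptables limit / hashlimit matches.

Added example (not from the thread).  Assumed: the "--limit 3/second
--limit-burst 6" rule from the post, a constructed packet trace with two
source hosts, and a per-source variant modelling hashlimit-mode srcip.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A packet in the constructed trace: (arrival time in seconds, source address).
Packet = Tuple[float, str]


@dataclass
class TokenBucket:
    """--limit is the refill rate (packets/second); --limit-burst the capacity.

    The bucket starts full, so the first `burst` packets pass even if they
    arrive together; after that only `rate` packets per second get through.
    """
    rate: float
    burst: int
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(packets: List[Packet], rate: float, burst: int,
             key: Optional[Callable[[Packet], str]] = None) -> Dict[str, int]:
    """Return the number of accepted packets per source address.

    key=None              one bucket shared by every packet (-m limit)
    key=lambda p: p[1]    one bucket per source (-m hashlimit --hashlimit-mode srcip)
    """
    buckets: Dict[Optional[str], TokenBucket] = {}
    accepted: Dict[str, int] = {}
    for pkt in sorted(packets):            # netfilter sees packets in arrival order
        k = key(pkt) if key else None
        bucket = buckets.setdefault(k, TokenBucket(rate, burst))
        accepted.setdefault(pkt[1], 0)
        if bucket.allow(pkt[0]):
            accepted[pkt[1]] += 1
    return accepted


# Constructed trace (not captured data): the NATed user floods ten packets in
# 0.1 s, a second host sends four in the same window, and the user sends four
# more a second later.
ROOMMATE = "192.0.2.10"
OTHER = "192.0.2.20"
TRACE: List[Packet] = (
    [(i / 100, ROOMMATE) for i in range(10)]
    + [(0.005 + i / 100, OTHER) for i in range(4)]
    + [(1.0 + i / 100, ROOMMATE) for i in range(4)]
)


def run_limit() -> Dict[str, int]:
    """Shared bucket: both hosts compete for the same six tokens."""
    return simulate(TRACE, rate=3, burst=6)


def run_hashlimit_srcip() -> Dict[str, int]:
    """Per-source buckets: each host gets its own burst and refill."""
    return simulate(TRACE, rate=3, burst=6, key=lambda p: p[1])


if __name__ == "__main__":
    print("limit (shared):      ", run_limit())
    print("hashlimit (per src): ", run_hashlimit_srcip())
```

With Hu's rule the shared bucket is effectively per-user, because `-s roommate-computer` already selects a single host; once several NATed hosts hit the same rule, the per-source variant is what stops one host's flood from consuming another's allowance. Both matches count packets, not sessions: one busy UDP stream and six idle ones look identical to them, which is the gap the original question is really about.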

