iptables, connlimit-above for one IP

[Igor]

How can I limit the number of concurrent connections for one internal IP (phone by WiFi)? Firmware from Merlin v3.0.0.4.376.49_5.

In "clear" iptables rules I added

iptables -I INPUT 3 -p tcp --syn -s 192.168.1.10 -m connlimit --connlimit-above 150 -j REJECT --reject-with tcp-reset

but I do not see this blocking. "iptables -nvL INPUT":

 1519  803K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
80950 8537K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 REJECT     tcp  --  *      *       192.168.1.10        0.0.0.0/0            tcpflags: 0x17/0x02 #conn src/32 > 150 reject-with tcp-reset

and I see many (281) ESTABLISHED connectinos by "netstat-nat|grep 192.168.1.10|wc -l". I have a suspicion, these connections (initiated WiFi clients only) are not closed during the day ...

 

[RMerlin]

The INPUT chain only controls connections that are terminated on the router itself. If you want to control connections going to the WAN, you will probably need to use the FORWARD chain.

 

[Igor]

The INPUT chain only controls connections that are terminated on the router itself. If you want to control connections going to the WAN, you will probably need to use the FORWARD chain.

I tried to limit the FORWARD chain. 0 hits too. I not fight the long open multiple connections initiated WiFi clients, even after the client has quit the network. There is no problem in LAN Ethernet clients.

Tested on Asus RT-AC56U.

 

[RMerlin]

I don't think what you are trying to do would work.