Here are the sample lines for connection limiting, where br0 is the internal LAN:
# only allow 25 connections per host total, only 5
# of which can be above port 1024
/usr/sbin/iptables -I FORWARD -i br0 -p tcp --syn --dport 1: -m connlimit --connlimit-above 25 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p tcp --syn --dport 1024: -m connlimit --connlimit-above 5 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p udp --dport 1: -m connlimit --connlimit-above 25 -j REJECT
/usr/sbin/iptables -I FORWARD -i br0 -p udp --dport 1024: -m connlimit --connlimit-above 5 -j REJECT
/usr/sbin/iptables -A FORWARD -s 192.168.1.2 -p tcp -m connlimit --connlimit-above 10 -j DROP
You’ll also want:
# filter out bad/corrupted p2p traffic
iptables -I PREROUTING -t mangle -m conntrack --ctstate INVALID -j DROP
# block Blobster and Piolet from downloading the initial peer list
iptables -I FORWARD -i br0 -p tcp --dport 80 -d 128.121.0.0/16 -j REJECT
And then to block the specific apps that MD was talking about above:
# block eDonkey
iptables -I FORWARD -i br0 -p tcp --dport 4662 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 4662 -j REJECT
# block Limewire, Morpheus, Bearshare
iptables -I FORWARD -i br0 -p tcp --dport 6346:6347 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 6346:6347 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 6346:6347 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 6346:6347 -j REJECT
# block eMule
iptables -I FORWARD -i br0 -p udp --dport 4672 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 4672 -j REJECT
# block BitTorrent
iptables -I FORWARD -i br0 -p tcp --dport 6881:6889 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 6881:6889 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 6881:6889 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 6881:6889 -j REJECT
# block WinMx
iptables -I FORWARD -i br0 -p tcp --dport 6699 -j REJECT
iptables -I FORWARD -i br0 -p tcp --sport 6699 -j REJECT
iptables -I FORWARD -i br0 -p udp --dport 6699 -j REJECT
iptables -I FORWARD -i br0 -p udp --sport 6699 -j REJECT
All of this would go in an /etc/init.d startup file, etc.
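The post's rules, as an added example that is not part of the original post or the poster's own script: the same connlimit values and port ranges are collected into one dedicated chain (the chain name `P2P_LIMIT`, the `IPT` and `LAN_IF` variables and the `p2p_rules` function are assumptions for this example). Putting them in their own chain makes the evaluation order explicit (the `-I` rules in the post are inserted in reverse order of appearance, which is easy to get wrong when the file is edited later) and lets the startup script be re-run without stacking duplicate rules. By default the script only prints the commands it would run, so the generated rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the poster's connlimit
# and p2p port rules in a dedicated chain. Dry-run by default: set
# IPT=/usr/sbin/iptables in the environment to actually apply the rules.
IPT="${IPT:-echo /usr/sbin/iptables}"
LAN_IF="${LAN_IF:-br0}"   # internal LAN interface, as in the post
CHAIN="P2P_LIMIT"         # assumed chain name (not from the post)

# proto:portspec pairs to reject in both directions; values are the
# eDonkey, Gnutella, eMule, BitTorrent and WinMX ports from the post.
P2P_PORTS="tcp:4662 tcp:6346:6347 udp:6346:6347 udp:4672 tcp:6881:6889 udp:6881:6889 tcp:6699 udp:6699"

p2p_rules() {
    # Start from an empty chain so repeated runs do not stack duplicates.
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"

    # Per-host connection limits from the post: 25 total, 5 above port 1024.
    # connlimit counts per source address by default, which is what
    # "per host" means here. --syn only applies to TCP.
    for proto in tcp udp; do
        syn=""
        [ "$proto" = tcp ] && syn="--syn"
        $IPT -A "$CHAIN" -p "$proto" $syn --dport 1: -m connlimit --connlimit-above 25 -j REJECT
        $IPT -A "$CHAIN" -p "$proto" $syn --dport 1024: -m connlimit --connlimit-above 5 -j REJECT
    done

    # Reject the known p2p ports as both destination and source port.
    for entry in $P2P_PORTS; do
        proto="${entry%%:*}"
        ports="${entry#*:}"
        $IPT -A "$CHAIN" -p "$proto" --dport "$ports" -j REJECT
        $IPT -A "$CHAIN" -p "$proto" --sport "$ports" -j REJECT
    done

    # Hook the chain into FORWARD for traffic arriving from the LAN; remove
    # any previous jump first so re-running the script stays idempotent.
    $IPT -D FORWARD -i "$LAN_IF" -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD -i "$LAN_IF" -j "$CHAIN"
}

# Running the script directly prints (or applies) the rule set.
p2p_rules
```

Run it once without `IPT` set and read the printed commands; then run it with `IPT=/usr/sbin/iptables` from the init script. The mangle-table `--ctstate INVALID` drop and the 128.121.0.0/16 peer-list rule from the post are left as the poster wrote them, since they live outside the FORWARD chain this example manages.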