Limit web content to be downloaded in one minute frame from one ip address (with iptables) [closed]

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite












Which rule could we apply on iptables to limit amount of downloaded traffic, for example we need to limit customer so he can download only 400 Kilobytes in a minute from one ip address ? If he downloads more, then block his ip for 5 minutes ? Not apache/nginx, but rather iptabes. I would like to close the network connectivity to people who trying to get > 400kb in one minute frame.










share|improve this question















closed as unclear what you're asking by Scott, h3rrmiller, Jeff Schaller, Anthony Geoghegan, Stephen Rauch Oct 2 '17 at 22:47


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.










  • 2




    Please don’t confuse miles with kilometers.  How are Kilobytes per minute different from Mb/sec except for a scale factor? Please do not respond in comments; edit your question to make it clearer and more complete.
    – Scott
    Oct 2 '17 at 19:35










  • @scott seems you didn't read the question. They want an IP blocked if the date volume exceeds a fixed amount in a fixed time period. Not a rare limit. The question send perfectly clear to me.
    – user1998586
    Oct 4 '17 at 7:45










  • I did read the question.  “400 Kilobytes per minute” does not mean “400 Kilobytes in one minute”, in English.  If that’s what the OP meant, congratulations on having read their mind.  The person who answered read the same question you and I did, and they thought it was about rate limiting; and four people agreed with me that it is unclear.  If you believe that you understand the question so much better than we do, and that you understand English so much better than we do, then please edit the question so that it’s clear to simpletons like me.
    – Scott
    Oct 4 '17 at 8:40










  • @scott, you're right, i did a mistake. In one minute and per minute is a huge difference to let native english speakers to understand the question. I'm not native, sorry :) Edited question. Hope now it's clear...
    – VmeansVendetta
    Oct 4 '17 at 12:32










  • OK, I have voted to reopen this question (take it off hold).  It will require three more votes, and I’m afraid it’s not likely to get them.  (It might help if you edited the title, which still looks like you’re asking about rate limiting.)  Even if the question does get reopened, the answer might be “you can’t do that” — but I don’t know.
    – Scott
    Oct 4 '17 at 18:49















up vote
2
down vote

favorite












Which rule could we apply on iptables to limit amount of downloaded traffic, for example we need to limit customer so he can download only 400 Kilobytes in a minute from one ip address ? If he downloads more, then block his ip for 5 minutes ? Not apache/nginx, but rather iptabes. I would like to close the network connectivity to people who trying to get > 400kb in one minute frame.










share|improve this question















closed as unclear what you're asking by Scott, h3rrmiller, Jeff Schaller, Anthony Geoghegan, Stephen Rauch Oct 2 '17 at 22:47


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.










  • 2




    Please don’t confuse miles with kilometers.  How are Kilobytes per minute different from Mb/sec except for a scale factor? Please do not respond in comments; edit your question to make it clearer and more complete.
    – Scott
    Oct 2 '17 at 19:35










  • @scott seems you didn't read the question. They want an IP blocked if the date volume exceeds a fixed amount in a fixed time period. Not a rare limit. The question send perfectly clear to me.
    – user1998586
    Oct 4 '17 at 7:45










  • I did read the question.  “400 Kilobytes per minute” does not mean “400 Kilobytes in one minute”, in English.  If that’s what the OP meant, congratulations on having read their mind.  The person who answered read the same question you and I did, and they thought it was about rate limiting; and four people agreed with me that it is unclear.  If you believe that you understand the question so much better than we do, and that you understand English so much better than we do, then please edit the question so that it’s clear to simpletons like me.
    – Scott
    Oct 4 '17 at 8:40










  • @scott, you're right, i did a mistake. In one minute and per minute is a huge difference to let native english speakers to understand the question. I'm not native, sorry :) Edited question. Hope now it's clear...
    – VmeansVendetta
    Oct 4 '17 at 12:32










  • OK, I have voted to reopen this question (take it off hold).  It will require three more votes, and I’m afraid it’s not likely to get them.  (It might help if you edited the title, which still looks like you’re asking about rate limiting.)  Even if the question does get reopened, the answer might be “you can’t do that” — but I don’t know.
    – Scott
    Oct 4 '17 at 18:49













up vote
2
down vote

favorite









up vote
2
down vote

favorite











Which rule could we apply on iptables to limit amount of downloaded traffic, for example we need to limit customer so he can download only 400 Kilobytes in a minute from one ip address ? If he downloads more, then block his ip for 5 minutes ? Not apache/nginx, but rather iptabes. I would like to close the network connectivity to people who trying to get > 400kb in one minute frame.










share|improve this question















Which rule could we apply on iptables to limit amount of downloaded traffic, for example we need to limit customer so he can download only 400 Kilobytes in a minute from one ip address ? If he downloads more, then block his ip for 5 minutes ? Not apache/nginx, but rather iptabes. I would like to close the network connectivity to people who trying to get > 400kb in one minute frame.







iptables firewall






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 7 '17 at 20:21









Paula Livingstone

1032




1032










asked Oct 2 '17 at 18:42









VmeansVendetta

162




162




closed as unclear what you're asking by Scott, h3rrmiller, Jeff Schaller, Anthony Geoghegan, Stephen Rauch Oct 2 '17 at 22:47


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.






closed as unclear what you're asking by Scott, h3rrmiller, Jeff Schaller, Anthony Geoghegan, Stephen Rauch Oct 2 '17 at 22:47


Please clarify your specific problem or add additional details to highlight exactly what you need. As it's currently written, it’s hard to tell exactly what you're asking. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.









  • 2




    Please don’t confuse miles with kilometers.  How are Kilobytes per minute different from Mb/sec except for a scale factor? Please do not respond in comments; edit your question to make it clearer and more complete.
    – Scott
    Oct 2 '17 at 19:35










  • @scott seems you didn't read the question. They want an IP blocked if the date volume exceeds a fixed amount in a fixed time period. Not a rare limit. The question send perfectly clear to me.
    – user1998586
    Oct 4 '17 at 7:45










  • I did read the question.  “400 Kilobytes per minute” does not mean “400 Kilobytes in one minute”, in English.  If that’s what the OP meant, congratulations on having read their mind.  The person who answered read the same question you and I did, and they thought it was about rate limiting; and four people agreed with me that it is unclear.  If you believe that you understand the question so much better than we do, and that you understand English so much better than we do, then please edit the question so that it’s clear to simpletons like me.
    – Scott
    Oct 4 '17 at 8:40










  • @scott, you're right, i did a mistake. In one minute and per minute is a huge difference to let native english speakers to understand the question. I'm not native, sorry :) Edited question. Hope now it's clear...
    – VmeansVendetta
    Oct 4 '17 at 12:32










  • OK, I have voted to reopen this question (take it off hold).  It will require three more votes, and I’m afraid it’s not likely to get them.  (It might help if you edited the title, which still looks like you’re asking about rate limiting.)  Even if the question does get reopened, the answer might be “you can’t do that” — but I don’t know.
    – Scott
    Oct 4 '17 at 18:49













  • 2




    Please don’t confuse miles with kilometers.  How are Kilobytes per minute different from Mb/sec except for a scale factor? Please do not respond in comments; edit your question to make it clearer and more complete.
    – Scott
    Oct 2 '17 at 19:35










  • @scott seems you didn't read the question. They want an IP blocked if the date volume exceeds a fixed amount in a fixed time period. Not a rare limit. The question send perfectly clear to me.
    – user1998586
    Oct 4 '17 at 7:45










  • I did read the question.  “400 Kilobytes per minute” does not mean “400 Kilobytes in one minute”, in English.  If that’s what the OP meant, congratulations on having read their mind.  The person who answered read the same question you and I did, and they thought it was about rate limiting; and four people agreed with me that it is unclear.  If you believe that you understand the question so much better than we do, and that you understand English so much better than we do, then please edit the question so that it’s clear to simpletons like me.
    – Scott
    Oct 4 '17 at 8:40










  • @scott, you're right, i did a mistake. In one minute and per minute is a huge difference to let native english speakers to understand the question. I'm not native, sorry :) Edited question. Hope now it's clear...
    – VmeansVendetta
    Oct 4 '17 at 12:32










  • OK, I have voted to reopen this question (take it off hold).  It will require three more votes, and I’m afraid it’s not likely to get them.  (It might help if you edited the title, which still looks like you’re asking about rate limiting.)  Even if the question does get reopened, the answer might be “you can’t do that” — but I don’t know.
    – Scott
    Oct 4 '17 at 18:49








2




2




Please don’t confuse miles with kilometers.  How are Kilobytes per minute different from Mb/sec except for a scale factor? Please do not respond in comments; edit your question to make it clearer and more complete.
– Scott
Oct 2 '17 at 19:35




Please don’t confuse miles with kilometers.  How are Kilobytes per minute different from Mb/sec except for a scale factor? Please do not respond in comments; edit your question to make it clearer and more complete.
– Scott
Oct 2 '17 at 19:35












@scott seems you didn't read the question. They want an IP blocked if the date volume exceeds a fixed amount in a fixed time period. Not a rare limit. The question send perfectly clear to me.
– user1998586
Oct 4 '17 at 7:45




@scott seems you didn't read the question. They want an IP blocked if the date volume exceeds a fixed amount in a fixed time period. Not a rare limit. The question send perfectly clear to me.
– user1998586
Oct 4 '17 at 7:45












I did read the question.  “400 Kilobytes per minute” does not mean “400 Kilobytes in one minute”, in English.  If that’s what the OP meant, congratulations on having read their mind.  The person who answered read the same question you and I did, and they thought it was about rate limiting; and four people agreed with me that it is unclear.  If you believe that you understand the question so much better than we do, and that you understand English so much better than we do, then please edit the question so that it’s clear to simpletons like me.
– Scott
Oct 4 '17 at 8:40




I did read the question.  “400 Kilobytes per minute” does not mean “400 Kilobytes in one minute”, in English.  If that’s what the OP meant, congratulations on having read their mind.  The person who answered read the same question you and I did, and they thought it was about rate limiting; and four people agreed with me that it is unclear.  If you believe that you understand the question so much better than we do, and that you understand English so much better than we do, then please edit the question so that it’s clear to simpletons like me.
– Scott
Oct 4 '17 at 8:40












@scott, you're right, i did a mistake. In one minute and per minute is a huge difference to let native english speakers to understand the question. I'm not native, sorry :) Edited question. Hope now it's clear...
– VmeansVendetta
Oct 4 '17 at 12:32




@scott, you're right, i did a mistake. In one minute and per minute is a huge difference to let native english speakers to understand the question. I'm not native, sorry :) Edited question. Hope now it's clear...
– VmeansVendetta
Oct 4 '17 at 12:32












OK, I have voted to reopen this question (take it off hold).  It will require three more votes, and I’m afraid it’s not likely to get them.  (It might help if you edited the title, which still looks like you’re asking about rate limiting.)  Even if the question does get reopened, the answer might be “you can’t do that” — but I don’t know.
– Scott
Oct 4 '17 at 18:49





OK, I have voted to reopen this question (take it off hold).  It will require three more votes, and I’m afraid it’s not likely to get them.  (It might help if you edited the title, which still looks like you’re asking about rate limiting.)  Even if the question does get reopened, the answer might be “you can’t do that” — but I don’t know.
– Scott
Oct 4 '17 at 18:49











1 Answer
1






active

oldest

votes

















up vote
2
down vote













This answer assumes this is an XY Problem, and what you actually want is some way to limit server resource usage on a per-user basis to protect against DoS attacks.



First off, there are much better options that don't involve using just iptables, namely:



  1. Use rate limiting built into whatever server software you're using. Most major web servers have support for this built in or as a standard module. It's also the canonical way to rate-limit access to a specific service on a single system. This has three big advantages over using iptalbes:

    • It doesn't block anyone, but it doesn't allow them to exceed their bandwidth cap either (provided you limit the number of connections per source IP).

    • It doesn't clutter your firewall with things that are application-level policy.

    • It is generally very easy to set up. With NGinx, it's quite literally one line (five if you include per-source connection limiting). For Apache, it's two lines (not including the line to load the module).


  2. Use some reverse proxy software (this can even run directly on your application server in some cases) to provide rate limiting. Squid is one of the best examples of this approach, but most reverse proxy options have some kind of support for it. This is the canonical approach if you have multiple backend systems.

  3. Adjust the TCP window scaling parameters. This is reliable and won't break your client if done correctly, and doesn't require any dynamic adjustment once it stabilizes. However, it's non-trivial to set up, and a smart client can work around this to improve performance. This can be done with any server software with some work, but is also limited to per-connection rate limiting.

  4. Use network device queue disciplines combined with connection marking from iptables to do real per-connection rate limiting. This is extremely complex to set up, but has two distinct advantages, namely that it is 100% protocol agnostic (you can use it with anything), and it provides extremely deterministic behavior (which simplifies testing).

If you for some reason absolutely have to use nothing more than iptables, you have three general options:



  1. Use the limit match by itself. This will allow you to limit the number of packets per unit time. By doing some simple math with the MTU for the link, you can easily arrive at a cap for the requested bandwidth.
    For example, to get 400 kilobytes per minute on a link with a MTU of 1500 (standard for Ethernet), you would be looking at a limit of 4 packets per second, or 267 per minute (neither is exact, but they're both within 1%). You will however have to add a rule for each client IP, as the limit is shared for everything that matches the rule.

  2. In a slightly more sophisticated setup, you could use the hashlimit match instead, which would allow for slightly better handling, but suffers from the same rule-per-client limitation as above.

  3. If you absolutely want reactive rate limiting (this is a seriously bad idea, to a degree I absolutely can not emphasize enough here, it will break user expectations on many levels, and is extremely hard to debug by itself, and makes debugging other issues much more difficult), then take a look at the rateest match and target. The target collects data, which you can then match on with the match. That in turn can use the LOG target to trigger action by a userspace helper program which can block the IP.





share|improve this answer






















  • As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
    – user1998586
    Oct 4 '17 at 7:43










  • @user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
    – Austin Hemmelgarn
    Oct 4 '17 at 11:36

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













This answer assumes this is an XY Problem, and what you actually want is some way to limit server resource usage on a per-user basis to protect against DoS attacks.



First off, there are much better options that don't involve using just iptables, namely:



  1. Use rate limiting built into whatever server software you're using. Most major web servers have support for this built in or as a standard module. It's also the canonical way to rate-limit access to a specific service on a single system. This has three big advantages over using iptalbes:

    • It doesn't block anyone, but it doesn't allow them to exceed their bandwidth cap either (provided you limit the number of connections per source IP).

    • It doesn't clutter your firewall with things that are application-level policy.

    • It is generally very easy to set up. With NGinx, it's quite literally one line (five if you include per-source connection limiting). For Apache, it's two lines (not including the line to load the module).


  2. Use some reverse proxy software (this can even run directly on your application server in some cases) to provide rate limiting. Squid is one of the best examples of this approach, but most reverse proxy options have some kind of support for it. This is the canonical approach if you have multiple backend systems.

  3. Adjust the TCP window scaling parameters. This is reliable and won't break your client if done correctly, and doesn't require any dynamic adjustment once it stabilizes. However, it's non-trivial to set up, and a smart client can work around this to improve performance. This can be done with any server software with some work, but is also limited to per-connection rate limiting.

  4. Use network device queue disciplines combined with connection marking from iptables to do real per-connection rate limiting. This is extremely complex to set up, but has two distinct advantages, namely that it is 100% protocol agnostic (you can use it with anything), and it provides extremely deterministic behavior (which simplifies testing).

If you for some reason absolutely have to use nothing more than iptables, you have three general options:



  1. Use the limit match by itself. This will allow you to limit the number of packets per unit time. By doing some simple math with the MTU for the link, you can easily arrive at a cap for the requested bandwidth.
    For example, to get 400 kilobytes per minute on a link with a MTU of 1500 (standard for Ethernet), you would be looking at a limit of 4 packets per second, or 267 per minute (neither is exact, but they're both within 1%). You will however have to add a rule for each client IP, as the limit is shared for everything that matches the rule.

  2. In a slightly more sophisticated setup, you could use the hashlimit match instead, which would allow for slightly better handling, but suffers from the same rule-per-client limitation as above.

  3. If you absolutely want reactive rate limiting (this is a seriously bad idea, to a degree I absolutely can not emphasize enough here, it will break user expectations on many levels, and is extremely hard to debug by itself, and makes debugging other issues much more difficult), then take a look at the rateest match and target. The target collects data, which you can then match on with the match. That in turn can use the LOG target to trigger action by a userspace helper program which can block the IP.





share|improve this answer






















  • As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
    – user1998586
    Oct 4 '17 at 7:43










  • @user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
    – Austin Hemmelgarn
    Oct 4 '17 at 11:36














up vote
2
down vote













This answer assumes this is an XY Problem, and what you actually want is some way to limit server resource usage on a per-user basis to protect against DoS attacks.



First off, there are much better options that don't involve using just iptables, namely:



  1. Use rate limiting built into whatever server software you're using. Most major web servers have support for this built in or as a standard module. It's also the canonical way to rate-limit access to a specific service on a single system. This has three big advantages over using iptalbes:

    • It doesn't block anyone, but it doesn't allow them to exceed their bandwidth cap either (provided you limit the number of connections per source IP).

    • It doesn't clutter your firewall with things that are application-level policy.

    • It is generally very easy to set up. With NGinx, it's quite literally one line (five if you include per-source connection limiting). For Apache, it's two lines (not including the line to load the module).


  2. Use some reverse proxy software (this can even run directly on your application server in some cases) to provide rate limiting. Squid is one of the best examples of this approach, but most reverse proxy options have some kind of support for it. This is the canonical approach if you have multiple backend systems.

  3. Adjust the TCP window scaling parameters. This is reliable and won't break your client if done correctly, and doesn't require any dynamic adjustment once it stabilizes. However, it's non-trivial to set up, and a smart client can work around this to improve performance. This can be done with any server software with some work, but is also limited to per-connection rate limiting.

  4. Use network device queue disciplines combined with connection marking from iptables to do real per-connection rate limiting. This is extremely complex to set up, but has two distinct advantages, namely that it is 100% protocol agnostic (you can use it with anything), and it provides extremely deterministic behavior (which simplifies testing).

If you for some reason absolutely have to use nothing more than iptables, you have three general options:



  1. Use the limit match by itself. This will allow you to limit the number of packets per unit time. By doing some simple math with the MTU for the link, you can easily arrive at a cap for the requested bandwidth.
    For example, to get 400 kilobytes per minute on a link with a MTU of 1500 (standard for Ethernet), you would be looking at a limit of 4 packets per second, or 267 per minute (neither is exact, but they're both within 1%). You will however have to add a rule for each client IP, as the limit is shared for everything that matches the rule.

  2. In a slightly more sophisticated setup, you could use the hashlimit match instead, which would allow for slightly better handling, but suffers from the same rule-per-client limitation as above.

  3. If you absolutely want reactive rate limiting (this is a seriously bad idea, to a degree I absolutely can not emphasize enough here, it will break user expectations on many levels, and is extremely hard to debug by itself, and makes debugging other issues much more difficult), then take a look at the rateest match and target. The target collects data, which you can then match on with the match. That in turn can use the LOG target to trigger action by a userspace helper program which can block the IP.





share|improve this answer






















  • As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
    – user1998586
    Oct 4 '17 at 7:43










  • @user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
    – Austin Hemmelgarn
    Oct 4 '17 at 11:36












up vote
2
down vote










up vote
2
down vote









This answer assumes this is an XY Problem, and what you actually want is some way to limit server resource usage on a per-user basis to protect against DoS attacks.



First off, there are much better options that don't involve using just iptables, namely:



  1. Use rate limiting built into whatever server software you're using. Most major web servers have support for this built in or as a standard module. It's also the canonical way to rate-limit access to a specific service on a single system. This has three big advantages over using iptalbes:

    • It doesn't block anyone, but it doesn't allow them to exceed their bandwidth cap either (provided you limit the number of connections per source IP).

    • It doesn't clutter your firewall with things that are application-level policy.

    • It is generally very easy to set up. With NGinx, it's quite literally one line (five if you include per-source connection limiting). For Apache, it's two lines (not including the line to load the module).


  2. Use some reverse proxy software (this can even run directly on your application server in some cases) to provide rate limiting. Squid is one of the best examples of this approach, but most reverse proxy options have some kind of support for it. This is the canonical approach if you have multiple backend systems.

  3. Adjust the TCP window scaling parameters. This is reliable and won't break your client if done correctly, and doesn't require any dynamic adjustment once it stabilizes. However, it's non-trivial to set up, and a smart client can work around this to improve performance. This can be done with any server software with some work, but is also limited to per-connection rate limiting.

  4. Use network device queue disciplines combined with connection marking from iptables to do real per-connection rate limiting. This is extremely complex to set up, but has two distinct advantages, namely that it is 100% protocol agnostic (you can use it with anything), and it provides extremely deterministic behavior (which simplifies testing).

If you for some reason absolutely have to use nothing more than iptables, you have three general options:



  1. Use the limit match by itself. This will allow you to limit the number of packets per unit time. By doing some simple math with the MTU for the link, you can easily arrive at a cap for the requested bandwidth.
    For example, to get 400 kilobytes per minute on a link with a MTU of 1500 (standard for Ethernet), you would be looking at a limit of 4 packets per second, or 267 per minute (neither is exact, but they're both within 1%). You will however have to add a rule for each client IP, as the limit is shared for everything that matches the rule.

  2. In a slightly more sophisticated setup, you could use the hashlimit match instead, which would allow for slightly better handling, but suffers from the same rule-per-client limitation as above.

  3. If you absolutely want reactive rate limiting (this is a seriously bad idea, to a degree I absolutely can not emphasize enough here, it will break user expectations on many levels, and is extremely hard to debug by itself, and makes debugging other issues much more difficult), then take a look at the rateest match and target. The target collects data, which you can then match on with the match. That in turn can use the LOG target to trigger action by a userspace helper program which can block the IP.





share|improve this answer














This answer assumes this is an XY Problem, and what you actually want is some way to limit server resource usage on a per-user basis to protect against DoS attacks.



First off, there are much better options that don't involve using just iptables, namely:



  1. Use rate limiting built into whatever server software you're using. Most major web servers have support for this built in or as a standard module. It's also the canonical way to rate-limit access to a specific service on a single system. This has three big advantages over using iptalbes:

    • It doesn't block anyone, but it doesn't allow them to exceed their bandwidth cap either (provided you limit the number of connections per source IP).

    • It doesn't clutter your firewall with things that are application-level policy.

    • It is generally very easy to set up. With NGinx, it's quite literally one line (five if you include per-source connection limiting). For Apache, it's two lines (not including the line to load the module).


  2. Use some reverse proxy software (this can even run directly on your application server in some cases) to provide rate limiting. Squid is one of the best examples of this approach, but most reverse proxy options have some kind of support for it. This is the canonical approach if you have multiple backend systems.

  3. Adjust the TCP window scaling parameters. This is reliable and won't break your client if done correctly, and doesn't require any dynamic adjustment once it stabilizes. However, it's non-trivial to set up, and a smart client can work around this to improve performance. This can be done with any server software with some work, but is also limited to per-connection rate limiting.

  4. Use network device queue disciplines combined with connection marking from iptables to do real per-connection rate limiting. This is extremely complex to set up, but has two distinct advantages, namely that it is 100% protocol agnostic (you can use it with anything), and it provides extremely deterministic behavior (which simplifies testing).

If you for some reason absolutely have to use nothing more than iptables, you have three general options:



  1. Use the limit match by itself. This will allow you to limit the number of packets per unit time. By doing some simple math with the MTU for the link, you can easily arrive at a cap for the requested bandwidth.
    For example, to get 400 kilobytes per minute on a link with a MTU of 1500 (standard for Ethernet), you would be looking at a limit of 4 packets per second, or 267 per minute (neither is exact, but they're both within 1%). You will however have to add a rule for each client IP, as the limit is shared for everything that matches the rule.

  2. In a slightly more sophisticated setup, you could use the hashlimit match instead, which would allow for slightly better handling, but suffers from the same rule-per-client limitation as above.

  3. If you absolutely want reactive rate limiting (this is a seriously bad idea, to a degree I absolutely can not emphasize enough here, it will break user expectations on many levels, and is extremely hard to debug by itself, and makes debugging other issues much more difficult), then take a look at the rateest match and target. The target collects data, which you can then match on with the match. That in turn can use the LOG target to trigger action by a userspace helper program which can block the IP.






share|improve this answer














share|improve this answer



share|improve this answer








edited Oct 4 '17 at 11:41

























answered Oct 2 '17 at 19:33









Austin Hemmelgarn

5,2041915




5,2041915











  • As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
    – user1998586
    Oct 4 '17 at 7:43










  • @user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
    – Austin Hemmelgarn
    Oct 4 '17 at 11:36
















  • As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
    – user1998586
    Oct 4 '17 at 7:43










  • @user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
    – Austin Hemmelgarn
    Oct 4 '17 at 11:36















As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
– user1998586
Oct 4 '17 at 7:43




As the question stated, they are not looking for rate limiting, but rather a cut off if the data volume exceeds a limit within a fixed time period.
– user1998586
Oct 4 '17 at 7:43












@user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
– Austin Hemmelgarn
Oct 4 '17 at 11:36




@user1998586 That's rate limiting. It's a reactive, hard-capped approach that's typically used in poorly designed homebrew DoS protection setups, but it's still rate limiting.
– Austin Hemmelgarn
Oct 4 '17 at 11:36


Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?