Hello,
I use the following iptables rules and I want to know whether they can reduce my Internet speed:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N SYN_FLOOD
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
iptables -A SYN_FLOOD -j DROP
You need to define your use case and what your objective is much more clearly.
Your rules limit the number of new TCP requests which get through, but that is not equivalent to limiting "internet speed", not even close.
As your rules are applied to incoming requests I would conclude that this is for an internet exposed server of some sort, not a desktop machine. If so, these rules are inadequate for any real world purpose.
In general iptables rules cannot limit speed, that requires another tool named tc (for traffic control). See man tc for an introduction.
Last edited by astrogeek; 04-29-2023 at 12:27 PM.
Reason: typo
Kind of two things going on. One is software based filtering. Two is the amount of processing power that might be needed to enforce the rules. I can't guess that, so I agree with the need for testing on your use.
Generally the sales pitch for hardware based devices is that they are designed to operate closer to wire speeds.
Quote:
You need to define your use case and what your objective is much more clearly.
Your rules limit the number of new TCP requests which get through, but that is not equivalent to limiting "internet speed", not even close.
As your rules are applied to incoming requests I would conclude that this is for an internet exposed server of some sort, not a desktop machine. If so, these rules are inadequate for any real world purpose.
In general iptables rules cannot limit speed, that requires another tool named tc (for traffic control). See man tc for an introduction.
Hello,
Thank you so much for your reply.
I mean downloading through the Internet.
What do you mean?
Quote:
If so, these rules are inadequate for any real world purpose.
I mean downloading through the Internet.
What do you mean?
Read the iptables ruleset that you posted, it won't affect a desktop system in any meaningful way. As mentioned tc is used for traffic shaping, in conjunction with either iptables or nftables. The latter is preferable, so if you are starting out, ignore iptables and focus on nftables instead.
One thing about traffic shaping rules is that they can only really affect outgoing bandwidth. Random Early Detection might be an option for influencing incoming connections but by and large traffic shaping only affects outgoing data.
Quote:
Hello,
Thank you so much for your reply.
I mean downloading through the Internet.
What do you mean?
What I meant about the rules being inadequate was that if this were for a server (which apparently it is not) then those rules would not provide any useful level of function. For an internet facing server you would want to manage connections by protocol, port and probably other parameters.
If this is for a desktop computer, presumably behind a router, you should probably not see any NEW or SYN packets from the outside world unless you have enabled selected pass through in the router. So limiting the number of SYN packets will not really affect anything and those rules serve no useful purpose here either.
As mentioned, you can only control the speed (actually bandwidth) of outgoing traffic because the sender determines how fast incoming traffic arrives. Typically, to limit download speed from the internet you want to delay outgoing ACK packets as a function of the total number of bytes received per second. You can do this with iptables/tc, but if you simply want to limit the bandwidth of specific large downloads so as to allow other uses like web browsing to continue at the same time, perhaps using a utility which allows you to throttle bandwidth like wget would provide a simpler solution.
So the real question is, what problem are you actually trying to solve?
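An added illustration (not code from the thread) of two points made above: the posted ruleset only meters new inbound TCP SYNs while established download traffic is accepted untouched, and on this host a SYN that stays within the limit is RETURNed into an INPUT chain with no rules left, so the DROP policy takes it anyway. The model replays the OP's rules over constructed traffic; the xt_limit-style token bucket and the traffic mix are assumptions for the demonstration, not measurements.

```python
# Added example, not from the thread: model of the posted INPUT ruleset (times in ms).
from dataclasses import dataclass
from collections import Counter

@dataclass
class Packet:
    t_ms: int         # arrival time
    iface: str        # "eth0" or "lo"
    syn: bool         # TCP SYN without ACK, i.e. a new connection attempt
    state: str        # conntrack state: NEW, ESTABLISHED or RELATED
    size: int = 1500  # bytes; no rule in the set ever looks at this

class LimitMatch:
    """Token bucket modelled on xt_limit: credit in ms, a packet costs 1000/rate."""
    def __init__(self, rate_per_s, burst):
        self.cost = 1000 // rate_per_s   # 200 ms per SYN for --limit 5/s
        self.cap = self.cost * burst     # 2000 ms bucket for --limit-burst 10
        self.credit, self.prev = self.cap, 0
    def matches(self, now_ms):
        self.credit = min(self.cap, self.credit + now_ms - self.prev)
        self.prev = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

def input_chain(pkt, syn_limit):
    """Verdict for one inbound packet under the rules posted above."""
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                   # -m state --state ESTABLISHED,RELATED
    if pkt.iface == "lo":
        return "ACCEPT"                   # -i lo -j ACCEPT
    if pkt.syn:                           # -p tcp --syn -j SYN_FLOOD
        if not syn_limit.matches(pkt.t_ms):
            return "DROP (SYN_FLOOD)"     # over the limit: -A SYN_FLOOD -j DROP
        # within the limit: -j RETURN to INPUT, which has no further rules
    return "DROP (INPUT policy)"          # -P INPUT DROP

def simulate(packets):
    """Count verdicts per conntrack state over a time-ordered packet list."""
    limit, out = LimitMatch(rate_per_s=5, burst=10), {}
    for p in sorted(packets, key=lambda p: p.t_ms):
        out.setdefault(p.state, Counter())[input_chain(p, limit)] += 1
    return out

# Constructed traffic: a 1 s download (1000 ESTABLISHED packets of 1500 B,
# about 12 Mbit/s) interleaved with 40 inbound SYNs 25 ms apart (40/s).
DOWNLOAD = [Packet(t, "eth0", False, "ESTABLISHED") for t in range(1000)]
SYNS = [Packet(t, "eth0", True, "NEW", 60) for t in range(0, 1000, 25)]
RESULT = simulate(DOWNLOAD + SYNS)
```

Every download packet is accepted by the first rule regardless of size, so the limiter never touches throughput; of the 40 SYNs, 14 pass the limiter and are still dropped by the INPUT policy, the other 26 are dropped in SYN_FLOOD.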