LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 03-01-2009, 04:08 PM   #1
goofyheadedpunk
Member
 
Registered: Aug 2003
Distribution: Arch Linux
Posts: 140

Rep: Reputation: 15
Outgoing rate limiting with iptables problem.


I am attempting to limit the number of outgoing port 80 TCP connections from my box to a certain domain, say google.com, to, say, 1 connection per minute. I flush, set and list my iptables rules with the following command:

Code:
iptables -F OUTPUT  && iptables -A OUTPUT -p tcp -d google.com --dport 80 -m limit --limit 1/minute  --limit-burst 1 -j ACCEPT && iptables -L OUTPUT
The result is this:

Code:
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             yx-in-f100.google.com tcp dpt:80 limit: avg 1/min burst 1 
ACCEPT     tcp  --  anywhere             cg-in-f100.google.com tcp dpt:80 limit: avg 1/min burst 1 
ACCEPT     tcp  --  anywhere             gw-in-f100.google.com tcp dpt:80 limit: avg 1/min burst 1
This does not limit the connections as I had hoped. Downloading http://www.google.com with curl proceeds as fast as my connection will allow. Using domains that resolve to only a single host exhibit the same issue.

Obviously I've incorrectly configured iptables to do my bidding. I do not, however, see my error. A bit of help?
 
Old 03-01-2009, 04:40 PM   #2
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
I dont believe that this is possible with iptables. From what I have seen anyways. This site might help you out.

http://lartc.org/
 
Old 03-01-2009, 04:52 PM   #3
goofyheadedpunk
Member
 
Registered: Aug 2003
Distribution: Arch Linux
Posts: 140

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by DragonM15 View Post
I dont believe that this is possible with iptables. From what I have seen anyways. This site might help you out.

http://lartc.org/
I have read the Linux routing guide, thank you.

As for this not being possible, what do you mean? Outgoing rate limiting is fairly rare, certainly, but iptables is able to do it. For instance, SMTP traffic is often outbound rate limited to decrease the amount of spam a cracked box can spew before the box can be taken offline.
 
Old 03-01-2009, 05:01 PM   #4
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
Quote:
Originally Posted by goofyheadedpunk View Post
I have read the Linux routing guide, thank you.

As for this not being possible, what do you mean? Outgoing rate limiting is fairly rare, certainly, but iptables is able to do it. For instance, SMTP traffic is often outbound rate limited to decrease the amount of spam a cracked box can spew before the box can be taken offline.
I believe that is just limiting the number of connections the outbound smtp traffic makes. similar to what I do with my SSH, to block someone from making 50 connections to port 22 in the course of a second. Ill look into it some more nad let you know if I find anything.
 
Old 03-01-2009, 05:08 PM   #5
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
From what i have read it isnt possible with iptables, but it IS possible with tc... There are some examples here
 
Old 03-01-2009, 05:18 PM   #6
goofyheadedpunk
Member
 
Registered: Aug 2003
Distribution: Arch Linux
Posts: 140

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by DragonM15 View Post
I believe that is just limiting the number of connections the outbound smtp traffic makes.
Yes, it is. In fact, that is _exactly_ what I'm trying to do. I'm trying to limit, as you put it, the number of connections the output HTTP traffic makes. I don't care one little bit about the bandwidth each connection consumes, bandwidth being the primary focus of tc.

I simply want to filter outbound TCP packets to a certain host on a certain port, such an activity being the primary focus of iptables.
 
Old 03-01-2009, 05:33 PM   #7
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
Oh, sorry for the misunderstanding. I can show you the little script I made that simply checks to see if the same person is making an attempt to connect to ssh more than 3 times it blocks them... you might be able to bend this to your will.
Code:
iptables -N SSH_CHECK

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "New info: " --log-level info
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
Hope this helps you out a little bit more than my previous information.
 
Old 03-01-2009, 05:39 PM   #8
goofyheadedpunk
Member
 
Registered: Aug 2003
Distribution: Arch Linux
Posts: 140

Original Poster
Rep: Reputation: 15
Your SSH limits are for inbound connections, entirely specific to SSH and are something of a non sequitur. They help not at all and are more poorly considered than then enjoinders to read LARTC or use tc.
 
Old 03-01-2009, 06:21 PM   #9
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
Well, shouldnt you just be able to change the chain name, and change destination ports so that it is looking at destination port 80 rather than 22.

From your initial post you made it seem as though you wanted to limit the bandwidth, because you said it still downloads google as fast as your connection allows. How do you know it is actually making more than 1 connection? It could just be using that one connection at full speed?
 
Old 03-01-2009, 06:31 PM   #10
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
As an afterthought, you might try:
Code:
iptables -A OUTPUT -o eth0 -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j DROP
might work?

EDIT: There is no ":" necessary after 80 as I had before.

Last edited by DragonM15; 03-01-2009 at 06:36 PM.
 
Old 03-01-2009, 06:34 PM   #11
DragonM15
Member
 
Registered: Sep 2003
Location: USA
Distribution: Slackware (Multiple Versions)
Posts: 455

Rep: Reputation: 31
Once again, sorry for my misunderstanding of what you were trying to do. Hopefully my previous post is what you need.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Connection rate limiting rodm13 Linux - Networking 1 11-16-2007 05:31 AM
Traffic rate limiting per IP on CentOS 5.0? Trionnis Linux - Networking 2 05-17-2007 07:54 AM
Limiting Bandwidth On Internet When Incoming/Outgoing Call newyorkrebell Linux - Networking 1 04-20-2006 07:15 AM
Rate limiting with Iptables on port 21 rino2003 Linux - Networking 1 12-26-2004 06:34 PM
Kernel Rate Limiting mikeyt_3333 Linux - Networking 1 10-25-2001 11:40 AM


All times are GMT -5. The time now is 08:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration