Linux - Security
This forum is for all security related questions.
Yes, that's what the -limit option is all about. But it's limiting frames per second, not bytes per second.
10K bytes / 1500 byte MTU = 6.66 frames per second. So you might add something like "-limit 6 -limit-burst 12" to your iptables rule to ensure you never go over 10K bytes per second. If you make the rule too general (all protocols, all ports), protocols that use smaller frames (e.g. IM) will get severely restricted though. YMMV.
Of course, replace eth0 with whatever your interface is actually called. Also, I'm not entirely sure this will do what you want. Shouldn't you be doing the inverse of this? That is, setting an ACCEPT rule like this, and letting the other packets hit the DROP policy (or DROP rule below the ACCEPT).
BTW, I should mention that after reading the OP I think the connbytes match module might be better suited for this than the limit module. It's just a thought.
Code:
connbytes
Match by how many bytes or packets a connection (or one of the two
flows constituting the connection) have transferred so far, or by
average bytes per packet.
The counters are 64bit and are thus not expected to overflow ;)
The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.
The transferred bytes per connection can also be viewed through
/proc/net/ip_conntrack and accessed via ctnetlink
[!] --connbytes from:[to]
match packets from a connection whose packets/bytes/average
packet size is more than FROM and less than TO bytes/packets. If
TO is omitted only FROM check is done. "!" is used to match
packets not falling in the range.
--connbytes-dir [original|reply|both]
which packets to consider
--connbytes-mode [packets|bytes|avgpkt]
whether to check the amount of packets, number of bytes
transferred or the average size (in bytes) of all packets received so
far. Note that when "both" is used together with "avgpkt", and
data is going (mainly) only in one direction (for example HTTP),
the average packet size will be about half of the actual data
packets.
Example:
iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...
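An added example, not a rule posted in this thread: it does the byte-budget to frames-per-second arithmetic from the reply above and prints the two rule shapes discussed there (a limit-based ACCEPT followed by a DROP, and the connbytes match the man page describes for marking heavy flows). It assumes the interface eth0 and port 27015 from the thread, and that conntrack byte accounting (net.netfilter.nf_conntrack_acct) is enabled, since connbytes never matches without it. It only prints commands; nothing is applied.

```shell
#!/bin/sh
# Constructed example: prints iptables commands, applies nothing.
IFACE="${IFACE:-eth0}"   # assumption: interface name used in the reply
PORT=27015               # port named by the original poster

# floor(bytes / mtu): frames per second that stay under the byte budget
# (10000 / 1500 = 6.66, rounded down to 6 so the budget is never exceeded)
fps_for_budget() {
    bytes=$1; mtu=$2
    echo $(( bytes / mtu ))
}

# Limit-based pair: ACCEPT up to fps frames/s (burst 2*fps), DROP the rest.
# Note this counts frames, not bytes, as the reply points out.
limit_rules() {
    bytes=$1; mtu=$2
    fps=$(fps_for_budget "$bytes" "$mtu")
    burst=$(( fps * 2 ))
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m limit --limit %s/second --limit-burst %s -j ACCEPT\n' \
        "$IFACE" "$PORT" "$fps" "$burst"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$IFACE" "$PORT"
}

# connbytes variant, as the man page intends it: once a connection has moved
# more than BYTES in both directions, mark it so tc can put it in a lower
# priority band. connbytes is cumulative per connection, not per second, and
# needs conntrack accounting switched on or it matches nothing.
connbytes_rules() {
    bytes=$1
    printf 'sysctl -w net.netfilter.nf_conntrack_acct=1\n'
    printf 'iptables -t mangle -A PREROUTING -i %s -p tcp --dport %s -m connbytes --connbytes %s: --connbytes-dir both --connbytes-mode bytes -j MARK --set-mark 0x1\n' \
        "$IFACE" "$PORT" "$bytes"
}

limit_rules 10000 1500
connbytes_rules 10000
```

Review the printed commands, then run them as root; the connbytes rule only marks packets, so a matching tc class is still needed to actually slow the flow.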
Yeah, I was going to say this. The limit wasn't the rule that I'm looking for, but I think connbytes is the thing I am looking for. I'm going to search this, thanks for your help =) you're the best
When I have no rules for port 27015 tcp on iptables, it does not allow access; I think this is normal. But when I try to use connbytes, it does not help at all, it does nothing.