[SOLVED] IPTABLES bandwidth quota not working for linux router.
Dear All,
My OS: Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel:
Linux www 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686 i386 GNU/Linux
My Linux box is working as a router with two NICs.
a) eth0 = 10.10.56.23 (which is connected to the internet via NATing)
b) eth1 = 10.136.15.197 (which is connected to the internal N/w).
The box is acting as a gateway to the internet: customers connect to eth1 and by the iptables FORWARD rule the same traffic gets out to eth0 to the internet.
Below is my iptables file from /etc/sysconfig:
=============================================================
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*mangle
:PREROUTING ACCEPT [35:5022]
:INPUT ACCEPT [35:5022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:POSTROUTING ACCEPT [12:1734]
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*filter
:INPUT ACCEPT [10:1578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:LOGDROP - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*nat
:PREROUTING ACCEPT [6:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:153]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
===========================================================
But when I apply (add) the iptables rules below before the two FORWARD rules
-A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT
-A INPUT -i eth1 -p tcp -j DROP
it blocks the HTTP traffic from the client (e.g. 10.136.15.196/customer to 10.136.15.197/eth1) till the limit of 10000, which is fine, but my forwarded traffic, which is also going from eth1 (customers) to eth0 (WAN) and then to the internet, is not getting blocked (remains unlimited).
So in summary I mean that traffic destined for eth1 is getting blocked, but traffic destined for the internet via eth0 is not getting blocked.
Also let me tell you what I have done after the new installation:
1. Defined eth0 as 10.10.56.23
2. Defined eth1 as 10.136.15.197
3. Enabled IP forwarding in sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
4. Applied the below firewall rules (after flushing all the iptables rules):
iptables -A FORWARD --in-interface eth1 --out-interface eth0 --source 10.136.0.0/24 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
Any help in this regard will be highly appreciated.
Last edited by diptanu; 08-06-2010 at 05:53 AM.
Reason: Missed the OS and the kernel name
Hi etabroo,
Thanks a lot for your help.
However, I would be very thankful if you could provide me the snippets of the FORWARD rule that I need to put. I suppose the rules below are the ones you mean (marked in RED):
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*mangle
:PREROUTING ACCEPT [35:5022]
:INPUT ACCEPT [35:5022]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:POSTROUTING ACCEPT [12:1734]
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*filter
:INPUT ACCEPT [10:1578]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1734]
:LOGDROP - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s ! 192.168.3.0/255.255.255.248 -i eth0 -p tcp -m tcp --dport 2222 -j LOGDROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth0 -p tcp -m quota --quota 10000 -j ACCEPT
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth0 -p tcp -j DROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A LOGDROP -j LOG --log-prefix "LOGDROP "
-A LOGDROP -j DROP
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
# Generated by iptables-save v1.3.5 on Mon Apr 19 23:22:06 2010
*nat
:PREROUTING ACCEPT [6:1020]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [2:153]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon Apr 19 23:22:06 2010
Last edited by diptanu; 08-06-2010 at 07:42 AM.
Reason: typo format error
Hi Etabroo,
Thanks a lot for your kind help. I tried the RED ones, but it's not working.
What I did next was to put in the rules below, which are working as per my requirement:
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m quota --quota 100000 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth1 -p tcp -j LOG --log-prefix "quotaover " --log-level 4
iptables -t mangle -A PREROUTING -i eth1 -p tcp -j DROP
But one strange thing is, for example, I have fixed the quota to 3000 bytes, and then I randomly download a video to exceed the quota, and once I exceed the quota I again and again (very fast) execute the command below to check the status of the quota
iptables -t mangle -L -v
then I see that the leftover quota (usually 0 bytes, as I have exceeded the defined quota of 3000) keeps on changing automatically and randomly. Sometimes it comes back to the original value (3000) and then again reverts to 0; it keeps on fluctuating between 3000 and 0. But one good thing is I am not able to surf the internet once I have crossed the quota (though the value keeps on changing).
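Added example (not code from any post in this thread): a small shell audit that reads an iptables-save dump and reports, for every `-m quota` rule, which table/chain it sits in and whether that chain is on the path of forwarded traffic at all. It makes the first post's problem visible in the ruleset itself: a quota rule in filter/INPUT only governs packets addressed to the router (the 10.136.15.197 test), never the packets the router forwards out eth0, which traverse filter/FORWARD and the mangle/nat PREROUTING and POSTROUTING chains instead, which is why the mangle/PREROUTING placement from the last post takes effect. The chain classification and the sample dump (built from the rules quoted in the thread, counters zeroed) are the example's own. One caveat the in=/out= columns make visible: a rule matching `-i eth1` counts only bytes entering from the customer side (requests and uploads); reply bytes from the internet enter on eth0 and are not counted against that quota.

```shell
#!/usr/bin/env bash
# quota_audit.sh: find every `-m quota` rule in an iptables-save dump and say
# whether the chain it lives in is ever consulted for forwarded traffic.
# Added example for this thread; not code from the original posts.

# Table/chain pairs that forwarded (router-transit) packets traverse. Rules in
# filter/INPUT or filter/OUTPUT only see packets addressed to or sent by the
# router itself. (Classification is the example's own, from the netfilter
# IPv4 packet flow; the raw table is not considered.)
sees_forwarded() {
  case "$1/$2" in
    filter/FORWARD|mangle/PREROUTING|mangle/FORWARD|mangle/POSTROUTING|nat/PREROUTING|nat/POSTROUTING)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# audit_quota_rules: reads iptables-save format on stdin and prints one line
# per quota rule:
#   <table>/<chain> quota=<bytes> in=<iface|any> out=<iface|any> FORWARDED|LOCAL-ONLY
audit_quota_rules() {
  local table="" line chain quota iface_in iface_out verdict
  while IFS= read -r line; do
    case "$line" in
      \*[a-z]*) table="${line#\*}"; continue ;;   # "*filter" starts a table
      -A*) ;;                                      # a rule line
      *) continue ;;                               # comments, :CHAIN lines, COMMIT
    esac
    case "$line" in *"-m quota"*) ;; *) continue ;; esac
    chain=$(printf '%s\n' "$line" | awk '{print $2}')
    quota=$(printf '%s\n' "$line" | sed -n 's/.*--quota \([0-9][0-9]*\).*/\1/p')
    iface_in=$(printf '%s\n' "$line" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
    iface_out=$(printf '%s\n' "$line" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
    if sees_forwarded "$table" "$chain"; then verdict=FORWARDED; else verdict=LOCAL-ONLY; fi
    printf '%s/%s quota=%s in=%s out=%s %s\n' \
      "$table" "$chain" "$quota" "${iface_in:-any}" "${iface_out:-any}" "$verdict"
  done
}

# Constructed sample dump: the thread's filter table with the first post's INPUT
# quota rule, plus the mangle PREROUTING rules from the last post.
sample_dump() {
  cat <<'EOF'
# Generated by iptables-save (constructed sample, counters zeroed)
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m quota --quota 100000 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -j LOG --log-prefix "quotaover " --log-level 4
-A PREROUTING -i eth1 -p tcp -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m quota --quota 10000 -j ACCEPT
-A INPUT -i eth1 -p tcp -j DROP
-A FORWARD -s 10.136.0.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage with the constructed sample; on a live router use:
#   iptables-save | audit_quota_rules
sample_dump | audit_quota_rules
```

Run against the sample, the INPUT rule is reported LOCAL-ONLY and the mangle/PREROUTING rule FORWARDED, matching what the two posts observed. A quota that should cap a customer's download volume would need a FORWARD-path rule that also matches the reply direction (packets arriving on eth0 destined to the customer address), since the `-i eth1` rule never sees those bytes.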