Outgoing rate limiting with iptables problem.

goofyheadedpunk · 03-01-2009, 04:08 PM

I am attempting to limit the number of outgoing port 80 TCP connections from my box to a certain domain, say google.com, to, say, 1 connection per minute. I flush, set and list my iptables rules with the following command:

Code:

iptables -F OUTPUT  && iptables -A OUTPUT -p tcp -d google.com --dport 80 -m limit --limit 1/minute  --limit-burst 1 -j ACCEPT && iptables -L OUTPUT

The result is this:

Code:

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             yx-in-f100.google.com tcp dpt:80 limit: avg 1/min burst 1 
ACCEPT     tcp  --  anywhere             cg-in-f100.google.com tcp dpt:80 limit: avg 1/min burst 1 
ACCEPT     tcp  --  anywhere             gw-in-f100.google.com tcp dpt:80 limit: avg 1/min burst 1

This does not limit the connections as I had hoped. Downloading http://www.google.com with curl proceeds as fast as my connection will allow. Using domains that resolve to only a single host exhibit the same issue.

Obviously I've incorrectly configured iptables to do my bidding. I do not, however, see my error. A bit of help?

DragonM15 · 03-01-2009, 04:40 PM

I dont believe that this is possible with iptables. From what I have seen anyways. This site might help you out.

http://lartc.org/

goofyheadedpunk · 03-01-2009, 04:52 PM

Quote:

Originally Posted by DragonM15

I dont believe that this is possible with iptables. From what I have seen anyways. This site might help you out.

http://lartc.org/

I have read the Linux routing guide, thank you.

As for this not being possible, what do you mean? Outgoing rate limiting is fairly rare, certainly, but iptables is able to do it. For instance, SMTP traffic is often outbound rate limited to decrease the amount of spam a cracked box can spew before the box can be taken offline.

DragonM15 · 03-01-2009, 05:01 PM

Quote:

Originally Posted by goofyheadedpunk

I have read the Linux routing guide, thank you.

As for this not being possible, what do you mean? Outgoing rate limiting is fairly rare, certainly, but iptables is able to do it. For instance, SMTP traffic is often outbound rate limited to decrease the amount of spam a cracked box can spew before the box can be taken offline.

I believe that is just limiting the number of connections the outbound smtp traffic makes. similar to what I do with my SSH, to block someone from making 50 connections to port 22 in the course of a second. Ill look into it some more nad let you know if I find anything.

DragonM15 · 03-01-2009, 05:08 PM

From what i have read it isnt possible with iptables, but it IS possible with tc... There are some examples here

goofyheadedpunk · 03-01-2009, 05:18 PM

Quote:

Originally Posted by DragonM15

I believe that is just limiting the number of connections the outbound smtp traffic makes.

Yes, it is. In fact, that is _exactly_ what I'm trying to do. I'm trying to limit, as you put it, the number of connections the output HTTP traffic makes. I don't care one little bit about the bandwidth each connection consumes, bandwidth being the primary focus of tc.

I simply want to filter outbound TCP packets to a certain host on a certain port, such an activity being the primary focus of iptables.

DragonM15 · 03-01-2009, 05:33 PM

Oh, sorry for the misunderstanding. I can show you the little script I made that simply checks to see if the same person is making an attempt to connect to ssh more than 3 times it blocks them... you might be able to bend this to your will.

Code:

iptables -N SSH_CHECK

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
iptables -A SSH_CHECK -m recent --set --name SSH
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "New info: " --log-level info
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP

Hope this helps you out a little bit more than my previous information.

goofyheadedpunk · 03-01-2009, 05:39 PM

Your SSH limits are for inbound connections, entirely specific to SSH and are something of a non sequitur. They help not at all and are more poorly considered than then enjoinders to read LARTC or use tc.

DragonM15 · 03-01-2009, 06:21 PM

Well, shouldnt you just be able to change the chain name, and change destination ports so that it is looking at destination port 80 rather than 22.

From your initial post you made it seem as though you wanted to limit the bandwidth, because you said it still downloads google as fast as your connection allows. How do you know it is actually making more than 1 connection? It could just be using that one connection at full speed?

DragonM15 · 03-01-2009, 06:31 PM

As an afterthought, you might try:

Code:

iptables -A OUTPUT -o eth0 -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j DROP

might work?

EDIT: There is no ":" necessary after 80 as I had before.

DragonM15 · 03-01-2009, 06:34 PM

Once again, sorry for my misunderstanding of what you were trying to do. Hopefully my previous post is what you need.