Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I am attempting to limit the number of outgoing port 80 TCP connections from my box to a certain domain, say google.com, to, say, 1 connection per minute. I flush, set and list my iptables rules with the following command:
This does not limit the connections as I had hoped. Downloading http://www.google.com with curl proceeds as fast as my connection will allow. Using domains that resolve to only a single host exhibits the same issue.
Obviously I've incorrectly configured iptables to do my bidding. I do not, however, see my error. A bit of help?
As for this not being possible, what do you mean? Outgoing rate limiting is fairly rare, certainly, but iptables is able to do it. For instance, SMTP traffic is often outbound rate limited to decrease the amount of spam a cracked box can spew before the box can be taken offline.
I believe that is just limiting the number of connections the outbound SMTP traffic makes, similar to what I do with my SSH, to block someone from making 50 connections to port 22 in the course of a second. I'll look into it some more and let you know if I find anything.
I believe that is just limiting the number of connections the outbound SMTP traffic makes.
Yes, it is. In fact, that is _exactly_ what I'm trying to do. I'm trying to limit, as you put it, the number of connections the output HTTP traffic makes. I don't care one little bit about the bandwidth each connection consumes, bandwidth being the primary focus of tc.
I simply want to filter outbound TCP packets to a certain host on a certain port, such an activity being the primary focus of iptables.
Oh, sorry for the misunderstanding. I can show you the little script I made: it simply checks to see if the same person is making an attempt to connect to ssh more than 3 times and blocks them... you might be able to bend this to your will.
Code:
# New chain; every NEW inbound connection to port 22 is sent through it
iptables -N SSH_CHECK
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
# Record (or add a hit for) the client's source address in the 'recent' table named SSH
iptables -A SSH_CHECK -m recent --set --name SSH
# --set has already counted the current attempt, so the second NEW connection from one address within 60 s reaches --hitcount 2: log it, then drop it
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j LOG --log-prefix "New info: " --log-level info
iptables -A SSH_CHECK -m recent --update --seconds 60 --hitcount 2 --name SSH -j DROP
Hope this helps you out a little bit more than my previous information.
Your SSH limits are for inbound connections, entirely specific to SSH and are something of a non sequitur. They help not at all and are more poorly considered than the enjoinders to read LARTC or use tc.
Well, shouldn't you just be able to change the chain name and change the destination port so that it is looking at destination port 80 rather than 22?
From your initial post you made it seem as though you wanted to limit the bandwidth, because you said it still downloads google as fast as your connection allows. How do you know it is actually making more than 1 connection? It could just be using that one connection at full speed?
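Moving the SSH_CHECK idea to the outbound case the thread is actually about, as an added example that is not from any poster: the same `recent` module in the OUTPUT chain, allowing one NEW connection per 60 seconds from this box to one destination address on port 80. The chain name HTTP_OUT_CHECK, the table name HTTP_OUT, the constructed address 203.0.113.10 and the IPTABLES variable are my own choices; `--rdest` makes the table track the destination address instead of this box's own source address, and `--rcheck` only reads the table so that rejected retries do not extend the window.

```shell
#!/bin/sh
# Added example, not from the thread. IPTABLES=echo prints the commands
# instead of applying them, so the rules can be previewed without root.
IPTABLES=${IPTABLES:-iptables}

# Usage: limit_outbound_http <dest-ip> [window-seconds] [chain]
# Pass an address, not a name: iptables resolves a hostname once, at insert
# time, so call this once per address the domain currently resolves to.
limit_outbound_http() {
    dest=$1
    window=${2:-60}
    chain=${3:-HTTP_OUT_CHECK}

    "$IPTABLES" -N "$chain"
    # Only the first packet of each connection (state NEW) enters the chain;
    # a long download over a single connection is never touched, which is
    # why a fast curl on its own does not prove several connections were made.
    "$IPTABLES" -A OUTPUT -p tcp -d "$dest" --dport 80 \
        -m state --state NEW -j "$chain"
    # --rdest keys the 'recent' table on the destination address. The default
    # (--rsource) keys on the source, which in OUTPUT is always this box.
    # --rcheck only reads the table: if the destination was already seen
    # within the window (--hitcount 1), log the attempt and reset it.
    "$IPTABLES" -A "$chain" -m recent --rdest --name HTTP_OUT \
        --rcheck --seconds "$window" --hitcount 1 \
        -j LOG --log-prefix "HTTP_OUT limit: " --log-level info
    "$IPTABLES" -A "$chain" -m recent --rdest --name HTTP_OUT \
        --rcheck --seconds "$window" --hitcount 1 \
        -j REJECT --reject-with tcp-reset
    # Otherwise record the destination (--set) and let the connection through.
    "$IPTABLES" -A "$chain" -m recent --rdest --name HTTP_OUT --set -j ACCEPT
}

# Preview without touching the firewall:
#   IPTABLES=echo sh limit_http.sh 203.0.113.10
if [ $# -gt 0 ]; then
    limit_outbound_http "$@"
fi
```

Because the jump rule matches on `-d`, a domain with several addresses needs one call per address, and the `recent` table is only consulted for the SYN of each new connection.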