LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-08-2017, 10:38 AM   #1
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Rep: Reputation: Disabled
limit udp traffic per ip using iptables only


i am currently making test udp flood on my ubuntu server as we see in screenshot below

screenshot

in this screenshot we see the ip attacker is 162.222.73.109 and this ip is consumed all trafic (100mbps)

my question how can i limit traffic per ip/second ?

i mean if he made udp flood he just get 1 mb/second not full 100mb/second
 
Old 04-08-2017, 11:20 AM   #2
whynotkeithberg
LQ Newbie
 
Registered: Nov 2013
Location: Murder Dubs... Oakland CA
Distribution: RHEL
Posts: 20

Rep: Reputation: Disabled
You'd most likely want to use tc. However, if you're trying to defend against it you'd most likely just want to block the IP. However... that being said the traffic is still going to reach your server and clog the network. To truly solve it you'd need to block it somewhere upstream where there is a bigger pipe. Or you could use a service such as Cloudflare that you use as a proxy to your site. All traffic initially goes to their network where they filter DDoS for you and then send the proper traffic to your server. Thus protecting you from the DDoS.

However... If you're just trying to test something just use tc.

http://lartc.org/howto/lartc.ratelimit.single.html
 
Old 04-08-2017, 11:26 AM   #3
end
Member
 
Registered: Aug 2016
Posts: 233

Rep: Reputation: Disabled
hy

iptables -I INPUT -p tcp -m udp -s "putip" --dport 80 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

iptables -I INPUT -p tcp -m udp -s "putip" --dport 443 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

or

#iptables -I INPUT -p udp --dport 80 -m state --state NEW -m recent --set

#iptables -I INPUT -p udp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

#iptables -I INPUT -p udp --dport 443 -m state --state NEW -m recent --set

#iptables -I INPUT -p udp --dport 443 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

put -s source ip or leave it to apply for all connected ip. play with seconds and hitcount to find right values for your server.
 
Old 04-08-2017, 11:27 AM   #4
whynotkeithberg
LQ Newbie
 
Registered: Nov 2013
Location: Murder Dubs... Oakland CA
Distribution: RHEL
Posts: 20

Rep: Reputation: Disabled
That's not limiting by speed though which is what he wants. Plus he was talking UDP not TCP.
 
Old 04-08-2017, 11:34 AM   #5
end
Member
 
Registered: Aug 2016
Posts: 233

Rep: Reputation: Disabled
hy

just change tcp to udp. yes sorry i didnt see abot bandwith.
 
Old 04-08-2017, 12:04 PM   #6
end
Member
 
Registered: Aug 2016
Posts: 233

Rep: Reputation: Disabled
hy

you can check hash limit option if you whant use only iptables

http://www.iptables.info/en/iptables...HASHLIMITMATCH
 
Old 04-08-2017, 12:05 PM   #7
whynotkeithberg
LQ Newbie
 
Registered: Nov 2013
Location: Murder Dubs... Oakland CA
Distribution: RHEL
Posts: 20

Rep: Reputation: Disabled
tc is traffic controller. What he is asking to do is literally what it's designed for. I'm 99.9% sure that iptables CANNOT do traffic shaping (limiting by a specific amount of bandwidth)
 
Old 04-08-2017, 12:07 PM   #8
whynotkeithberg
LQ Newbie
 
Registered: Nov 2013
Location: Murder Dubs... Oakland CA
Distribution: RHEL
Posts: 20

Rep: Reputation: Disabled
I use tc at work all the time to implement packet loss, low bandwidth simulations and more to do systems tests at work and see how well our applications handle network issues.
 
Old 04-08-2017, 12:12 PM   #9
end
Member
 
Registered: Aug 2016
Posts: 233

Rep: Reputation: Disabled
you are right about tc and that iptables canot do bandwith control. but with conection limit or hash he can acomplish bandwith consuption per ip. he ask about iptables maybe is not strict bandwith control but he can acomplist consuption with these options.
 
Old 04-08-2017, 12:14 PM   #10
whynotkeithberg
LQ Newbie
 
Registered: Nov 2013
Location: Murder Dubs... Oakland CA
Distribution: RHEL
Posts: 20

Rep: Reputation: Disabled
He specifically asks about limiting it to 1Mbps. So being able to limit IP's by a specific amount of bandwidth per second. Something iptables cannot do. What you're talking about can slow down connections by limiting how many they have. however, it can't limit the speed in any way through that connection.
 
Old 04-08-2017, 12:21 PM   #11
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
thank you all for reply,

actually this is not a website this is a gaming host vps so i use only udp ports

@whynotkeithberg yes you are right i can prevent them by blocking his ip but this test from me and i need to block this DOS automatically or not block just limit him like 1 mb/s as max.

@end thank you for making rules i will test it and share result here, but please can you give the end rules after editing it to udp ports ?

my edit will be like this

iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set

iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

and this

iptables -I INPUT -p udp -m udp -s "162.222.73.98" --dport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP


this right ??


after test those rules, the result is same

Last edited by Obada; 04-08-2017 at 12:32 PM.
 
Old 04-08-2017, 12:36 PM   #12
end
Member
 
Registered: Aug 2016
Posts: 233

Rep: Reputation: Disabled
you are right . but for udp flood i think its better hash limit, or connection limit beacouse if you reduce to 1mb's, packets still comming you just reduce their speed.

yes you wrote it right. just play with hitcount and seconds. remove quotes from ip.
try change --dport to -sport 27043

Code:
iptables -I INPUT -p udp -m udp -s 162.222.73.98 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

Last edited by end; 04-08-2017 at 12:54 PM.
 
Old 04-08-2017, 01:13 PM   #13
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
same problem :\ .....

this screenshot from attacker as you can see i reduce the byte from 1024 to 90 to don't turnoff on my players

attacker screenshot

so not all udp traffic go down it consumed 70 mb/s rather than 100mb/s but if i set the byte to 1024 all traffic go to attacker ip

victim screenshot

this
Code:
iptables -L
command

screenshot
 
Old 04-08-2017, 02:26 PM   #14
end
Member
 
Registered: Aug 2016
Posts: 233

Rep: Reputation: Disabled
put same comands in OUTPUT

iptables -I OUTPUT -p udp -d 162.222.73.98 --sport 27043 -m state --state NEW -m recent --set

iptables -I IOUTPUT -p udp -d 162.222.73.98 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -I OUTPUT -p udp -m udp -d 162.222.73.98 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP

Last edited by end; 04-08-2017 at 02:39 PM.
 
Old 04-08-2017, 03:15 PM   #15
Obada
LQ Newbie
 
Registered: Apr 2017
Posts: 21

Original Poster
Rep: Reputation: Disabled
no effect

my try is flush iptables then add this rules

Code:
iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --set

iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -I OUTPUT -p udp -m udp -d 162.222.73.243 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
after fail

add the input with output


Code:
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --set
iptables -I INPUT -p udp --dport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP
iptables -I INPUT -p udp -m udp -s 162.222.73.243 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP



iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --set

iptables -I OUTPUT -p udp -d 162.222.73.243 --sport 27043 -m state --state NEW -m recent --update --seconds 1 --hitcount 2 -j DROP

iptables -I OUTPUT -p udp -m udp -d 162.222.73.243 --sport 27043 -m connlimit --connlimit-above 1 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j DROP
and fail
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables: trying to forward UDP traffic jbbroccard2 Linux - Networking 2 07-27-2017 01:11 AM
UDP traffic unauthorized on Ubuntu 10.04 galen Linux - Security 2 03-12-2011 07:05 PM
Should traffic control root qdsic & child class limit traffic? Washington Ratso Linux - Networking 0 02-23-2011 07:16 PM
[HELP] redirect traffic to spesific port based on Traffic Content using iptables summersgone Linux - Server 2 06-22-2009 11:26 AM
how to limit traffic a device (eth0) using iptables? modpriest Linux - Software 1 09-04-2008 01:22 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration