LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Maximum packet size (https://www.linuxquestions.org/questions/linux-security-4/maximum-packet-size-567471/)

mrtcn 07-07-2007 06:43 PM

Maximum packet size
 
Hi. I want to limit maximum packet size transferred per second to 10kb or limit any packet size to 10kb max. can i do this with iptables?

thanks =)

lambchops468 07-08-2007 12:06 PM

aren't packet sizes over TCP/IP max 1500 bytes?

mrtcn 07-08-2007 01:38 PM

ooops i didn't knew that... then i want to limit the upload to 10kb/s per second per ip =(

whistl 07-08-2007 02:22 PM

use -limit
 
Yes, that's what the -limit option is all about. But it's limiting frames per second, not bytes per second.

10K bytes / 1500 byte MTU = 6.66 frames per second. So you might add something like "-limit 6 -limit-burst 12" to your iptables rule to ensure you never go over 10K bytes per second. If you make the rule too general (all protocols, all ports), protocols that use smaller frames (eg. IM) will get severely restricted though. YMMV.

Good Luck!

mrtcn 07-08-2007 03:39 PM

i am stranger to iptables
i want to drop tcp packets coming to 27015 by the -limit 6 -limit-burst 12, can you write the full code :(

thanks =)

mrtcn 07-09-2007 04:32 PM

it's kind of urgent, can anyone help?

win32sux 07-09-2007 04:50 PM

Quote:

Originally Posted by mrtcn
i am stranger to iptables
i want to drop tcp packets coming to 27015 by the -limit 6 -limit-burst 12, can you write the full code

This would go like this:
Code:

iptables -I INPUT -p TCP -i eth0 --dport 27015 \
-m limit --limit 6/second --limit-burst 12 -j DROP

Of course, replace eth0 with whatever your interface is actually called. Also, I'm not entirely sure this will do what you want. Shouldn't you be doing the inverse of this? That is, setting an ACCEPT rule like this, and letting the other packets hit the DROP policy (or DROP rule below the ACCEPT).

mrtcn 07-09-2007 04:59 PM

this code drops all the tcp connection on 27015 :(

win32sux 07-09-2007 05:11 PM

Quote:

Originally Posted by mrtcn
this code drops all the tcp connection on 27015 :(

I suspect you need to do the inverse then, as mentioned above. Like:
Code:

iptables -A INPUT -p TCP -i eth0 --dport 27015 \
-m limit --limit 6/second --limit-burst 12 -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 27015 -j DROP

Make sure you have the DROP rule after the ACCEPT one, and make sure both rules are before any rule that could send the 27015 packets to ACCEPT.

win32sux 07-09-2007 05:36 PM

BTW, I should mention that after reading the OP I think the connbytes match module might be better suited for this than the limit module. It's just a thought.
Code:

  connbytes
      Match  by  how  many  bytes  or packets a connection (or one of the two
      flows constituting the connection) have tranferred so far, or by  aver‐
      age bytes per packet.

      The counters are 64bit and are thus not expected to overflow ;)

      The  primary  use is to detect long-lived downloads and mark them to be
      scheduled using a lower priority band in traffic control.

      The  transfered  bytes  per  connection  can  also  be  viewed  through
      /proc/net/ip_conntrack and accessed via ctnetlink

      [!] --connbytes from:[to]
              match  packets  from  a  connection  whose packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets. if
              TO  is  omitted  only  FROM  check is done. "!" is used to match
              packets not falling in the range.

      --connbytes-dir [original|reply|both]
              which packets to consider

      --connbytes-mode [packets|bytes|avgpkt]
              whether to check the amount of packets, number of  bytes  trans‐
              ferred or the average size (in bytes) of all packets received so
              far. Note that when "both" is used together with  "avgpkt",  and
              data is going (mainly) only in one direction (for example HTTP),
              the average packet size will be about half of  the  actual  data
              packets.

      Example:
              iptables  ..  -m connbytes --connbytes 10000:100000 --connbytes-
              dir both --connbytes-mode bytes ...


mrtcn 07-09-2007 06:22 PM

yeah i was going to say this, the limit wasn't the rule that i'm looking for but i think connbytes is the thing i am looking for, i'm going to search this, thanks for your help =) you're the best

mrtcn 07-10-2007 04:45 AM

i've searched but i couldn't find.. any help :(

i am also using configserver firewall, i really must do this..

win32sux 07-10-2007 12:33 PM

Quote:

Originally Posted by mrtcn
i've searched but i couldn't find.. any help :(

i am also using configserver firewall, i really must do this..

What do you mean? Where are you stuck?

mrtcn 07-11-2007 02:53 AM

when i have no rules for port 27015 tcp on iptables, it does not allow to access, i think this is normal. but when i try to use connbytes, it does not help at all it does nothing :(

win32sux 07-11-2007 03:38 PM

Can you post the exact rule you are using? Also, post the output of:
Code:

iptables -nvL


All times are GMT -5. The time now is 11:51 AM.