LinuxQuestions.org - Maximum packet size

- Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)

- - Maximum packet size (https://www.linuxquestions.org/questions/linux-security-4/maximum-packet-size-567471/)

Maximum packet size

Hi. I want to limit maximum packet size transferred per second to 10kb or limit any packet size to 10kb max. can i do this with iptables?

thanks =)

aren't packet sizes over TCP/IP max 1500 bytes?

ooops i didn't knew that... then i want to limit the upload to 10kb/s per second per ip =(

Yes, that's what the -limit option is all about. But it's limiting frames per second, not bytes per second.

10K bytes / 1500 byte MTU = 6.66 frames per second. So you might add something like "-limit 6 -limit-burst 12" to your iptables rule to ensure you never go over 10K bytes per second. If you make the rule too general (all protocols, all ports), protocols that use smaller frames (eg. IM) will get severely restricted though. YMMV.

Good Luck!

i am stranger to iptables
i want to drop tcp packets coming to 27015 by the -limit 6 -limit-burst 12, can you write the full code :(

thanks =)

it's kind of urgent, can anyone help?

Quote:

Originally Posted by mrtcn

i am stranger to iptables
i want to drop tcp packets coming to 27015 by the -limit 6 -limit-burst 12, can you write the full code

This would go like this:

Code:

iptables -I INPUT -p TCP -i eth0 --dport 27015 \

-m limit --limit 6/second --limit-burst 12 -j DROP

Of course, replace eth0 with whatever your interface is actually called. Also, I'm not entirely sure this will do what you want. Shouldn't you be doing the inverse of this? That is, setting an ACCEPT rule like this, and letting the other packets hit the DROP policy (or DROP rule below the ACCEPT).

this code drops all the tcp connection on 27015 :(

Quote:

Originally Posted by mrtcn

this code drops all the tcp connection on 27015 :(

I suspect you need to do the inverse then, as mentioned above. Like:

Code:

iptables -A INPUT -p TCP -i eth0 --dport 27015 \

-m limit --limit 6/second --limit-burst 12 -j ACCEPT



iptables -A INPUT -p TCP -i eth0 --dport 27015 -j DROP

Make sure you have the DROP rule after the ACCEPT one, and make sure both rules are before any rule that could send the 27015 packets to ACCEPT.

BTW, I should mention that after reading the OP I think the connbytes match module might be better suited for this than the limit module. It's just a thought.

Code:

  connbytes

      Match  by  how  many  bytes  or packets a connection (or one of the two

      flows constituting the connection) have tranferred so far, or by  aver‐

      age bytes per packet.



      The counters are 64bit and are thus not expected to overflow ;)



      The  primary  use is to detect long-lived downloads and mark them to be

      scheduled using a lower priority band in traffic control.



      The  transfered  bytes  per  connection  can  also  be  viewed  through

      /proc/net/ip_conntrack and accessed via ctnetlink



      [!] --connbytes from:[to]

              match  packets  from  a  connection  whose packets/bytes/average

              packet size is more than FROM and less than TO bytes/packets. if

              TO  is  omitted  only  FROM  check is done. "!" is used to match

              packets not falling in the range.



      --connbytes-dir [original|reply|both]

              which packets to consider



      --connbytes-mode [packets|bytes|avgpkt]

              whether to check the amount of packets, number of  bytes  trans‐

              ferred or the average size (in bytes) of all packets received so

              far. Note that when "both" is used together with  "avgpkt",  and

              data is going (mainly) only in one direction (for example HTTP),

              the average packet size will be about half of  the  actual  data

              packets.



      Example:

              iptables  ..  -m connbytes --connbytes 10000:100000 --connbytes-

              dir both --connbytes-mode bytes ...

yeah i was going to say this, the limit wasn't the rule that i'm looking for but i think connbytes is the thing i am looking for, i'm going to search this, thanks for your help =) you're the best

i've searched but i couldn't find.. any help :(

i am also using configserver firewall, i really must do this..

Quote:

Originally Posted by mrtcn

i've searched but i couldn't find.. any help :(

i am also using configserver firewall, i really must do this..

What do you mean? Where are you stuck?

when i have no rules for port 27015 tcp on iptables, it does not allow to access, i think this is normal. but when i try to use connbytes, it does not help at all it does nothing :(

Can you post the exact rule you are using? Also, post the output of:

Code:

iptables -nvL

Code:

[root@denge ~]# iptables -nvL | grep 27015

    6  288 ACCEPT    tcp  --  !lo    *      0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:27015

  218  8928 ACCEPT    udp  --  !lo    *      0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:27015

    0    0 ACCEPT    tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:27015 limit: avg 6/sec burst 12

    0    0 DROP      tcp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          tcp dpt:27015

    0    0 ACCEPT    tcp  --  *      !lo    0.0.0.0/0            0.0.0.0/0          state NEW tcp dpt:27015

    0    0 ACCEPT    udp  --  *      !lo    0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:27015

Code:

iptables -A INPUT -p TCP -i eth0 --dport 27015 \

-m limit --limit 6/second --limit-burst 12 -j ACCEPT



iptables -A INPUT -p TCP -i eth0 --dport 27015 -j DROP