LinuxQuestions.org
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

#1 mrtcn (LQ Newbie, CentOS), 07-07-2007 06:43 PM
Maximum packet size

Hi. I want to limit the maximum packet size transferred per second to 10kb, or limit any packet size to 10kb max. Can I do this with iptables?

thanks =)
 
#2 lambchops468 (Member, Archlinux), 07-08-2007 12:06 PM
Aren't packet sizes over TCP/IP max 1500 bytes?
 
#3 mrtcn (Original Poster), 07-08-2007 01:38 PM
Oops, I didn't know that... then I want to limit the upload to 10kb/s per IP =(
 
#4 whistl (Member, Ubuntu/CentOS), 07-08-2007 02:22 PM
use -limit

Yes, that's what the -limit option is all about. But it's limiting frames per second, not bytes per second.

10K bytes / 1500 byte MTU = 6.66 frames per second. So you might add something like "-limit 6 -limit-burst 12" to your iptables rule to ensure you never go over 10K bytes per second. If you make the rule too general (all protocols, all ports), protocols that use smaller frames (e.g. IM) will get severely restricted though. YMMV.

Good Luck!

Last edited by whistl; 07-08-2007 at 02:24 PM.
 
#5 mrtcn (Original Poster), 07-08-2007 03:39 PM
I am a stranger to iptables.
I want to drop TCP packets coming to 27015 by the -limit 6 -limit-burst 12. Can you write the full code?

thanks =)
 
#6 mrtcn (Original Poster), 07-09-2007 04:32 PM
It's kind of urgent, can anyone help?
 
#7 win32sux (LQ Guru, Ubuntu), 07-09-2007 04:50 PM
Quote:
Originally Posted by mrtcn
I am a stranger to iptables.
I want to drop TCP packets coming to 27015 by the -limit 6 -limit-burst 12. Can you write the full code?
This would go like this:
Code:
iptables -I INPUT -p TCP -i eth0 --dport 27015 \
-m limit --limit 6/second --limit-burst 12 -j DROP
Of course, replace eth0 with whatever your interface is actually called. Also, I'm not entirely sure this will do what you want. Shouldn't you be doing the inverse of this? That is, setting an ACCEPT rule like this, and letting the other packets hit the DROP policy (or DROP rule below the ACCEPT).

Last edited by win32sux; 07-09-2007 at 04:56 PM.
 
#8 mrtcn (Original Poster), 07-09-2007 04:59 PM
This code drops all the TCP connections on 27015.
 
#9 win32sux (LQ Guru), 07-09-2007 05:11 PM
Quote:
Originally Posted by mrtcn
This code drops all the TCP connections on 27015.
I suspect you need to do the inverse then, as mentioned above. Like:
Code:
iptables -A INPUT -p TCP -i eth0 --dport 27015 \
-m limit --limit 6/second --limit-burst 12 -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 27015 -j DROP
Make sure you have the DROP rule after the ACCEPT one, and make sure both rules are before any rule that could send the 27015 packets to ACCEPT.

Last edited by win32sux; 07-09-2007 at 05:17 PM.
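Added example (not code from any poster): a simulation of what the ACCEPT-with-limit plus DROP pair in #9 does to traffic, built on the token-bucket behaviour of the limit match (bucket capacity is --limit-burst, it refills at --limit tokens per second, starts full, and there is exactly one bucket per rule, shared by every source that reaches it). The traces are constructed. It reproduces whistl's arithmetic from #4 (6 frames/s of 1500 bytes is 9000 B/s after the initial burst), shows what the same rule does to 100-byte frames (600 B/s), and shows a second address whose single packet arrives while a flood has drained the bucket: it is dropped like the flood, because the rule limits the rule's total packet rate, not each IP's.

```python
from fractions import Fraction


class LimitMatch:
    """Token bucket as used by iptables '-m limit': one bucket per rule, shared
    by every packet that reaches the rule regardless of source. Capacity is
    --limit-burst, refill is --limit tokens per second, the bucket starts full.
    Fraction arithmetic keeps the simulation exact (a modelling choice here)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def match(self, now):
        now = Fraction(now)
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True   # rule matches: the packet hits the ACCEPT target
        return False      # no token: the packet falls through to the DROP rule


def frames_per_second(bytes_per_sec, mtu=1500):
    """whistl's arithmetic: 10000 / 1500 = 6.66, rounded down to 6."""
    return bytes_per_sec // mtu


def flood(src, size, pps, seconds, start=0):
    """Constructed trace: `pps` packets of `size` bytes per second from src,
    as (time_s, src_ip, size_bytes) tuples."""
    return [(Fraction(start) + s + Fraction(i, pps), src, size)
            for s in range(seconds) for i in range(pps)]


def run_trace(packets, rate=6, burst=12):
    """Run a trace through the ACCEPT-with-limit rule. Returns accepted bytes
    per source and accepted bytes per whole-second window."""
    bucket = LimitMatch(rate, burst)
    by_src, per_sec = {}, {}
    for t, src, size in sorted(packets):
        if bucket.match(t):
            by_src[src] = by_src.get(src, 0) + size
            per_sec[int(t)] = per_sec.get(int(t), 0) + size
    return by_src, per_sec


def shared_bucket_demo():
    """A flood from 10.0.0.1 plus one legitimate packet from 10.0.0.2 that
    arrives at t=2.505 s, between two flood packets, when the bucket is dry."""
    trace = flood("10.0.0.1", 1500, 100, 5) + [(Fraction("2.505"), "10.0.0.2", 1500)]
    return run_trace(trace)[0]


if __name__ == "__main__":
    pps = frames_per_second(10000)
    for size in (1500, 100):
        by_src, per_sec = run_trace(flood("10.0.0.1", size, 100, 5), rate=pps)
        print(f"{size}-byte frames at 100 pps: accepted bytes per second {per_sec}")
    print("shared bucket, bytes accepted per source:", shared_bucket_demo())
```

With 1500-byte frames the first second passes 25500 bytes (the burst of 12 plus the refill) and every later second 9000 bytes, under the 10K target; with 100-byte frames the same rule passes 600 bytes per second, which is whistl's "severely restricted" case. The source that sends one packet into a drained bucket gets nothing, so -m limit is not the per-IP limit asked for in #3; a bucket per source address is what the hashlimit match (--hashlimit-mode srcip) provides.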
 
#10 win32sux (LQ Guru), 07-09-2007 05:36 PM
BTW, I should mention that after reading the OP I think the connbytes match module might be better suited for this than the limit module. It's just a thought.
Code:
   connbytes
       Match by how many bytes or packets a connection (or one of the two
       flows constituting the connection) have transferred so far, or by
       average bytes per packet.

       The counters are 64bit and are thus not expected to overflow ;)

       The primary use is to detect long-lived downloads and mark them to be
       scheduled using a lower priority band in traffic control.

       The transferred bytes per connection can also be viewed through
       /proc/net/ip_conntrack and accessed via ctnetlink

       [!] --connbytes from:[to]
              match packets from a connection whose packets/bytes/average
              packet size is more than FROM and less than TO bytes/packets. If
              TO is omitted only FROM check is done. "!" is used to match
              packets not falling in the range.

       --connbytes-dir [original|reply|both]
              which packets to consider

       --connbytes-mode [packets|bytes|avgpkt]
              whether to check the amount of packets, number of bytes
              transferred or the average size (in bytes) of all packets
              received so far. Note that when "both" is used together with
              "avgpkt", and data is going (mainly) only in one direction (for
              example HTTP), the average packet size will be about half of the
              actual data packets.

       Example:
              iptables .. -m connbytes --connbytes 10000:100000 \
                  --connbytes-dir both --connbytes-mode bytes ...
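Added example (not from any poster, nor from iptables itself): a simulation that runs the man page's example rule, --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes, over a constructed HTTP-like download. It shows what connbytes actually tests, a cumulative per-connection volume, which is why the man page describes it for spotting long-lived downloads rather than for capping a rate, and it reproduces the avgpkt caveat quoted above: over both directions the small ACKs pull the average to about half the data segment size. Modelling assumptions: packets arrive pre-labelled with their conntrack direction, the packet being evaluated is counted before the test, and the from:to range is inclusive at both ends.

```python
class ConnBytes:
    """Simulation of the iptables connbytes match: per-connection packet and
    byte counters in each conntrack direction, plus the --connbytes from:[to]
    range test in the chosen --connbytes-dir and --connbytes-mode.
    Modelling assumptions: the packet being evaluated is counted first, and
    the range is inclusive at both ends."""

    def __init__(self, lo, hi=None, direction="both", mode="bytes", negate=False):
        self.lo, self.hi = lo, hi
        self.direction, self.mode, self.negate = direction, mode, negate
        self.counters = {}   # conn -> {"original": [pkts, bytes], "reply": [pkts, bytes]}

    def account(self, conn, direction, size):
        c = self.counters.setdefault(conn, {"original": [0, 0], "reply": [0, 0]})
        c[direction][0] += 1
        c[direction][1] += size

    def value(self, conn, direction=None, mode=None):
        """The quantity the rule compares, for one direction or both combined."""
        direction = direction or self.direction
        mode = mode or self.mode
        c = self.counters[conn]
        dirs = ("original", "reply") if direction == "both" else (direction,)
        pkts = sum(c[d][0] for d in dirs)
        byts = sum(c[d][1] for d in dirs)
        if mode == "packets":
            return pkts
        if mode == "bytes":
            return byts
        return byts // pkts if pkts else 0   # avgpkt: integer average

    def match(self, conn, direction, size):
        self.account(conn, direction, size)
        v = self.value(conn)
        in_range = v >= self.lo and (self.hi is None or v <= self.hi)
        return in_range != self.negate   # "!" inverts the range test


def http_like_download(data_packets=40, request=200, data=1500, ack=52):
    """Constructed one-directional transfer: a request from the client, then
    `data_packets` full-size segments from the server, each answered by a
    bare ACK from the client. Tuples are (conn_id, conntrack_direction, bytes)."""
    pkts = [("dl", "original", request)]
    for _ in range(data_packets):
        pkts.append(("dl", "reply", data))
        pkts.append(("dl", "original", ack))
    return pkts


def matching_indexes(packets, matcher):
    """Indexes of the packets the rule would match, in arrival order."""
    return [i for i, (conn, d, size) in enumerate(packets)
            if matcher.match(conn, d, size)]


if __name__ == "__main__":
    pkts = http_like_download()
    rule = ConnBytes(10000, 100000, direction="both", mode="bytes")
    hits = matching_indexes(pkts, rule)
    print(f"{len(pkts)} packets, first match at packet {hits[0]}, {len(hits)} matched")
    for d in ("both", "reply", "original"):
        print(f"avgpkt over {d}: {rule.value('dl', d, 'avgpkt')} bytes")
```

On the constructed download the rule first matches at packet index 13, once 11012 bytes have crossed the connection, and then matches every later packet because the 62280-byte total never leaves the 10000:100000 window; nothing about the timing of those packets enters the decision. The avgpkt view over both directions comes out at 768 bytes against 1500 for the reply direction alone, which is the "about half" the man page warns about.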
 
#11 mrtcn (Original Poster), 07-09-2007 06:22 PM
Yeah, I was going to say this. The limit wasn't the rule that I'm looking for, but I think connbytes is the thing I am looking for. I'm going to search this, thanks for your help =) you're the best
 
#12 mrtcn (Original Poster), 07-10-2007 04:45 AM
I've searched but I couldn't find... any help?

I am also using ConfigServer Firewall, I really must do this...
 
#13 win32sux (LQ Guru), 07-10-2007 12:33 PM
Quote:
Originally Posted by mrtcn
I've searched but I couldn't find... any help?

I am also using ConfigServer Firewall, I really must do this...
What do you mean? Where are you stuck?
 
#14 mrtcn (Original Poster), 07-11-2007 02:53 AM
When I have no rules for port 27015 TCP on iptables, it does not allow access; I think this is normal. But when I try to use connbytes, it does not help at all, it does nothing.
 
#15 win32sux (LQ Guru), 07-11-2007 03:38 PM
Can you post the exact rule you are using? Also, post the output of:
Code:
iptables -nvL
 
  

