Linux - Security forum (LinuxQuestions.org). This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
07-07-2007, 05:43 PM, #1
LQ Newbie (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
Maximum packet size
Hi. I want to limit the maximum packet size transferred per second to 10kb, or limit any packet size to 10kb max. Can I do this with iptables?
Thanks =)

07-08-2007, 11:06 AM, #2
Member (Registered: Mar 2007; Location: New Jersey, USA; Distribution: Archlinux; Posts: 165)
Aren't packet sizes over TCP/IP max 1500 bytes?

07-08-2007, 12:38 PM, #3
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
Oops, I didn't know that... Then I want to limit the upload to 10kb/s per second per IP =(

07-08-2007, 01:22 PM, #4
Member (Registered: May 2005; Location: USA; Distribution: Ubuntu, CentOS; Posts: 37)
use -limit
Yes, that's what the -limit option is all about. But it's limiting frames per second, not bytes per second.
10K bytes / 1500 byte MTU = 6.66 frames per second. So you might add something like "-limit 6 -limit-burst 12" to your iptables rule to ensure you never go over 10K bytes per second. If you make the rule too general (all protocols, all ports), protocols that use smaller frames (e.g. IM) will get severely restricted though. YMMV.
Good Luck!
Last edited by whistl; 07-08-2007 at 01:24 PM.

07-08-2007, 02:39 PM, #5
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
I am a stranger to iptables.
I want to drop TCP packets coming to 27015 by the -limit 6 -limit-burst 12; can you write the full code?
Thanks =)

07-09-2007, 03:32 PM, #6
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
It's kind of urgent, can anyone help?

07-09-2007, 03:50 PM, #7
LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by mrtcn
    I am a stranger to iptables.
    I want to drop TCP packets coming to 27015 by the -limit 6 -limit-burst 12; can you write the full code?
This would go like this:
Code:
    iptables -I INPUT -p TCP -i eth0 --dport 27015 \
    -m limit --limit 6/second --limit-burst 12 -j DROP
Of course, replace eth0 with whatever your interface is actually called. Also, I'm not entirely sure this will do what you want. Shouldn't you be doing the inverse of this? That is, setting an ACCEPT rule like this, and letting the other packets hit the DROP policy (or a DROP rule below the ACCEPT).
Last edited by win32sux; 07-09-2007 at 03:56 PM.

07-09-2007, 03:59 PM, #8
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
This code drops all the TCP connections on 27015.

07-09-2007, 04:11 PM, #9
LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by mrtcn
    This code drops all the TCP connections on 27015.
I suspect you need to do the inverse then, as mentioned above. Like:
Code:
    iptables -A INPUT -p TCP -i eth0 --dport 27015 \
    -m limit --limit 6/second --limit-burst 12 -j ACCEPT
    iptables -A INPUT -p TCP -i eth0 --dport 27015 -j DROP
Make sure you have the DROP rule after the ACCEPT one, and make sure both rules are before any rule that could send the 27015 packets to ACCEPT.
Last edited by win32sux; 07-09-2007 at 04:17 PM.

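To see why the rule in post #7 dropped every connection while the ordering in post #9 works, here is an added Python model of the `-m limit` match run against both rule sets (this is the editor's example, not code from the thread or from netfilter; the kernel's xt_limit keeps integer credits on jiffies, but the decision is the same: a bucket that starts full at `--limit-burst`, refills at `--limit`, and matches a packet only while a token is available). The traffic is constructed: 20 packets arriving at once, then one every half second.

```python
# Added example, not from the thread: a model of iptables' "-m limit" match,
# applied to the two rule orderings win32sux posted (6/second, burst 12).

class LimitMatch:
    """Token bucket with the semantics of `-m limit --limit R/second --limit-burst B`:
    starts full (B tokens), refills at R per second up to B, and matches a packet
    only if a whole token is available to take for it."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)  # full bucket: the first B packets match
        self.last = 0.0             # time of the previous evaluation

    def matches(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(rules, arrivals, policy="ACCEPT"):
    """Walk a chain top to bottom for each packet arrival time.
    rules: list of (match, target); match is a callable of the arrival time, or
    None for a rule with no match. Returns the target of the first matching rule
    for each packet, or the chain policy if none matched."""
    verdicts = []
    for t in arrivals:
        verdict = policy
        for match, target in rules:
            if match is None or match(t):
                verdict = target
                break
        verdicts.append(verdict)
    return verdicts


def limit_then_drop(arrivals):
    """Post #7: `-m limit ... -j DROP` alone, with INPUT policy ACCEPT."""
    return run_chain([(LimitMatch(6, 12).matches, "DROP")], arrivals)


def accept_then_drop(arrivals):
    """Post #9: limited ACCEPT, then an unconditional DROP for the same port."""
    return run_chain([(LimitMatch(6, 12).matches, "ACCEPT"), (None, "DROP")], arrivals)


# Constructed traffic: a burst of 20 packets at t=0, then one packet every 0.5 s.
BURST_THEN_TRICKLE = [0.0] * 20 + [1.0 + 0.5 * i for i in range(10)]
```

With limit followed by DROP, the packets that fit inside the rate (including every new connection's SYN) are the ones dropped, and only the overflow gets through; with the ACCEPT/DROP pair the first 12 of the burst pass, the rest are dropped, and the trickle at 2 per second stays under the 6 per second refill and is accepted.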
07-09-2007, 04:36 PM, #10
LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
BTW, I should mention that after reading the OP I think the connbytes match module might be better suited for this than the limit module. It's just a thought.
Code:
    connbytes
        Match by how many bytes or packets a connection (or one of the two flows constituting the connection) have transferred so far, or by average bytes per packet.
        The counters are 64bit and are thus not expected to overflow ;)
        The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control.
        The transferred bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink
        [!] --connbytes from:[to]
            match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. If TO is omitted only the FROM check is done. "!" is used to match packets not falling in the range.
        --connbytes-dir [original|reply|both]
            which packets to consider
        --connbytes-mode [packets|bytes|avgpkt]
            whether to check the amount of packets, number of bytes transferred or the average size (in bytes) of all packets received so far. Note that when "both" is used together with "avgpkt", and data is going (mainly) only in one direction (for example HTTP), the average packet size will be about half of the actual data packets.
        Example:
            iptables .. -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes ...

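As an added example (the editor's, not code from the thread or from netfilter), the connbytes match quoted above modelled in Python and run against constructed per-connection counters, including the halved average the man page warns about for `--connbytes-dir both --connbytes-mode avgpkt` on one-directional traffic. The counter field names are this example's own; the model treats both bounds as inclusive, as the kernel's xt_connbytes comparison does (the man page's "more than / less than" wording is loose), and it compares cumulative per-connection totals, which is what conntrack keeps, not bytes per second.

```python
# Added example, not from the thread: a model of the connbytes match described
# in the man page excerpt, run against constructed conntrack byte/packet counters.
from dataclasses import dataclass


@dataclass
class Conn:
    """Per-connection counters as conntrack keeps them, one pair per flow
    direction (original = client->server, reply = server->client).
    Field names are this example's own."""
    orig_pkts: int
    orig_bytes: int
    reply_pkts: int
    reply_bytes: int


def connbytes(conn, lo, hi=None, direction="both", mode="bytes", negate=False):
    """Evaluate `[!] --connbytes lo:hi --connbytes-dir direction --connbytes-mode mode`.
    hi=None is the omitted TO (no upper bound). Bounds are inclusive, as in the
    kernel's comparison; negate=True is the leading "!"."""
    if direction == "original":
        pkts, nbytes = conn.orig_pkts, conn.orig_bytes
    elif direction == "reply":
        pkts, nbytes = conn.reply_pkts, conn.reply_bytes
    elif direction == "both":
        pkts = conn.orig_pkts + conn.reply_pkts
        nbytes = conn.orig_bytes + conn.reply_bytes
    else:
        raise ValueError(f"bad --connbytes-dir {direction!r}")
    if mode == "packets":
        value = pkts
    elif mode == "bytes":
        value = nbytes
    elif mode == "avgpkt":
        value = nbytes // pkts if pkts else 0  # both flows pooled, hence the halving
    else:
        raise ValueError(f"bad --connbytes-mode {mode!r}")
    inside = value >= lo and (hi is None or value <= hi)
    return inside != negate


# Constructed counters for an HTTP-like download: small requests/ACKs one way,
# full-size data segments the other way.
DOWNLOAD = Conn(orig_pkts=10, orig_bytes=600, reply_pkts=10, reply_bytes=15000)
# Constructed counters for a connection that has only just completed its handshake.
NEW_CONN = Conn(orig_pkts=2, orig_bytes=120, reply_pkts=1, reply_bytes=60)


def man_page_example(conn):
    """The man page's rule: --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes."""
    return connbytes(conn, 10000, 100000, "both", "bytes")
```

NEW_CONN never matching is the reason a connbytes rule by itself appears to do nothing for fresh connections: it selects connections by the totals accumulated so far, so the traffic you want to allow still needs its own ACCEPT rule, and connbytes is then used to single out the connections that have grown large.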
07-09-2007, 05:22 PM, #11
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
Yeah, I was going to say this. The limit wasn't the rule that I'm looking for, but I think connbytes is the thing I am looking for. I'm going to search this. Thanks for your help =) You're the best.

07-10-2007, 03:45 AM, #12
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
I've searched but I couldn't find... Any help?
I am also using configserver firewall; I really must do this..

07-10-2007, 11:33 AM, #13
LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by mrtcn
    I've searched but I couldn't find... Any help?
    I am also using configserver firewall; I really must do this..
What do you mean? Where are you stuck?

07-11-2007, 01:53 AM, #14
LQ Newbie, Original Poster (Registered: Jan 2007; Location: London; Distribution: CentOS; Posts: 20)
When I have no rules for port 27015 TCP in iptables, it does not allow access; I think this is normal. But when I try to use connbytes, it does not help at all, it does nothing.

07-11-2007, 02:38 PM, #15
LQ Guru (Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Can you post the exact rule you are using? Also, post the output of:
