* per source bandwidth limit with hashlimit
From: Fatih USTA @ 2017-03-07 12:47 UTC (permalink / raw)
To: netfilter
Hi,
I tried to use hashlimit to limit the bandwidth for each IP address on the 192.168.59.0/24 network, but it did not work with the specified network address or protocol.
[~]# uname -r
4.4.0-64-generic
[~]# iptables -V
iptables v1.6.0
[~]# lsmod | grep -i hashlimit
xt_hashlimit 20480 2
x_tables 36864 6
ip_tables,xt_tcpudp,xt_nat,xt_hashlimit,iptable_filter,iptable_mangle
This command works, with the TCP protocol:
iptables -t mangle -I PREROUTING -m tcp -p tcp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN
These commands do not work.
Without the TCP protocol:
iptables -t mangle -I PREROUTING -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN
Or with the UDP protocol:
iptables -t mangle -I PREROUTING -m udp -p udp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN
It also does not work with the source network:
iptables -t mangle -I PREROUTING -s 192.168.59.0/24 -p tcp -m tcp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN
Nor with hashlimit-srcmask:
iptables -t mangle -I PREROUTING -s 192.168.59.0/24 -p tcp -m tcp -m hashlimit --hashlimit-srcmask 32 --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN
Do you have any idea about this case?
Thanks.
--
Fatih USTA
* Re: per source bandwidth limit with hashlimit
From: Robert White @ 2017-03-07 19:43 UTC (permalink / raw)
To: Fatih USTA, netfilter
On 03/07/17 12:47, Fatih USTA wrote:
> Hi
>
> I tried to use hashlimit to limit the bandwidth, for each ip address on
> the 192.168.59.0/24 network. But did not work specified network address
> or protocol.
> iptables -t mangle -I PREROUTING -m tcp -p tcp -m hashlimit
> --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip
> --hashlimit-name persource -j DROP
> iptables -t mangle -A PREROUTING -j RETURN
You are using hashlimit backwards. The jump target is executed when the
limit is still good, it fails once the limit has been exceeded. So your
rule is dropping the packets/connections until the 50kb a second
threshold is exceeded then it's letting them through.
What you want is
iptables (blah blah) hashlimit (blah blah) -j RETURN
iptables (blah blah) -j DROP
Now when you are within the limits the data gets through, and when you
exceed the limits the rule evaluation falls through to the drop.
Note that I usually put this in a separate chain that I invoke from the
real chain so that I can still apply other logic before/after the throttle.
so...
iptables -N throttle
iptables -A throttle -m hashlimit (blah blah) -j RETURN
iptables -A throttle -j DROP
iptables -A (wherever) (conditional blah) -j throttle
As far as (wherever), I don't like to interfere with existing
connections since that leads to more load, not less. So I'd put the
throttle in FORWARDING or INPUT with the (conditional blah) being for
ctstate NEW and after the established,related rule.
This secondary chain means that you can use the same throttle for
several different protocols or conditions without it getting really
complex to invoke.
Of course your where-and-when will vary depending on your task and
goals. But in truth, if you are the service then your service
application is going to be the source of most of the data so you
probably ought to throttle in the server not the firewall rules instead
of dropping your own data or throwing away packets that you've already
paid bandwidth/time to receive and which the sending end is probably
just going to send again because of the "loss".
That is, bulk limits on existing connections tend to drive received
volume _up_ as re-transmits occur.
So be careful not to shoot yourself in the foot.
So anyway... the --match hashlimit should be followed by the success
--jump and the later rules are then the failure path.
Hope this helps,
--Rob.
* Re: per source bandwidth limit with hashlimit
From: Fatih USTA @ 2017-03-09 5:21 UTC (permalink / raw)
To: netfilter
I found my mistake.
I thought it was connection-based. I was wrong.
The hashlimit works in the packet direction.
I fixed this problem (-d 192.168.59.0/24 and --hashlimit-mode dstip).
Thanks.
Fatih USTA
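An added example (not from the thread, and not the xt_hashlimit code itself): a small Python model of hashlimit's per-key token bucket, run through Robert's two-rule throttle chain, to show why a rule keyed on `-s 192.168.59.0/24 --hashlimit-mode srcip` never throttles a download *into* the LAN in PREROUTING while `-d ... --hashlimit-mode dstip` does. The download flow (203.0.113.5 to 192.168.59.10 at 100 kB/s) is constructed; 50kb/sec and 50kb are modelled as 50,000 bytes.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.59.0/24")   # network from the thread
RATE = 50_000    # --hashlimit-upto 50kb/sec, modelled as 50,000 bytes/second
BURST = 50_000   # --hashlimit-burst 50kb, modelled as 50,000 bytes

class HashLimit:
    """One token bucket per hash key (srcip or dstip), refilled at RATE.
    Simplified model of xt_hashlimit; enough to show the direction issue."""
    def __init__(self, mode):
        self.mode = mode          # "srcip" or "dstip"
        self.buckets = {}         # key -> (tokens, last_seen_ms)

    def upto(self, src, dst, size, now_ms):
        """True while this key is still within the limit (--hashlimit-upto)."""
        key = src if self.mode == "srcip" else dst
        tokens, last = self.buckets.get(key, (BURST, now_ms))
        # integer milliseconds keep the refill exact (no float drift)
        tokens = min(BURST, tokens + (now_ms - last) * RATE // 1000)
        ok = tokens >= size
        self.buckets[key] = (tokens - size if ok else tokens, now_ms)
        return ok

def verdict(limiter, addr_flag, src, dst, size, now_ms):
    """Robert's pattern: jump into 'throttle' only when -s/-d <LAN> matches;
    inside it, hashlimit-upto -> RETURN (accept) and the next rule -> DROP."""
    addr = src if addr_flag == "-s" else dst
    if ipaddress.ip_address(addr) not in LAN:
        return "ACCEPT"   # jump rule did not match: packet never enters throttle
    return "ACCEPT" if limiter.upto(src, dst, size, now_ms) else "DROP"

def simulate(addr_flag, mode, seconds=2, pkt=1000, interval_ms=10):
    """Constructed inbound download seen in PREROUTING: 1000-byte packets every
    10 ms (100 kB/s) from 203.0.113.5 to 192.168.59.10.
    Returns (accepted, dropped) packet counts."""
    limiter = HashLimit(mode)
    counts = {"ACCEPT": 0, "DROP": 0}
    for i in range(seconds * 1000 // interval_ms):
        v = verdict(limiter, addr_flag, "203.0.113.5", "192.168.59.10",
                    pkt, i * interval_ms)
        counts[v] += 1
    return counts["ACCEPT"], counts["DROP"]

if __name__ == "__main__":
    # -s LAN / srcip: the inbound packets have an Internet source, so nothing
    # is ever throttled. -d LAN / dstip: burst, then held to about 50 kB/s.
    print("-s LAN srcip:", simulate("-s", "srcip"))   # (200, 0)
    print("-d LAN dstip:", simulate("-d", "dstip"))   # (149, 51)
```

Accepted bytes in the dstip case (149,000 over 2 s) are the 50,000-byte burst plus 2 s of the 50,000 byte/s rate, which is what the rule is meant to enforce per destination address.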