* per source bandwidth limit with hashlimit
@ 2017-03-07 12:47 Fatih USTA
  2017-03-07 19:43 ` Robert White
  2017-03-09  5:21 ` Fatih USTA
  0 siblings, 2 replies; 3+ messages in thread
From: Fatih USTA @ 2017-03-07 12:47 UTC (permalink / raw)
  To: netfilter

Hi

I tried to use hashlimit to limit the bandwidth for each IP address on 
the 192.168.59.0/24 network, but it did not work with a specified network 
address or protocol.

[~]# uname -r
4.4.0-64-generic

[~]# iptables -V
iptables v1.6.0

[~]# lsmod | grep -i hashlimit
xt_hashlimit           20480  2
x_tables               36864  6 
ip_tables,xt_tcpudp,xt_nat,xt_hashlimit,iptable_filter,iptable_mangle



This command is working, with the tcp protocol.

iptables -t mangle -I PREROUTING -m tcp -p tcp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN


These commands are not working.

Without the tcp protocol

iptables -t mangle -I PREROUTING -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN

or with the udp protocol

iptables -t mangle -I PREROUTING -m udp -p udp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN

or with a source network

iptables -t mangle -I PREROUTING -s 192.168.59.0/24 -p tcp -m tcp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN

and with hashlimit-srcmask

iptables -t mangle -I PREROUTING -s 192.168.59.0/24 -p tcp -m tcp -m hashlimit --hashlimit-srcmask 32 --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN


Do you have any idea about this case?

Thanks.


-- 
Fatih USTA



* Re: per source bandwidth limit with hashlimit
From: Robert White @ 2017-03-07 19:43 UTC (permalink / raw)
  To: Fatih USTA, netfilter

On 03/07/17 12:47, Fatih USTA wrote:
> Hi
>
> I tried to use hashlimit to limit the bandwidth, for each ip address on
> the 192.168.59.0/24 network. But did not work specified network address
> or protocol.
> iptables -t mangle -I PREROUTING -m tcp -p tcp -m hashlimit
> --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip
> --hashlimit-name persource -j DROP
> iptables -t mangle -A PREROUTING -j RETURN

You are using hashlimit backwards. The jump target is executed when the 
limit is still good, it fails once the limit has been exceeded. So your 
rule is dropping the packets/connections until the 50kb a second 
threshold is exceeded then it's letting them through.

What you want is

iptables (blah blah) hashlimit (blah blah) -j RETURN
iptables (blah blah) -j DROP

Now when you are within the limits the data gets through, and when you 
exceed the limits the rule evaluation falls through to the drop.

Note that I usually put this in a separate chain that I invoke from the 
real chain so that I can still apply other logic before/after the throttle.

so...

iptables -N throttle
iptables -A throttle -m hashlimit (blah blah) -j RETURN
iptables -A throttle -j DROP
iptables -A (wherever) (conditional blah) -j throttle

As far as (wherever), I don't like to interfere with existing 
connections since that leads to more load, not less. So I'd put the 
throttle in FORWARDING or INPUT with the (conditional blah) being for 
ctstate NEW and after the established,related rule.

This secondary chain means that you can use the same throttle for 
several different protocols or conditions without it getting really 
complex to invoke.

Of course your where-and-when will vary depending on your task and 
goals. But in truth, if you are the service then your service 
application is going to be the source of most of the data so you 
probably ought to throttle in the server not the firewall rules instead 
of dropping your own data or throwing away packets that you've already 
paid bandwidth/time to receive and which the sending end is probably 
just going to send again because of the "loss".

That is, bulk limits on existing connections tend to drive received 
volume _up_ as re-transmits occur.

So be careful not to shoot yourself in the foot.

So anyway... the --match hashlimit should be followed by the success 
--jump and the later rules are then the failure path.



Hope this helps,
--Rob.
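
Robert's separate throttle chain with the "(blah blah)" and "(wherever)" parts filled in, as an added example that is not code from the thread. It assumes the placement he suggests: the FORWARD chain, applied only to NEW connections from the LAN subnet after the ESTABLISHED,RELATED accept. Because only connection-opening packets reach the chain, the limit is expressed as a per-source connection rate (10/sec with a burst of 20, constructed values) rather than a byte rate. hashlimit has two match forms, --hashlimit-upto (matches while the rate is at or below the limit) and --hashlimit-above (matches once it is exceeded); the success-path-then-DROP layout uses --hashlimit-upto. The script name is hypothetical; by default it only prints the commands, and piping the output into sh as root applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: Robert's separate "throttle" chain
# with the blanks filled in. Assumed placement: the FORWARD chain, applied
# only to NEW connections from the LAN subnet, after the usual
# ESTABLISHED,RELATED accept. Only connection-opening packets reach the chain,
# so the limit is a per-source connection rate (10/sec, burst 20; constructed
# values), not a byte rate. --hashlimit-upto matches while at or below the
# rate, --hashlimit-above once it is exceeded; the RETURN-then-DROP layout
# needs the former.
#
# Usage (script name is hypothetical):
#   sh throttle.sh 192.168.59.0/24          # print the commands
#   sh throttle.sh 192.168.59.0/24 | sh     # apply them, as root

throttle_chain_rules() {
    net=$1
    rate=${2:-10/sec}
    burst=${3:-20}
    # -N fails harmlessly if the chain already exists; -F then empties it so
    # re-running the script does not stack duplicate rules in "throttle".
    cat <<EOF
iptables -N throttle
iptables -F throttle
iptables -A throttle -m hashlimit --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-mode srcip --hashlimit-name persource -j RETURN
iptables -A throttle -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $net -m conntrack --ctstate NEW -j throttle
EOF
}

# Line number of the first generated rule matching a pattern, used to check
# that the success path (RETURN) precedes the failure path (DROP).
rule_index() {
    throttle_chain_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

if [ -n "${1:-}" ]; then
    throttle_chain_rules "$@"
fi
```

A source that stays within the rate hits RETURN and is handed back to FORWARD, so whatever accept rules follow the -j throttle rule there still decide the packet's fate; a source above the rate falls through to the chain's DROP. Existing connections never enter the chain, which is the point Robert makes about not throwing away data that has already been received.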



* Re: per source bandwidth limit with hashlimit
From: Fatih USTA @ 2017-03-09  5:21 UTC (permalink / raw)
  To: netfilter

I found my mistake.

I thought it was connection-based. I was wrong.
The hashlimit is working in the packet direction.
I fixed this problem (-d 192.168.59.0/24 and --hashlimit-mode dstip).

Thanks.

Fatih USTA


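The conclusion of the thread is that the hash key has to follow the direction of the packets being counted: traffic downloaded by the LAN hosts arrives in PREROUTING with the remote server as its source, so keying on srcip puts every LAN host into one entry. The following is an added example, not part of the thread and not kernel code: a simplified Python model of hashlimit's per-key byte bucket (assumed behaviour: one bucket per key created full, credit refilled at the rate up to the burst, a packet that does not fit is the --hashlimit-above case and leaves the credit untouched; "kb" taken as 1024 bytes). Run over constructed download traffic from one server (203.0.113.10, a constructed address) to two hosts on 192.168.59.0/24, it shows that --hashlimit-mode srcip yields a single shared entry while dstip gives each host its own 50kb/sec allowance.

```python
"""Simplified model of xt_hashlimit's per-key byte bucket.

Added example, not from the thread and not kernel code. Assumptions: one
bucket per hash key, created full on first sight; credit refills at `rate`
bytes per second up to `burst` bytes; a packet that fits the credit is
"within the limit" (what --hashlimit-upto matches) and consumes it, one that
does not is "above" (what --hashlimit-above matches) and leaves the credit
untouched. Time is integer milliseconds; "kb" is taken as 1024 bytes.
"""
from dataclasses import dataclass

KB = 1024                       # assumed meaning of hashlimit's "kb" suffix
SERVER = "203.0.113.10"         # constructed remote server the LAN hosts download from
LAN_HOSTS = ("192.168.59.10", "192.168.59.11")  # two hosts on the poster's subnet


@dataclass(frozen=True)
class Packet:
    t_ms: int
    src: str
    dst: str
    size: int


@dataclass
class Bucket:
    credit: int   # bytes currently allowed
    last_ms: int  # time of the last refill


class HashLimit:
    """Per-key byte bucket keyed on the source or destination address."""

    def __init__(self, rate_bps, burst_bytes, mode):
        if mode not in ("srcip", "dstip"):
            raise ValueError("mode must be 'srcip' or 'dstip'")
        self.rate = rate_bps
        self.burst = burst_bytes
        self.mode = mode
        self.table = {}  # key -> Bucket, the equivalent of the hashlimit table

    def key(self, pkt):
        return pkt.src if self.mode == "srcip" else pkt.dst

    def above(self, pkt):
        """True when pkt exceeds its key's rate (the --hashlimit-above case)."""
        k = self.key(pkt)
        b = self.table.get(k)
        if b is None:
            b = Bucket(credit=self.burst, last_ms=pkt.t_ms)
            self.table[k] = b
        else:
            refill = self.rate * (pkt.t_ms - b.last_ms) // 1000
            b.credit = min(self.burst, b.credit + refill)
            b.last_ms = pkt.t_ms
        if pkt.size <= b.credit:
            b.credit -= pkt.size
            return False
        return True


def simulate(mode, packets, rate_bps=50 * KB, burst_bytes=50 * KB):
    """Feed packets to a '-m hashlimit --hashlimit-above ... -j DROP' rule.

    Returns {key: {"passed": n, "dropped": n, "passed_bytes": n}} per hash entry.
    """
    hl = HashLimit(rate_bps, burst_bytes, mode)
    stats = {}
    for pkt in sorted(packets, key=lambda p: p.t_ms):
        s = stats.setdefault(hl.key(pkt), {"passed": 0, "dropped": 0, "passed_bytes": 0})
        if hl.above(pkt):
            s["dropped"] += 1          # matched --hashlimit-above, hit DROP
        else:
            s["passed"] += 1
            s["passed_bytes"] += pkt.size
    return stats


def download_traffic(duration_ms=1000, interval_ms=10, size=1500):
    """Constructed PREROUTING traffic: SERVER sends each LAN host a 1500-byte
    packet every 10 ms (150 KB/s per host), the two hosts interleaved."""
    pkts = []
    for i, host in enumerate(LAN_HOSTS):
        for t in range(i * interval_ms // 2, duration_ms, interval_ms):
            pkts.append(Packet(t, SERVER, host, size))
    return pkts


if __name__ == "__main__":
    pkts = download_traffic()
    for mode in ("srcip", "dstip"):
        print(f"--hashlimit-mode {mode}:")
        for key, s in simulate(mode, pkts).items():
            print(f"  {key:<15} passed={s['passed']:3d} dropped={s['dropped']:3d} "
                  f"bytes={s['passed_bytes']}")
```

With srcip the table holds one entry, keyed on the server, and the two hosts compete for a single 50kb/sec credit; with dstip there are two entries and each host passes the same amount, bounded by the burst plus one second of refill. The same model applied to upload traffic (LAN host as source) would make srcip the right key, which is the direction dependence the thread ends on.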
