set packet rate limit via iptables
The solution you found was correct:
iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
But it is assuming a default policy of DROP or REJECT which is not usual for OUTPUT. You need to add:
iptables -A OUTPUT -j REJECT
Be sure to add this rule after the ACCEPT one. Either execute them in this order, or use -I
instead of -A
for the ACCEPT.
Also, depending on the application this might kill the connection. In that case try with DROP instead of REJECT or try with a different --reject-with
(default is icmp-port-unreachable).
I just tested with telnet against a DVR server and it didn't kill the connection. Of course, since a new connection is an output packet, trying to reconnect right after hitting the limit will fail right away if you use REJECT.
I gather from the comments that your ISP also expects you to limit your INPUT packets... you cannot do this. By the time you are able to stop them they've already reached your NIC, which means the were already accounted for by your ISP. The INPUT packet count will also increase considerably when you limit your OUTPUT because most of the ACK won't make it out, causing lots of retransmissions.
10 packets per second is insane.
Related videos on Youtube
Andy
Updated on September 18, 2022Comments
-
Andy over 1 year
I have a packet rate limit (max. 10 per seconds) which is set by my internet provider. This is a problem if I want to use the AceStream player, because if I exceed the limit I get disconnected.
How can I restrict the internet access of this program?
I tried the suggested command:
iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
but I get a fatal error message:
FATAL: Error inserting ip_tables (/lib/modules/3.2.0-67-generic/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
With administor rights:
sudo iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
there is no errror message anymore. But it is still not working, I get disconnected.
Is there an error in the command line? Or do I have to use other arguments of iptables?
Below is the actual message that I get, when I exceed the limits of the provider.
Up to now, I tried different approaches, but none of them didn't work.
sudo iptables -A INPUT -p tcp --syn --dport 8621 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 9/second --limit-burst 10 -j ACCEPT sudo iptables -A INPUT -p tcp --destination-port 8621 --syn -m state --state NEW -m limit --limit 9/s --limit-burst 10 -j ACCEPT
This approach seems not to help in order to still use the application. So, I posted another question: set connection limit via iptables .
-
Bratchley over 9 yearsI don't have enough experience with
tc
to know how to do it with that (although I know it is possible) but there is a means of doing that with cgroups -
Barmar over 9 yearsDo you mean
packet
limit? -
Andy over 9 yearssry, I don't know the difference
-
Andy over 9 years@JoelDavis the suggested solution with cgroup does not work, I get error: "only root can do that" for the first line
-
Celada over 9 years@Andy I'm pretty sure that whatever the solution is, whether it's
tc
or cgroups or something else, it will require root access. Do you require a solution that doesn't need root? -
frostschutz over 9 yearsSomething like
iptables -A OUTPUT -m limit --limit 100/s -j ACCEPT
, given a default DROP policy? Not sure abouttc
, most qdiscs do bandwidth rather than absolute packet counts. Then again, this would drop rather than delay... -
PersianGulf over 9 yearsI think you don't need
tc
, limit match is enough. -
Andy over 9 years@frostschutz I tried your command, but somehow I still exceed the limits. I assume you understand German, maybe I misunderstood the rules of my internet provider (link chapter "Verhinderung von Portscans, Denial of Service ,..")
-
frostschutz over 9 years@Andy: the rules described there are considerably more complex than what you put in your question. (In particular limit 10 instead of 100 in most cases). I see you've edited your question since, but all other issues aside, does this thing even have any chance to work with only 10 packets per second? Also, limiting INPUT is considerably harder than OUTPUT. Control over what others send you is very indirect only...
-
Andy over 9 yearsthus I have to limit the INPUT and OUTPUT packet rate to 10/s ? .. but it should work with iptables? How can I see how much the packet rate of the application actually is? I guess the application should still work after this limitation, because the order of exceeded packets is the same as the order of the limit.
-
Bratchley over 9 years@Andy Looks like you found another solution but if you're getting an error saying you need root then you should go to the root account. You're going to need root access to do it with
iptables
ortc
as well (which you're doing viasudo
). The solution works and cgroups are useful for all sorts of resource limitations. But do whatever approach makes the most sense.
-
-
GnP over 9 yearsI must be missing something, because I don't see how this answers the question...
-
Andy over 9 yearsbtw I tried this yesterday and it didn't work
-
Andy over 9 yearsthanks! I have to test this, will have the possibility in a few days. Do you know a command line (like ss -t -a) to have surveillance over an application? .. in order to see how many OUTPUT and INPUT packets there are
-
GnP over 9 years
-
PersianGulf over 9 years@gnp because poster mentioned me for example , above answer is example...
-
Andy over 9 yearswell, it works.. every connection is limited by 10 packets/s
-
Andy over 9 yearsunfortunately, the application is worthless then... looking at the IP traffic, I have to make another approach: I need to limit the connections per second... is this also possible with iptables?
-
GnP over 9 yearsCertainly, add an ACCEPT rule to match ESTABLISHED and RELATED connections right before the REJECT or DROP policy. You need conntrack for this, so I would suggest you open a new question (and link it at the end of this one)
-
Andy over 9 yearsok, I edited the question.. I'm afraid I have no idea how to match ESTABLISHED and RELATED connections, could you help me there as well?