    #1

    iptables question

    Is it possible to rate limit requests per source IP to a per second amount or millisecond amount?

    For example:

    255.255.255.255 requests index.php 10 times in a row half a second apart. Is it possible to use iptables to rate limit the traffic to only let 1 request per second get through?

    Thanks.
    ServerMatingProject.com
    The World's first server mating experiment
    We give new meaning to I/O intensive and hot swap

    #2
    iptables -A INPUT -p tcp --syn -m limit --limit 5/second -j ACCEPT


    So that'll let 5 TCP requests in per second.

    #3
    I've never actually tried this, but here's the rule I would think would do it.

    iptables -A INPUT -m limit --limit 60/minute -s 255.255.255.255 -j ACCEPT

    Now there are potential problems with this, the primary one being that, if I am remembering right, the page is not downloaded all in one connection. It makes separate connections for each image on the page, etc., so this could keep that person from getting images or whatnot.

    I would do some looking into apache modules, I am guessing they probably have one that will do what you need with less adverse side effects, if any.
    http://www.bash-shell.net - webhosting geared towards personal websites and small businesses.
    http://domains.bash-shell.net

    #4
    Would those rules catch it if, let's say, 10 requests were sent 100 milliseconds apart, and only allow 1 of those in per second?

    Thanks.

    #5
    Yes. Well, with 5/second it should let 5 of those in; with 60/minute (which could also be written as 1/second) it should only let 1 in.
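The rules in #2 and #3 are token buckets, and `-m limit` has a default `--limit-burst` of 5, which changes the answer to the question in #4. The script below is an added example, not part of the thread: it models the bucket (start full at BURST tokens, refill at RATE tokens per second, one token per packet) and runs it over the thread's scenario, 10 requests 100 ms apart. The "global" mode is one bucket for the whole rule, which is what `-m limit` does; the "srcip" mode keeps one bucket per source address, which is what the later `hashlimit` match does with `--hashlimit-mode srcip`. The addresses and timings are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): token-bucket model of iptables
# "-m limit" (one bucket per rule) and "-m hashlimit --hashlimit-mode srcip"
# (one bucket per source address). Assumptions: bucket starts full with
# BURST tokens, refills at RATE tokens per second, is capped at BURST, and
# each packet costs one token. Times are milliseconds, rates are packets
# per second (so 60/minute is written as 1), and input is in time order.
#
# Usage: simulate_limit RATE BURST global|srcip "REQUESTS"
#   REQUESTS: newline-separated "ms src_ip" lines.
simulate_limit() {
    rate="$1"
    burst="$2"
    mode="$3"
    requests="$4"
    printf '%s\n' "$requests" | awk -v rate="$rate" -v burst="$burst" -v mode="$mode" '
        NF < 2 { next }
        {
            ts = $1 + 0
            key = (mode == "srcip") ? $2 : "*"        # one bucket per source, or one shared bucket
            if (!(key in credit)) {                    # first packet for this bucket: start full
                credit[key] = burst * 1000
                last[key] = ts
            }
            credit[key] += (ts - last[key]) * rate     # rate tokens/s == rate milli-tokens/ms
            if (credit[key] > burst * 1000) credit[key] = burst * 1000
            last[key] = ts
            if (credit[key] >= 1000) { credit[key] -= 1000; acc++ } else { drop++ }
        }
        END { printf "accepted=%d dropped=%d\n", acc, drop }'
}

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
# One client sending 10 requests 100 ms apart, as in the question:
ONE_HOST=$(i=0; while [ "$i" -lt 1000 ]; do echo "$i 203.0.113.7"; i=$((i + 100)); done)
# Two clients interleaved, 5 requests each, 100 ms apart, offset by 50 ms:
TWO_HOSTS=$(i=0; while [ "$i" -lt 500 ]; do
    echo "$i 203.0.113.7"; echo "$((i + 50)) 198.51.100.9"; i=$((i + 100)); done)

echo "--limit 1/second, default --limit-burst 5:        $(simulate_limit 1 5 global "$ONE_HOST")"
echo "--limit 1/second --limit-burst 1:                 $(simulate_limit 1 1 global "$ONE_HOST")"
echo "--limit 5/second, default --limit-burst 5:        $(simulate_limit 5 5 global "$ONE_HOST")"
echo "two hosts, 1/second burst 1, shared bucket (limit):     $(simulate_limit 1 1 global "$TWO_HOSTS")"
echo "two hosts, 1/second burst 1, per-source (hashlimit):    $(simulate_limit 1 1 srcip "$TWO_HOSTS")"
```

With the default burst, `--limit 1/second` lets the first 5 of the 10 requests through and `--limit 5/second` lets 9 through; only `--limit-burst 1` gives the "1 per second" the question asks for. In the two-host run the shared bucket lets exactly one packet through for everybody, so one noisy client starves the other, while the per-source buckets admit one packet from each.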

    #6
    iptables -A INPUT -m limit --limit 60/minute -s 255.255.255.255 -j ACCEPT

    Does that rate limit all requests for all IPs on the entire server or does that limit it for each source IP to 1 per second?

    Thanks.

    #7
    Originally posted by TheVoice
    iptables -A INPUT -m limit --limit 60/minute -s 255.255.255.255 -j ACCEPT

    Does that rate limit all requests for all IPs on the entire server or does that limit it for each source IP to 1 per second?

    Thanks.
    No, that will NOT limit per unique source IP. You will have to grab the latest iptables and patch it with patch-o-matic-ng to get the connlimit feature.

    From the help file:
    Code:
    This adds an iptables match which allows you to restrict the
    number of parallel TCP connections to a server per client IP address
    (or address block).
    
    Examples:
    
    # allow 2 telnet connections per client host
    iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
    
    # you can also match the other way around:
    iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
    
    # limit the nr of parallel http requests to 16 per class C sized
    # network (24 bit netmask)
    iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
            --connlimit-mask 24 -j REJECT
    Note, this doesn't limit per second connections, but total number of connections.
    Last edited by RutRow; 05-27-2004 at 09:30 AM.
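The thread dates from when `connlimit` needed patch-o-matic-ng; current iptables ships both `connlimit` (parallel connections per source) and `hashlimit` (a rate limit with one bucket per source address, which is the per-IP version of the `-m limit` rule in #3). The script below is an added example, not code from the thread, showing the two combined for a web port. It assumes a kernel with the `conntrack`, `connlimit` and `hashlimit` matches, and note that the firewall can only count connection attempts (SYNs), not HTTP requests: with keep-alive, several requests share one connection. By default it only prints the rules; run it as root with `apply` to install them.

```shell
#!/bin/sh
# Added example (not from the thread): per-source limits on a web port with
# stock iptables. Assumes the conntrack, connlimit and hashlimit matches are
# available. IPT is overridable so the rule set can be printed instead of
# applied (the default below).
IPT="${IPT:-iptables}"
http_port=80

# Emit/apply one rule set: established traffic bypasses the limits, new
# connections are rate limited per source IP, parallel connections are capped.
per_source_http_rules() {
    port="$1"      # TCP port to protect
    rate="$2"      # new connections per second allowed per source IP
    burst="$3"     # bucket depth; 1 means "exactly rate, no initial burst"
    maxconn="$4"   # parallel connections allowed per source /24

    # Let already-accepted connections through untouched, so the limits
    # only count connection attempts (SYNs), not every packet.
    "$IPT" -A INPUT -p tcp --dport "$port" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Cap parallel connections per /24, which is what connlimit measures
    # (total open connections, not connections per second).
    "$IPT" -A INPUT -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$maxconn" --connlimit-mask 24 -j DROP

    # Per-source token bucket. Unlike "-m limit", hashlimit keeps one bucket
    # per source address (--hashlimit-mode srcip), so one client cannot use
    # up the budget for everyone; --hashlimit-srcmask 32 means per host.
    "$IPT" -A INPUT -p tcp --syn --dport "$port" \
        -m hashlimit --hashlimit-name "http_src_$port" --hashlimit-mode srcip \
        --hashlimit-srcmask 32 --hashlimit-upto "${rate}/sec" --hashlimit-burst "$burst" \
        -j ACCEPT

    # Anything above the per-source rate is dropped.
    "$IPT" -A INPUT -p tcp --syn --dport "$port" -j DROP
}

# Dry run by default; pass "apply" to run the real iptables binary.
if [ "${1:-}" != "apply" ]; then
    IPT=echo
fi
per_source_http_rules "$http_port" 1 1 16
```

Rule order matters: the ESTABLISHED rule must come first, otherwise the hashlimit bucket is charged for every data packet of an accepted connection and legitimate downloads are throttled, which is the side effect #3 warns about.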

    #8
    Is there a way to do per source IP limiting using connlimit?

    Thanks.

    #9
    I would honestly do some looking into apache modules to see if one has been written to do such a thing. I know it would be doable as that is sort of a variation on part of the functionality of mod_dosevasive.

    #10
    I would do that but we don't use apache.

    #11
    Ah, OK, yeah, that does present a problem. I assume you've already looked for something like that for whatever httpd you do use then?

    #12
    Yes. It will need to be done at the firewall level, it seems, which looks like it's possible.
