Security :: Limit Incoming HTTP Bandwidth Usage With IPtables
Apr 5, 2011
Can I, with only the use of IPTABLES, limit the incoming bandwith for a protocol? We have for example servers that have a FTP and HTTP server running and whenever HTTP has a lot of connections open, the other uploads/downloads get a timeout. I know I can limit the number of connections but prefer to limit on protocol level. Is this possible using IPTABLES and if so, can someone indicate how to proceed or provide a link? If it's not possible can someone point me to the right tool for the job?
I recently read a windows tip which read: - Windows allots 20% of the bandwidth by default for various services like Windows update, spyware checks etc. We can get hold of this bandwith by changing the values of limit reserve bandwidth under QOS packet scheduler. Now my questions: How to limit the bandwidth usage used by ubuntu updates in the above lines?
I'm trying to limit the number of the ICMP packets reaching my server, so I'm using the limit module of iptables, unfortunately it seems the limit I set is totally ignored as I can easily send tens of ICMP packets and get a reply in less than 0.3 second Quote:
m3xican@m3xtop:~$ sudo ping -i0 -c20 x.x.x.x 20 packets transmitted, 20 received, 0% packet loss, time 230ms rtt min/avg/max/mdev = 184.969/185.895/189.732/1.301 ms, pipe 16, ipg/ewma 12.138/186.232 ms This is the rule I'm using to accept ICMP packets (default setting is DROP)
Code: iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT And these are the kernel modules related to iptables Code: Module Size Used by xt_limit 1382 0
I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things.This is my iptables -L -n :
Code: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535 code....
In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure to not accidently lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?
I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s) and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email. Presently for port 25 RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type: IMAP pop.server.com smtp.server.com
Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines -s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.
I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to 192.168.2.0s router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0Here is my current iptables
I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL
Note the actual IP we are using is masked here with 126.96.36.199. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
I'd like to find some sort of program which can tell me how much incoming data I've had in the last 24 hours. It goes by hours, not by days, but anything that's simple and that can display this will do. Is there any sort of program that does this? Something that would fit well with Ubuntu's style wouldn't hurt, but I'm not that worried about it as long as it does the job.
We have a cisco ASA firewall at work,which redirects all http traffic to our webserver. We have to install a new website ,but it can't be installed to the same server. Setting up a squid reverse proxy can redirect the incoming http requests to the appropriate webserver? If yes, could I get some directions on howto?
I want to use the tc rules for bandwidth control in my lan.i have a linux router(traffic shaper).how i can limit the amount of bandwidth every user has access to per day? For example, any user can't download more than 2 gb per day(or per month).
The information about lan's users(such as a group type,userid,etc.but not any thing about time limiting per user)is in ldap directory on ldap server.the linux server uses ldap server for authentication users when the user login.
I Own a netcafe and I want to limit the netspeed for some of the users on the network because some of them maybe use torrent or other ways to eat the bandwidth and the net became so slow for other users.
My task is a way to limit the net speed for some users on the network, I tried a mikrotik RouterOS but it look like a miss to install I wanted an easier way than this, I use linux or windows or any OS to make this task done please help me to do it !!
I want to put a bandwidth limit on the 8000 port. The limit not have to be global! It must be per connection! For example if i put a 20kB/s limit on the 8000 port and I have 3 clients connected to the port, i want that each have the 20kB/s. How can I do that? I readed something about TC, but i don`t know how to use it... I`m a little noobie Sorry for my bad english
The limit bandwidth options in U1 don't work for me. I will check the checkboxes and change the values. When I come back later, they are back to being unchecked, with the default values filled back in.
I want to limit bandwidth for downloading files with squid. I want to reserve bandwidth for other traffic (esp. web browsing). I know about delay pools but I don't understand well. Some users use download managers to download large movie files. I don't want to block downloading but I want to give them limited bandwidth. May be 5KBps or 6KBps because I have only 512Kbps (64KBps) connection.
In my household a number of people use the internet. Up to a maximum of 3 wired connections and 2 wireless connections at its peak, all connection through my D-LINK G604T router. The problem is, when one person is downloading or watching ..... or whatever, the others using the internet suffer. I've spent hours configuring QoS on my router, and long story short, no matter how I configure it, it just simply does not work. QoS in no way shape or form limits connection speed (which it says it should). Anyway.
I have a spare computer under my desk, and I'd like to know if I could set this up with a (free) linux distro that limits bandwidth speed per connection. For example, of the 1500 kb/ps (about) my modem pulls, is there a way to limit that to 768 or 512 per connection? so person A can still download, person B can still watch ....., and person C can still play counterstrike with a latency under 100. This would solve many, many arguments in my house I am *fairly* good with computers, but if the distro came with documentation and a GUI that would be awesome.
* TL;DR: * Is there a linux distro I can load on a spare computer that limits bandwidth per connection, wireless or otherwise, with good documentation? Failing that is there firmware I can use for my modem (dlink g604t) that would do the same? Failing that do you know of any good hitmen that would solve my family arguments, ahem, permanently?
i configured Squid3 server in my Ubuntu 10.04.Now the ip based and content based blocking is working fine.Now i want to configured bandwidth allocation of ip address and group ip address..pls give the solution
I'm getting DDoS attacks on my server, and I need to block all the attacking IPs.But for that I need to know which IPs are attacking me.I was thinking that I should log the bandwidth usage per IP so I can tell which IPs are using excessive bandwidth.How can I achieve this? I'm using Ubuntu 10.10.
recently i rent a xen vps intended to setup a PPTPD vpn server for me and my friends. so we can by-pass the great firewall in china and get back on ....., facebook and stuff. i have already setup the server and i can connect to it without any problem. but i still want to do some further configuration the server:
1. i want to limit the bandwidth to 400k/s per connection. 2. i also want to limit the max connection per user a/c
i have some thoughts on the 2nd requirement. in the user configuration file of /etc/ppp/chap-secret, you can specify the range of ip the user can get, does it limit the max connection per user a/c? or they can connect anyway, just every now and then a box pop up says conflict in IP address?