I have a packet rate limit (max. 10 per second) which is set by my internet provider. This is a problem if I want to use the AceStream player, because if I exceed the limit I get disconnected.

How can I restrict the internet access of this program?

I tried the suggested command:

iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT

but I get a fatal error message:

FATAL: Error inserting ip_tables (/lib/modules/3.2.0-67-generic/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted
iptables v1.4.12: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

With administrator rights:

sudo iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT

there is no error message anymore. But it is still not working, I get disconnected.

Is there an error in the command line? Or do I have to use other arguments of iptables?

Below is the actual message that I get when I exceed the limits of the provider: [screenshot not included]

Up to now, I tried different approaches, but none of them worked.

sudo iptables -A INPUT -p tcp --syn --dport 8621 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 9/second --limit-burst 10 -j ACCEPT

sudo iptables -A INPUT -p tcp --destination-port 8621 --syn -m state --state NEW -m limit --limit 9/s --limit-burst 10 -j ACCEPT

This approach does not seem to help me keep using the application. So I posted another question: set connection limit via iptables.

Andy
  • I don't have enough experience with tc to know how to do it with that (although I know it is possible), but there is a means of doing that with cgroups – Bratchley Oct 22 '14 at 18:30
  • Do you mean packet limit? – Barmar Oct 22 '14 at 18:47
  • sorry, I don't know the difference – Andy Oct 22 '14 at 20:24
  • @JoelDavis the suggested solution with cgroup does not work, I get error: "only root can do that" for the first line – Andy Oct 22 '14 at 20:47
  • @Andy I'm pretty sure that whatever the solution is, whether it's tc or cgroups or something else, it will require root access. Do you require a solution that doesn't need root? – Celada Oct 23 '14 at 01:30
  • Something like iptables -A OUTPUT -m limit --limit 100/s -j ACCEPT, given a default DROP policy? Not sure about tc, most qdiscs do bandwidth rather than absolute packet counts. Then again, this would drop rather than delay... – frostschutz Oct 23 '14 at 02:29
  • I think you don't need tc, limit match is enough. – PersianGulf Oct 23 '14 at 02:43
  • @frostschutz I tried your command, but somehow I still exceed the limits. I assume you understand German, maybe I misunderstood the rules of my internet provider (link chapter "Verhinderung von Portscans, Denial of Service ,..") – Andy Oct 23 '14 at 09:22
  • @MohsenPahlevanzadeh could you give me a example for a limit match? – Andy Oct 23 '14 at 11:25
  • @Andy: the rules described there are considerably more complex than what you put in your question. (In particular limit 10 instead of 100 in most cases). I see you've edited your question since, but all other issues aside, does this thing even have any chance to work with only 10 packets per second? Also, limiting INPUT is considerably harder than OUTPUT. Control over what others send you is very indirect only... – frostschutz Oct 23 '14 at 11:36
  • thus I have to limit the INPUT and OUTPUT packet rate to 10/s ? .. but it should work with iptables? How can I see how much the packet rate of the application actually is? I guess the application should still work after this limitation, because the order of exceeded packets is the same as the order of the limit. – Andy Oct 23 '14 at 13:32
  • @Andy Looks like you found another solution but if you're getting an error saying you need root then you should go to the root account. You're going to need root access to do it with iptables or tc as well (which you're doing via sudo). The solution works and cgroups are useful for all sorts of resource limitations. But do whatever approach makes the most sense. – Bratchley Oct 23 '14 at 14:21

2 Answers

The solution you found was correct:

iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT

But it is assuming a default policy of DROP or REJECT, which is not usual for OUTPUT. You need to add:

iptables -A OUTPUT -j REJECT

Be sure to add this rule after the ACCEPT one. Either execute them in this order, or use -I instead of -A for the ACCEPT.

Also, depending on the application this might kill the connection. In that case try with DROP instead of REJECT or try with a different --reject-with (default is icmp-port-unreachable).

I just tested with telnet against a DVR server and it didn't kill the connection. Of course, since a new connection is an output packet, trying to reconnect right after hitting the limit will fail right away if you use REJECT.

I gather from the comments that your ISP also expects you to limit your INPUT packets... you cannot do this. By the time you are able to stop them they've already reached your NIC, which means they were already accounted for by your ISP. The INPUT packet count will also increase considerably when you limit your OUTPUT because most of the ACKs won't make it out, causing lots of retransmissions.

10 packets per second is insane.

GnP
  • thanks! I have to test this, will have the possibility in a few days. Do you know a command line (like ss -t -a) to have surveillance over an application? .. in order to see how many OUTPUT and INPUT packets there are – Andy Oct 24 '14 at 17:43
  • Sure. I actually use shorewall for any firewall more complex than "reject everything except these two services". Check man 5 shorewall-accounting. – GnP Oct 24 '14 at 17:50
  • well, it works.. every connection is limited by 10 packets/s – Andy Oct 26 '14 at 22:02
  • unfortunately, the application is worthless then... looking at the IP traffic, I have to make another approach: I need to limit the connections per second... is this also possible with iptables? – Andy Oct 26 '14 at 22:05
  • Certainly, add an ACCEPT rule to match ESTABLISHED and RELATED connections right before the REJECT or DROP policy. You need conntrack for this, so I would suggest you open a new question (and link it at the end of this one) – GnP Oct 27 '14 at 14:03
  • ok, I edited the question.. I'm afraid I have no idea how to match ESTABLISHED and RELATED connections, could you help me there as well? – Andy Oct 27 '14 at 18:40
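Added example, not part of the thread: a small Python model of the token bucket that the iptables limit match implements, to show why the ACCEPT/REJECT pair in the answer above can still let more than 10 packets through in one second. It assumes the semantics documented for the limit module in iptables-extensions(8): --limit is the average refill rate, --limit-burst (default 5) is the bucket size, the bucket starts full, and a packet matches only when a whole token is available. The offered traffic is constructed, not captured from AceStream.

```python
"""
Model of the token bucket behind the iptables 'limit' match.

Semantics assumed (iptables-extensions(8), limit module):
  --limit RATE        average rate at which tokens are refilled
  --limit-burst N     bucket size (default 5); bucket starts full
A packet matches the ACCEPT rule when at least one whole token is
available and consumes it. Anything else falls through to the
REJECT/DROP rule that follows the ACCEPT rule.
"""


def limit_match(times_ms, rate_per_s, burst=5):
    """Return the subset of packet timestamps (ms, sorted) that the limit match accepts.

    Timestamps are integers so the refill arithmetic below is exact for
    the sample input used in this file.
    """
    tokens = float(burst)              # bucket starts full
    last = times_ms[0] if times_ms else 0
    accepted = []
    for t in times_ms:
        # refill at rate_per_s tokens per second, capped at the burst size
        tokens = min(float(burst), tokens + rate_per_s * (t - last) / 1000.0)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            accepted.append(t)
    return accepted


def max_in_any_window(times_ms, window_ms=1000):
    """Most packets inside any half-open window [t, t + window_ms).

    This is roughly how a provider counting "packets per second" sees the
    traffic, as opposed to the long-run average the limit match enforces.
    """
    best = 0
    for i, start in enumerate(times_ms):
        n = 0
        for t in times_ms[i:]:
            if t - start < window_ms:
                n += 1
            else:
                break
        best = max(best, n)
    return best


def offered_traffic():
    """Constructed sample: 5 packets at t=0 (a connect burst), then one packet
    every 50 ms for 3 seconds, i.e. 20 packets/s offered to the OUTPUT chain."""
    return [0] * 5 + list(range(50, 3001, 50))


def worst_second(rate_per_s, burst):
    """Packets that get through in the busiest one-second window."""
    return max_in_any_window(limit_match(offered_traffic(), rate_per_s, burst))


if __name__ == "__main__":
    for burst in (5, 1):
        print(f"--limit 10/s --limit-burst {burst}: worst one-second window "
              f"lets through {worst_second(10, burst)} packets")
```

With the default burst of 5, the rule "--limit 10/s" lets 14 packets through in the first second of the sample (the 5 initial tokens plus the refill), so a provider that counts per-second windows still sees the cap exceeded; "--limit-burst 1" brings the worst window down to 10. None of this helps on the INPUT side, for the reason GnP gives: incoming packets are counted by the provider before the local firewall ever sees them.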
Syn-flood protection:

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Furtive port scanner:

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping of death:

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

PersianGulf