
I want to limit the IP traffic of an application (AceStream Player). The problem is that I get disconnected if too many IP connections are established.

Does anyone know how to use iptables to limit the connections to e.g. 10/second?

Inspired by the answer below, I tried:

$iptables -A OUTPUT -p tcp --dport 8621 -m limit --limit 10/s -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 8621 -j DROP

This seems to limit the connections, but somehow to a lower limit, like 2-3/sec. Do the rules above limit the connections or the packets to 10/sec?

Is it also possible to delay the connections by using QUEUE instead of DROP?

Andy

2 Answers


This can easily be done with the --limit option.

For example, iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/s -j ACCEPT should be a good place to get started.

I also recommend looking at Linux iptables pocket reference by Gregor Purdy (ISBN: 0-596-00569-5). I use it any time I have a question with iptables.

SailorCire
  • thanks for the reference, but I still can't find a useful rule... I assume I need also a REJECT rule for iptables? – Andy Oct 28 '14 at 18:58

You need to limit the rate at which new connections are established. If you simply use -m limit you would be limiting the packet rate, regardless of whether it's a new connection packet or a data packet for an existing connection.

According to this question you can use -m state for that. The whole iptables ruleset would be:

iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j REJECT

You may prefer to fine-tune these rules a little; the way they are, they match anything going out.

For instance, to only limit tcp connections this way, and leave anything else through:

iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j REJECT

Note that I only changed the last rule, everything else will be accepted by default or fall down to your other rules.

To go further you should really learn iptables. @sailor already pointed you to a great book on the subject. There are plenty of good resources online as well. Once you get the concepts handled by iptables (chains, tables, rules and policies) you'll find man 8 iptables has all the answers.

Using a frontend to iptables is also a good option if you don't have the time to get deep into iptables. I use shorewall for most firewalls I manage.

GnP
  • thx! how could I fine tune the rules in order to limit only TCP connections? – Andy Oct 29 '14 at 09:58
  • I added teh codez. Regarding the somewhat lower limit you see, read up on burst or --limit-burst. – GnP Oct 29 '14 at 15:04
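Added worked example (not code from either answer): a small Python model of the -m limit token bucket, run over a constructed packet trace of outgoing traffic to port 8621. It shows why rules that apply the limit to every packet to the port, as in the question, let through only about 2 new connections per second of the nominal 10/s: data packets on connections that are already open spend the tokens first. It also shows that putting the limit rule before the ESTABLISHED,RELATED rule, as in the answer, leaves the same starvation of new connections in place (data is merely no longer dropped), and that applying the limit only to packets in state NEW limits the connection rate, which is what the question asked for. The packet mix (48 packets/s, every sixth one a SYN), the 5-second run and the "new_only" rule order are assumptions made for the example; the bucket model follows the documented --limit / --limit-burst semantics (default burst 5) but uses exact arithmetic rather than the kernel's jiffy-granular credit accounting, so real counts will differ slightly.

```python
# Added example (not from the page): a model of the iptables "-m limit" token
# bucket, run over a constructed OUTPUT packet trace, to show why rate-limiting
# every packet to a port leaves only ~2 new connections/s of a nominal 10/s,
# while limiting only NEW packets limits the connection rate itself.
from fractions import Fraction

NEW, ESTABLISHED = "NEW", "ESTABLISHED"   # conntrack states as -m state sees them


class LimitMatch:
    """Token bucket with the documented semantics of -m limit: --limit is the
    refill rate, --limit-burst (default 5) the bucket size, and a packet matches
    only if a whole token is available, consuming it. Fraction keeps the model
    exact and deterministic; the real xt_limit counts credits in kernel jiffies
    and rounds slightly differently."""

    def __init__(self, rate, burst=5):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst          # bucket starts full
        self.last = Fraction(0)

    def matches(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def trace(seconds=5, per_second=48, new_every=6):
    """Constructed trace (assumption): per_second packets to --dport 8621 each
    second, every new_every-th one a SYN (state NEW), the rest data on
    connections already open. Defaults: 8 connection attempts/s, 40 data/s."""
    for sec in range(seconds):
        for k in range(per_second):
            yield Fraction(sec) + Fraction(k, per_second), (NEW if k % new_every == 0 else ESTABLISHED)


def question_rules(limit, now, state):
    # -A OUTPUT -p tcp --dport 8621 -m limit --limit 10/s -j ACCEPT
    # -A OUTPUT -p tcp --dport 8621 -j DROP
    # Every packet to the port, data included, competes for the 10 tokens/s.
    return limit.matches(now)


def answer_rules(limit, now, state):
    # -A OUTPUT -m limit --limit 10/s -j ACCEPT
    # -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -A OUTPUT -p tcp -j REJECT
    # Data is no longer dropped, but it still hits rule 1 first and spends the
    # tokens that new connections needed.
    if limit.matches(now):
        return True
    return state == ESTABLISHED


def new_only_rules(limit, now, state):
    # Assumed ordering (not on the page): state match first, limit on NEW only.
    # -A OUTPUT -p tcp --dport 8621 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -A OUTPUT -p tcp --dport 8621 -m state --state NEW -m limit --limit 10/s --limit-burst 5 -j ACCEPT
    # -A OUTPUT -p tcp --dport 8621 -j REJECT
    if state == ESTABLISHED:
        return True
    return limit.matches(now)


def run(ruleset, packets):
    """Feed packets through a ruleset (function (limit, now, state) -> accepted)
    with one fresh 10/s bucket and count what matters to the user."""
    limit = LimitMatch(rate=10)
    stats = {"new_accepted": 0, "new_dropped": 0, "data_dropped": 0}
    for now, state in packets:
        accepted = ruleset(limit, now, state)
        if state == NEW:
            stats["new_accepted" if accepted else "new_dropped"] += 1
        elif not accepted:
            stats["data_dropped"] += 1
    return stats


def compare(seconds=5):
    """Run the same constructed trace through all three rulesets."""
    return {name: run(rules, trace(seconds)) for name, rules in
            [("question", question_rules), ("answer", answer_rules), ("new_only", new_only_rules)]}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:9s} {stats}")
```

Over the 5-second trace the question's rules accept 10 of 40 connection attempts (the first five come from the initial burst, then the bucket settles to one SYN per 24 packets, i.e. 2/s) and also drop 156 data packets of open connections; the answer's ordering accepts the same 10 SYNs but drops no data; the NEW-only variant accepts all 40 because only SYNs draw on the bucket and 8/s never exhausts a 10/s refill with a burst of 5.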