
I have a D-Link router DSL-2730U that supports BusyBox OS and iptables version 1.4.0.

I successfully managed to block the host from connecting to the internet using the following commands.

Block by IP address:

iptables -I FORWARD -d 192.168.1.6 -j DROP

Or by MAC source:

iptables -I FORWARD -m mac --mac-source bc:20:a4:ff:79:80 -j DROP

The only problem I have now is trying to limit the transfer speed rate (upload & download) to only 30 kbps by MAC address using iptables.

I tried to make an iptables rule like:

iptables -I FORWARD -m mac --mac-source bc:20:a4:ff:79:80 -m state --state RELATED,ESTABLISHED -m limit --limit 100/second --limit-burst 30 -j ACCEPT

But it didn't work.

Note: this router cannot modify, delete or add any files. I cannot make a bash or script file run inside the router, and unfortunately the iptables connlimit module is not supported in this iptables version either.

iLinux85
  • It doesn't make much sense to call a source rule (--mac-source) an alternative to a destination rule (-d)... You can limit the bandwidth with traffic shaping (tc), too, but if connlimit isn't available that raises the question whether tc is. – Hauke Laging Feb 08 '15 at 11:23
  • --limit doesn't do what you appear to think it does, and you can't limit traffic speed with iptables. Instead use tc to manage traffic shaping. Have a search for myshaper, amongst other utilities. – Chris Davies Feb 08 '15 at 13:14
  • Not true, @roaima: you can limit speeds with iptables, by simple expedient of dropping packets that would push you over the set rate. It is not as precise as tc, because of how dropped TCP packets interact with various resending and congestion avoidance algorithms, but it guarantees you won't go over the limit. – Davor Cubranic May 07 '20 at 17:49
  • For a full-blown example using tc, you can find myshaper.sh at http://www.tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/implementation.html – Davor Cubranic May 07 '20 at 17:52

2 Answers

You can limit speed with iptables, like this:

iptables -I FORWARD -d 192.168.1.6 -j DROP
iptables -I FORWARD -d 192.168.1.6 -m limit --limit 100/sec -m state --state ESTABLISHED -j ACCEPT

But it is not very convenient, because "limit" limits by packets, not by bytes per second. If we suppose 1 packet = 1500 bytes, 100 packets/s = 150 KB/s. But some protocols with smaller packets will work slower. Also this may cause sudden disconnections.

However, if you must limit traffic in the router, there is not much choice; often iptables is the only utility on a router that can do this.

Note that the "limit" and "drop" rules should be in the right order. The first rule limits and allows traffic, the second rule blocks traffic over the limit.

  • As presented, the statement sequence is equivalent to only the first line by itself. You need to place the first line as the second line. That way, the limiting function does limit and the next one drops everything else. – Eric Marceau Sep 22 '22 at 18:49
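As an added illustration of the packets-versus-bytes caveat in this answer (example code, not the poster's): a small Python model of the "limit" match as a token bucket, the same credit/cost scheme the xt_limit kernel module uses, run over a constructed, evenly spaced packet stream. The microsecond clock, the offered load and the packet sizes are assumptions of the model.

```python
"""Token-bucket model of the iptables 'limit' match (xt_limit).

`-m limit --limit 100/sec --limit-burst 5` keeps a credit balance: credits
accrue at the configured rate up to a cap of `burst` packets, and each
matching packet spends one.  A packet that finds the balance empty does not
match and falls through to the DROP rule after it.  The budget is counted
in packets, so the byte rate that survives depends on packet size.
"""

US = 1_000_000  # credits per packet; the model clock runs in microseconds


class PacketLimit:
    def __init__(self, rate_pps: int, burst: int = 5):
        self.rate = rate_pps       # --limit, in packets per second
        self.cap = burst * US      # --limit-burst (iptables default is 5)
        self.credit = self.cap     # the bucket starts full
        self.last_us = 0

    def match(self, now_us: int) -> bool:
        """Return True if a packet arriving at `now_us` is within the limit."""
        elapsed = now_us - self.last_us
        self.credit = min(self.cap, self.credit + elapsed * self.rate)
        self.last_us = now_us
        if self.credit >= US:
            self.credit -= US
            return True
        return False


def shape(packet_size: int, offered_pps: int, rate_pps: int,
          seconds: int = 1, burst: int = 5):
    """Push a constructed stream of `offered_pps` packets/s, each
    `packet_size` bytes, through the limit+DROP pair for `seconds`.
    Returns (accepted_packets, dropped_packets, accepted_bytes_per_second)."""
    lim = PacketLimit(rate_pps, burst)
    accepted = dropped = 0
    for i in range(offered_pps * seconds):
        now_us = i * US // offered_pps        # evenly spaced arrivals
        if lim.match(now_us):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, accepted * packet_size / seconds


if __name__ == "__main__":
    # Same 100 packets/s rule and offered load, different packet sizes:
    # the byte rate that gets through scales with the packet size.
    for size in (1500, 576, 64):
        ok, lost, bps = shape(size, offered_pps=1000, rate_pps=100)
        print(f"{size:5d}-byte packets: {ok} accepted, {lost} dropped, "
              f"{bps / 1000:.1f} kB/s gets through")
```

The first second admits the burst allowance on top of the steady rate, which is why the model shows slightly more than 100 packets there.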

There is a project called DDoS-Deflate that blocks IP addresses that exceed a limit, and it can help you in your case:

https://github.com/jgmdev/ddos-deflate

acgbox