
I've been trying to set up traffic quotas for users on a shared server and I believe [with my limited knowledge] that iptables --quota and ports which have been selected for each user [--dport] is the way to do this...

# --dport/--dports needs a protocol, a port list needs the multiport match, and --quota needs -m quota
iptables -A OUTPUT -p tcp -m multiport --dports 1,2,3,4... -m quota --quota 123412341234 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 1,2,3,4... -j DROP

I think something like this would work to limit the traffic [and reset every month] but it's only for traffic going out.

  • Is there something I could do to combine -A OUTPUT and -A INPUT into one quota?
  • Or, is there a different method I could use to achieve the same thing more efficiently?

OS is Debian Squeeze.

Thanks.

Nick

1 Answer


If you want to apply quota to both incoming and outgoing, you'd do it like this:

# user-defined chains must exist before any rule can jump to them
-N filter_quota_1
-N filter_quota_2
<other filter_quota_N chains>
-N chain_where_quota_not_reached
-N chain_where_quota_is_reached
# outgoing traffic is identified by its source port, incoming by its destination port;
# -g (goto) sends both directions into the same per-user chain
-A OUTPUT -p tcp --sport $PORTNUM_1 -g filter_quota_1
-A OUTPUT -p tcp --sport $PORTNUM_2 -g filter_quota_2
<other OUTPUT rules for other users>
-A INPUT  -p tcp --dport $PORTNUM_1 -g filter_quota_1
-A INPUT  -p tcp --dport $PORTNUM_2 -g filter_quota_2
<other INPUT rules>
# one quota counter per user, decremented by INPUT and OUTPUT alike;
# once it is exhausted the -m quota rule stops matching and the second rule takes over
-A filter_quota_1 -m quota --quota $QUOTA_1 -g chain_where_quota_not_reached
-A filter_quota_1 -g chain_where_quota_is_reached
-A filter_quota_2 -m quota --quota $QUOTA_2 -g chain_where_quota_not_reached
-A filter_quota_2 -g chain_where_quota_is_reached
<other filter_quota_N chains>

When you want to reset quota #N, you'd do iptables -F filter_quota_N and then re-populate filter_quota_N.

Since the rules are mostly similar, you really should consider automation with bash (or another scripting language of your choice).

pepoluan
  • Thank you so much! - I could simply replace "-g chain_where_quota_is/not_reached" with a simple "-j ACCEPT/DROP" to start with something simple right? - Also what's the reason for "-p tcp", would there be any reason to include udp too? – Nick Mar 10 '11 at 22:19
  • @Nick `where_quota_not_reached` can be replaced with ACCEPT, but I suggest having a LOG+DROP pair in `where_quota_is_reached`, so you can easily find out if a user has hit her quota. The `-p tcp` is necessary to use `--dport` and `--sport`. UDP traffic generally is negligible, but if you want to monitor it, too, add similar rules but replacing `-p tcp` with `-p udp`. – pepoluan Mar 10 '11 at 23:43
  • Thanks for all your help, can't vote you up though :/ – Nick Mar 11 '11 at 20:34
  • @Nick heh, no problem, don't lose your sleep over it :) ... glad to be of help :) – pepoluan Mar 12 '11 at 03:24
  • No need to flush the chain and repopulate it ... just zero out the counters and you should be done. –  Dec 05 '15 at 22:15
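The rule layout from the answer, together with the LOG+DROP pair suggested in the comments, as an added example. This is a script written for this page, not pepoluan's or the asker's code: it takes a small user table and emits the complete ruleset in iptables-restore format, plus the flush-and-repopulate commands for the monthly reset. The chain names (quota_<user>, quota_exceeded), the user table, the ports and the quota values are all assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own script: generate the per-user quota
# chains from the answer in iptables-restore format, plus the commands used
# to reset one user's quota. Chain names and the user table are assumptions.

# Constructed sample table: one line per user as "name port quota_bytes".
USERS='alice 10001 1073741824
bob 10002 536870912'

# Sanity-check one table row; anything that is not a plain name/number is
# refused so a bad row cannot turn into a malformed rule.
valid_row() {
    case "$1" in ''|*[!a-z0-9_]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Emit a complete *filter table for the given user table in iptables-restore
# format. Every row gets one chain, quota_<name>, entered from both INPUT and
# OUTPUT so that a single -m quota counter covers traffic in both directions.
gen_quota_rules() {
    table=$1
    printf '*filter\n'
    # Chain declarations (the restore-format equivalent of iptables -N);
    # they must precede any rule that references the chain.
    printf ':quota_exceeded - [0:0]\n'
    printf '%s\n' "$table" | while read -r name port quota; do
        valid_row "$name" "$port" "$quota" || continue
        printf ':quota_%s - [0:0]\n' "$name"
    done
    # Dispatch: outgoing traffic is matched on source port, incoming on
    # destination port, both going (-g) to the same per-user chain.
    printf '%s\n' "$table" | while read -r name port quota; do
        valid_row "$name" "$port" "$quota" || continue
        printf '%s\n' "-A OUTPUT -p tcp --sport $port -g quota_$name"
        printf '%s\n' "-A INPUT -p tcp --dport $port -g quota_$name"
    done
    # Per-user chains: accept while the quota holds, otherwise fall through
    # to the shared "exceeded" chain.
    printf '%s\n' "$table" | while read -r name port quota; do
        valid_row "$name" "$port" "$quota" || continue
        printf '%s\n' "-A quota_$name -m quota --quota $quota -j ACCEPT"
        printf '%s\n' "-A quota_$name -g quota_exceeded"
    done
    # LOG+DROP pair from the comments, rate-limited so a user who keeps
    # sending after the quota is gone cannot flood the log.
    printf '%s\n' '-A quota_exceeded -m limit --limit 6/minute -j LOG --log-prefix "quota exceeded: "'
    printf '%s\n' '-A quota_exceeded -j DROP'
    printf 'COMMIT\n'
}

# Commands that reset user $1 to quota $2: flush the chain and re-populate
# it, which is the reset procedure the answer describes.
reset_quota_cmds() {
    printf 'iptables -F quota_%s\n' "$1"
    printf 'iptables -A quota_%s -m quota --quota %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A quota_%s -g quota_exceeded\n' "$1"
}

# Print the generated ruleset; pipe it into iptables-restore to apply it.
gen_quota_rules "$USERS"
```

The script never touches the firewall itself; feed its output to iptables-restore, and run the reset commands from cron once a month. One caveat the port-based scheme carries: an OUTPUT rule keyed on --sport only counts traffic that a user actually sends from the assigned port, so the scheme relies on something else enforcing that each user's daemon listens only where it should. For locally generated traffic, the owner match (`-m owner --uid-owner`) can identify the sending user by UID instead of by port, but it is only available in the OUTPUT chain, so it cannot replace the port-based INPUT rules.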