
According to the iptables-extensions man page, hashlimit can do bandwidth limiting:

"flows exceeding 512kbyte/s" =>

--hashlimit-mode srcip,dstip,srcport,dstport --hashlimit-above 512kb/s

However, when I try to specify a rule like that, 1) it doesn't limit my bandwidth as I expect, 2) when I dump the rules with iptables-save, I get the same entries no matter what I put after the number (kb/s, b/s, /sec, something silly, or nothing at all):

# iptables -t filter -A it2net -s 10.5.2.43/32 -m hashlimit --hashlimit-upto 8kb/s --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.44/32 -m hashlimit --hashlimit-upto 8b/s --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.45/32 -m hashlimit --hashlimit-upto 8 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.46/32 -m hashlimit --hashlimit-upto 8000 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.47/32 -m hashlimit --hashlimit-upto 8000b --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.48/32 -m hashlimit --hashlimit-upto 8000xb --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
# iptables -t filter -A it2net -s 10.5.2.49/32 -m hashlimit --hashlimit-upto 8000kb --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT

And the relevant parts of the dump:

-A it2net -s 10.5.2.43/32 -m hashlimit --hashlimit-upto 8/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.44/32 -m hashlimit --hashlimit-upto 8/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.45/32 -m hashlimit --hashlimit-upto 8/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.46/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.47/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.48/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT
-A it2net -s 10.5.2.49/32 -m hashlimit --hashlimit-upto 10000/sec --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j ACCEPT

(let's not worry about why 8000 is rounded up to 10000 ... or, should we?)

Any ideas what I'm missing? I would need to limit the bandwidth use of about 100 constantly changing users individually, so each would have only a very low limit to allow basic services (especially stupid mobile apps that can't use proxy authentication), but require signing in for everything else.

dakhota

Solution: I'm 3 minor versions behind. Byte-based hashlimit is introduced in iptables 1.4.15 (Ubuntu 13.04 has 1.4.12) – dakhota Aug 27 '13 at 20:11

Please post your solution as an actual answer when it lets you. Then accept your answer as the right one. This could assist others in the future with the same problem. – TheCleaner Aug 27 '13 at 21:45

2 Answers


To quote the OP, as the answer is in a comment

Solution: I'm 3 minor versions behind. Byte-based hashlimit is introduced in iptables 1.4.15 (Ubuntu 13.04 has 1.4.12) – dakhota

yagmoth555

Your rules ACCEPT packets up to a certain rate, but is there anything after that that DROPs the traffic when it doesn't match the rules? Either a default chain policy (-P) or an explicit rule...

What you could do is change your rules to DROP traffic with --hashlimit-above; ex:

# iptables -t filter -A it2net -s 10.5.2.43/32 -m hashlimit --hashlimit-above 8kb/s --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP
# iptables -t filter -A it2net -s 10.5.2.44/32 -m hashlimit --hashlimit-above 8b/s --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP
# iptables -t filter -A it2net -s 10.5.2.45/32 -m hashlimit --hashlimit-above 8 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP
# iptables -t filter -A it2net -s 10.5.2.46/32 -m hashlimit --hashlimit-above 8000 --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP
# iptables -t filter -A it2net -s 10.5.2.47/32 -m hashlimit --hashlimit-above 8000b --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP
# iptables -t filter -A it2net -s 10.5.2.48/32 -m hashlimit --hashlimit-above 8000xb --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP
# iptables -t filter -A it2net -s 10.5.2.49/32 -m hashlimit --hashlimit-above 8000kb --hashlimit-mode dstip --hashlimit-name test --hashlimit-htable-expire 3600000 -j DROP

The other options: default chain policy (it will block all traffic that doesn't match these rules), or explicit rules matching the same traffic you accept and dropping it when it doesn't match the ACCEPT hashlimit rules.

As for the way hashlimit mangles your rules, it looks rather odd. Will it do the same if you use distinct table names? I think it's either that you have an older version that doesn't support it, or it somehow takes the /s as /sec and assumes everything else for the table is per second.
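An added example, not code from either answer or from the OP: it gates the byte-based hashlimit syntax on the iptables version the accepted answer names (1.4.15+), since older versions silently parse "8kb/s" as a packet rate and the dump shows "8/sec", and it emits per-host DROP rules in the --hashlimit-above form the second answer proposes. The chain name it2net comes from the question; the hashlimit name perhost, the srcip mode, the sample address and the 8kb/s limit are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: refuse to build byte-based hashlimit
# rules unless iptables is new enough to parse byte units as bytes.

# True (exit 0) when dotted version $1 is >= $2, compared field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Pull "1.4.12" out of a banner such as "iptables v1.4.12" (empty if no match).
iptables_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# "yes" when byte units (8kb/s) are honoured, i.e. iptables >= 1.4.15;
# "no" when they would silently become a packet rate (8/sec).
hashlimit_bytes_supported() {
    ver=$(iptables_version_from_banner "$1")
    if [ -n "$ver" ] && version_ge "$ver" 1.4.15; then echo yes; else echo no; fi
}

# Print (not run) a per-host rule. srcip keys one bucket per source address,
# so each user gets an individual limit; traffic above it is dropped.
# $1 = source address, $2 = limit such as 8kb/s (assumed values).
build_drop_rule() {
    printf 'iptables -t filter -A it2net -s %s/32 -m hashlimit --hashlimit-mode srcip --hashlimit-above %s --hashlimit-name perhost -j DROP\n' "$1" "$2"
}

main() {
    # Constructed fallback banner for hosts where iptables is not installed.
    banner=$(iptables --version 2>/dev/null || echo 'iptables v1.4.12')
    if [ "$(hashlimit_bytes_supported "$banner")" = yes ]; then
        build_drop_rule 10.5.2.43 8kb/s
    else
        echo "'$banner' would parse 8kb/s as 8 packets/sec; need iptables >= 1.4.15" >&2
    fi
}
main
```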