
On Linux, can I use tools like tc, iptables or others to control/shape network traffic on a network interface, for the following purposes:

  1. Control the network packet number rate (or the total number).
  2. Control the number of IP addresses connected (sent).
  3. Control the total number of open TCP connections (per second).

If so, how can I do that?

Thomas
WindChaser

2 Answers


I don't have an answer for nr. 2 (see below). For 1. and 3. you can use the limit module:

  1. Control the network packet number rate:

    iptables -A OUTPUT -m limit --limit 10/s -j ACCEPT
    
  2. Control the total number of open TCP connections (per second):

    iptables -A INPUT -m state -m tcp -p tcp --dport 80 --state RELATED,ESTABLISHED -m limit --limit 10/second -j ACCEPT
    

Alternatively you can use the hashlimit module:

  1. Control the network packet number rate:

    iptables -A INPUT -m hashlimit -m tcp -p tcp --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 10/sec --hashlimit-burst 2 --hashlimit-htable-expire 30000 --hashlimit-name pktlimit -j DROP
    
  2. Control the total number of open TCP connections (per second):

    iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 80 --hashlimit-above 10/sec --hashlimit-mode srcip --hashlimit-name connlimit -m state --state RELATED,ESTABLISHED -j DROP
    

You can monitor how hashlimit is performing for you by looking at:

    cat /proc/net/ipt_hashlimit/pktlimit
    cat /proc/net/ipt_hashlimit/connlimit

EDIT:

In a world where NAT is dominant, does it really make sense to limit the number of source IP addresses like you want to do in nr. 2? I think it makes more sense to limit the total number of open TCP connections, like this:

    iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
George Udosen
Luca Gibelli
  • iplimit is not available in my version... – WindChaser May 12 '18 at 06:01
  • it would help to know which is 'your version' :) – Luca Gibelli May 12 '18 at 10:35
  • iptables v1.6.1 on Ubuntu 18.04; and iptables v1.4.21 on CentOS. – WindChaser May 14 '18 at 04:45
  • what's the reason for limiting the number of ip addresses? Doesn't it make more sense to limit the number of tcp connections? With your original request an attacker with a single IP could open any number of tcp connections by opening connections at a rate just a tad slower than the limit. See my updated answer. – Luca Gibelli May 14 '18 at 06:23
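As an added example (not part of the answer above), a small Python parser for the `/proc/net/ipt_hashlimit/<name>` tables the answer suggests monitoring: it lists the sources whose token bucket is exhausted, i.e. whose next packet would match `--hashlimit-above` and hit the DROP target. The column layout (`expires src:port->dst:port credit credit_cap cost`) is assumed from the kernel's proc output and the sample lines are constructed, so compare against what your own kernel prints.

```python
"""Report which sources a hashlimit rule is currently dropping."""
from dataclasses import dataclass
from typing import List

# Constructed sample of /proc/net/ipt_hashlimit/pktlimit (assumed layout):
#   <expires_s> <src>:<sport>-><dst>:<dport> <credit> <credit_cap> <cost>
# With --hashlimit-mode srcip only the source address is populated.
SAMPLE_TABLE = """\
29 10.0.0.5:0->0.0.0.0:0 0 320000 32000
12 10.0.0.7:0->0.0.0.0:0 288000 320000 32000
3 192.0.2.9:0->0.0.0.0:0 16000 320000 32000
"""


@dataclass
class HashlimitEntry:
    expires: int        # seconds until the entry is garbage-collected (htable-expire)
    src: str
    sport: int
    dst: str
    dport: int
    credit: int         # tokens left in the bucket
    credit_cap: int     # bucket size, i.e. burst capacity
    cost: int           # tokens one packet consumes

    @property
    def over_limit(self) -> bool:
        # The kernel lets a packet through only if credit >= cost; otherwise
        # the entry is "above" the rate and --hashlimit-above matches.
        return self.credit < self.cost

    @property
    def packets_left(self) -> int:
        # How many more packets pass before the bucket is empty (ignoring refill).
        return self.credit // self.cost


def parse_hashlimit(text: str) -> List[HashlimitEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        expires, flow, credit, cap, cost = line.split()
        src, dst = flow.split("->")
        # rsplit keeps IPv6 addresses intact, since only the last colon is the port
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        entries.append(HashlimitEntry(int(expires), sip, int(sport), dip, int(dport),
                                      int(credit), int(cap), int(cost)))
    return entries


def limited_sources(text: str) -> List[str]:
    """Source addresses whose next packet would be dropped."""
    return sorted(e.src for e in parse_hashlimit(text) if e.over_limit)


def read_table(name: str) -> str:
    # Hypothetical helper: read a live table, e.g. read_table("pktlimit").
    with open(f"/proc/net/ipt_hashlimit/{name}") as fh:
        return fh.read()


if __name__ == "__main__":
    for e in parse_hashlimit(SAMPLE_TABLE):
        print(f"{e.src:16} over_limit={e.over_limit} packets_left={e.packets_left}")
```

Credit is refilled at the configured rate on each lookup, so an entry that shows as over the limit may admit a packet again a moment later; the table is a snapshot, not a verdict.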

Regarding your question 1.)

As far as I understand the tool tc, you can control the rate / throughput in kbit or mbit. The manpage of tc also mentions a

b or a bare number in Bytes.

Since it is not clear what the background of your questions is, what the intention is, what you are trying to achieve, and since the solution / topic is too broad, I would like to refer you to the available tutorials for traffic control, like the one on Archlinux.

There are also threads on Serverfault available, e.g. How to do traffic shaping (rate limiting) with TC per OpenVPN client or Linux control packet size for specific IP address.

They may give hints for your questions 2.) and 3.) too.

U880D