limit max UDP bandwidth per IP using iptables?

0

1

I'm using a VPS to host a VPN for DDoS protection, but I've been wanting to find a way to rate-limit UDP traffic per IP to prevent UDP floods. I'm looking for something to only allow X MBPS of traffic to each IP, and to ignore this IP if its traffic exceeds X MBPS.

I mainly want to prevent DoS from perl/shell scripts, as these seem to still be effective in disrupting operation of the VPN

Is this possible?

If so, could someone help me out with a method of implementing this using iptables?

Ecstasy

Posted 2019-11-13T19:42:52.933

Reputation: 116

You want to use QoS for this, which means the tc command, not iptables. tc is extremely difficult, but you can use fireqos and its online tutorial to setup a traffic shaping script without too much work. – LawrenceC – 2019-11-13T20:34:58.653

Answers

1

What you are trying to do will not prevent DDoS attacks; instead it will limit the bandwidth, which means low network performance, so I suggest you limit the number of UDP packets received per second:

1- Watch the UDP coming through the NIC:

iptables -I INPUT -p udp -i <nic> -m state --state NEW -m recent --set

2- Drop the packets exceeding n coming through your NIC during t seconds:

iptables -I INPUT -p udp -i <nic> -m state --state NEW -m recent --update --seconds <t> --hitcount <n> -j DROP

Reda Salih

Posted 2019-11-13T19:42:52.933

Reputation: 144

It would prevent the DoS attacks, because it would only allow X MB/s per IP address, meaning if an IP address is sending 5GBPS, only X MB/s would be acknowledged. The rest would be dropped. https://ddosfilter.net/projects/ has a Layer 7 version of the kind of script I am looking for. Only allow X MB/s from each separate IP address and ignore excess traffic (and possibly blacklist IPs that reach X+100MB/s for a short time, completely dropping traffic from the offending IP for ~10m)

– Ecstasy – 2019-11-14T15:25:26.060
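The script below is an added example; it is not code from the answer above or from the asker. It prints the two recent-module rules the answer describes (in the usual record-then-check order, with `-m conntrack` and a named list, both my choices rather than the answer's), adds a hashlimit rule for the per-source byte rate the question itself asks about (my addition, not something the answer proposed), and models the `--seconds`/`--hitcount` sliding window in awk over constructed arrival times so you can see which packet from a source is the first to be dropped. The interface `eth0`, the list names `UDPFLOOD` and `UDPBW`, and the window, hit count and rate values are placeholders.

```shell
#!/bin/sh
# Added example (not code from the question or the answer above).
# 1) udp_recent_rules   - the answer's two-rule "recent" limiter, emitted in the
#    usual record-then-check order with a named list (assumed name UDPFLOOD).
# 2) udp_hashlimit_rule - a per-source byte-rate limit (hashlimit module), the
#    closest iptables match for "X MB/s per IP" in the question; my addition.
# 3) simulate_recent    - a small awk model of the --seconds/--hitcount sliding
#    window, run over constructed arrivals to show which packets get dropped.
# The interface name, window, hit count and rate below are placeholders.

# Print (do not run) the recent-module rules. Apply as root, e.g.:
#   udp_recent_rules eth0 10 20 | sh
udp_recent_rules() {
  nic="$1"; secs="$2"; hits="$3"; name="${4:-UDPFLOOD}"
  # Record the source address of every NEW UDP flow in the named list ...
  printf 'iptables -A INPUT -p udp -i %s -m conntrack --ctstate NEW -m recent --name %s --set\n' \
    "$nic" "$name"
  # ... then drop once that source has >= hits entries no older than secs.
  # xt_recent stores at most ip_pkt_list_tot (default 20) stamps per address, so
  # iptables refuses a larger --hitcount unless the module is loaded with e.g.
  #   modprobe xt_recent ip_pkt_list_tot=200
  printf 'iptables -A INPUT -p udp -i %s -m conntrack --ctstate NEW -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
    "$nic" "$name" "$secs" "$hits"
}

# Per-source byte-rate limit: drop UDP from any single source above the rate.
# hashlimit rates with a b/s suffix are bytes per second (kb/s, mb/s, gb/s),
# not megabits, so convert before choosing the value.
udp_hashlimit_rule() {
  nic="$1"; rate="$2"; name="${3:-UDPBW}"
  printf 'iptables -A INPUT -p udp -i %s -m hashlimit --hashlimit-name %s --hashlimit-mode srcip --hashlimit-above %s -j DROP\n' \
    "$nic" "$name" "$rate"
}

# Sliding-window model of the two rules. stdin: "<epoch_seconds> <src_ip>" in
# arrival order. Each packet is recorded first (the --set rule), then dropped
# when the source has >= hits stamps within the last secs seconds (the --update
# rule). Simplification: one stamp per packet, no ip_pkt_list_tot cap.
simulate_recent() {
  awk -v secs="$1" -v hits="$2" '
    {
      t = $1; ip = $2
      n[ip]++; stamp[ip, n[ip]] = t           # record this packet
      inwin = 0
      for (i = 1; i <= n[ip]; i++)            # count stamps inside the window
        if (stamp[ip, i] >= t - secs) inwin++
      v = (inwin >= hits) ? "DROP" : "ACCEPT"
      printf "%s %s %s\n", t, ip, v
    }'
}

# Constructed arrivals: 192.0.2.10 bursts, 192.0.2.20 sends a single packet,
# then 192.0.2.10 returns after the window has expired.
SAMPLE_PACKETS='100 192.0.2.10
101 192.0.2.10
102 192.0.2.20
103 192.0.2.10
104 192.0.2.10
115 192.0.2.10'

# Packets the model drops for the sample with a 10 s window and hitcount 3.
sample_drop_count() {
  printf '%s\n' "$SAMPLE_PACKETS" | simulate_recent 10 3 | grep -c DROP
}

udp_recent_rules eth0 10 20
udp_hashlimit_rule eth0 10mb/s
printf '%s\n' "$SAMPLE_PACKETS" | simulate_recent 10 3
```

Two things worth keeping in mind when applying either rule set: with UDP, `--ctstate NEW` matches the first packet of every new source/destination/port tuple, so a flood that rotates source ports counts every packet (which is what you want here), and both the recent and hashlimit approaches key on the source address, so spoofed-source floods are spread across many keys and are better handled upstream or with tc shaping as the comment on the question suggests.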