
I want to limit the IP traffic of an application (AceStream Player). The problem is that I get disconnected if too many IP connections are established.

Does anyone know how to use iptables to limit the connections to e.g. 10/second?

Inspired by the answer below, I tried:

iptables -A OUTPUT -p tcp --dport 8621 -m limit --limit 10/s -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8621 -j DROP

This seems to limit the connections, but somehow to a lower limit like 2-3/sec. Do the rules above limit connections or packets to 10/sec?

Is it also possible to delay the connections by using QUEUE instead of DROP?

  • input or output connections?
    – Braiam
    Commented Oct 27, 2014 at 18:42
  • I used iptraf to look at the TCP connections.. the source host seems to be my IP, thus I would guess output.. does it work for both?
    – Andy
    Commented Oct 27, 2014 at 18:47
  • Not a problem guys, when I looked at these 2 Q's they looked like dups to me, reopening!
    – slm
    Commented Oct 28, 2014 at 19:37
  • If you want to slow down and effectively queue packets, then look at tc
    – SailorCire
    Commented Oct 29, 2014 at 13:37

2 Answers


This can easily be done with the --limit option.

For example, iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/s -j ACCEPT should be a good place to get started.

I also recommend looking at Linux iptables pocket reference by Gregor Purdy (ISBN: 0-596-00569-5). I use it any time I have a question with iptables.

  • thanks for the reference, but I still can't find a useful rule... I assume I need also a REJECT rule for iptables?
    – Andy
    Commented Oct 28, 2014 at 18:58

You need to limit the rate at which new connections are established. If you simply use -m limit you would be limiting the packet rate, regardless of whether it's a new connection packet or a data packet for an existing connection.

According to this question you can use -m state for that. The whole iptables ruleset would be:

# only packets that open a new connection are rate limited (10/s, default --limit-burst 5)
iptables -A OUTPUT -m state --state NEW -m limit --limit 10/s -j ACCEPT
# packets of connections that are already established are not counted against the limit
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j REJECT

You may prefer to fine-tune these rules a little; the way they are, they match anything going out.

For instance, to only limit tcp connections this way, and leave anything else through:

# only packets that open a new connection are rate limited (10/s, default --limit-burst 5)
iptables -A OUTPUT -m state --state NEW -m limit --limit 10/s -j ACCEPT
# packets of connections that are already established are not counted against the limit
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -j REJECT

Note that I only changed the last rule, everything else will be accepted by default or fall down to your other rules.

To go further you should really learn iptables. @sailor already pointed you to a great book on the subject. There are plenty of good resources online as well. Once you get the concepts handled by iptables (chains, tables, rules and policies) you'll find man 8 iptables has all the answers.

Using a frontend to iptables is also a good option if you don't have the time to get deep into iptables. I use shorewall for most firewalls I manage.

  • thx! how could I fine tune the rules in order to limit only TCP connections?
    – Andy
    Commented Oct 29, 2014 at 9:58
  • I added teh codez. Regarding the somewhat lower limit you see, read up on burst or --limit-burst.
    – GnP
    Commented Oct 29, 2014 at 15:04
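The difference between limiting packets and limiting new connections, which this answer and the question's "2-3/sec" observation turn on, can be seen without a firewall. The following is an added example, not code from the thread: it models the `limit` match as a token bucket (a simplification of netfilter's credit-based limiter) and runs a constructed workload of 20 connection attempts per second plus 100 data packets per second from already established flows through two rulesets. With `-m limit` applied to every packet, as in the question, the data packets of existing connections consume most of the 10 tokens per second and only a couple of new connections per second get through; with the limiter applied to state NEW only, new connections are held to about 10/s while established traffic is untouched. The arrival times are generated from a seeded random number generator and the 20/100 split is an assumption chosen to resemble a busy peer-to-peer client.

```python
"""Token-bucket model of the iptables `limit` match, used to compare
`-m limit` applied to every packet with `-m limit` applied only to
packets in state NEW.  Added example, not from the original thread.
The model is a simplification of netfilter's credit-based limiter."""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    t: float     # arrival time in seconds, relative to start
    new: bool    # True for a SYN opening a new connection (state NEW)


class LimitMatch:
    """Approximates `-m limit --limit RATE/s --limit-burst BURST`.

    The bucket starts full (BURST tokens), refills at RATE tokens per
    second, and a packet matches only if a whole token is available."""

    def __init__(self, rate_per_sec: float, burst: int = 5):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def packet_rate_ruleset(pkt: Packet, lim: LimitMatch) -> bool:
    """The rules from the question: every packet to the port passes
    through `-m limit`, and whatever does not match is dropped."""
    return lim.match(pkt.t)


def connection_rate_ruleset(pkt: Packet, lim: LimitMatch) -> bool:
    """ESTABLISHED,RELATED accepted without consuming tokens; only NEW
    packets (SYNs) go through the limiter, the rest is rejected."""
    if not pkt.new:
        return True
    return lim.match(pkt.t)


def make_traffic(seconds: int, syn_per_sec: int, data_per_sec: int, seed: int = 1):
    """Constructed workload (not captured traffic): connection attempts
    and data packets of established flows, each spread uniformly at
    random over the interval.  Data outnumbers SYNs five to one, an
    assumption meant to resemble a busy peer-to-peer client."""
    rng = random.Random(seed)
    pkts = [Packet(rng.random() * seconds, True) for _ in range(syn_per_sec * seconds)]
    pkts += [Packet(rng.random() * seconds, False) for _ in range(data_per_sec * seconds)]
    pkts.sort(key=lambda p: p.t)
    return pkts


def accepted_new_per_sec(ruleset, seconds: int = 100, rate: float = 10.0, burst: int = 5) -> float:
    """Run the workload through a ruleset and return how many new
    connections per second were allowed through."""
    lim = LimitMatch(rate, burst)
    accepted = 0
    for pkt in make_traffic(seconds, syn_per_sec=20, data_per_sec=100):
        if ruleset(pkt, lim) and pkt.new:
            accepted += 1
    return accepted / seconds


if __name__ == "__main__":
    print("new connections/s, limit on every packet  :", accepted_new_per_sec(packet_rate_ruleset))
    print("new connections/s, limit on state NEW only:", accepted_new_per_sec(connection_rate_ruleset))
```

The first figure lands well below the configured 10/s because roughly five out of six tokens are spent on data packets of connections that are already open, which is the effect the `--state NEW` match removes. Raising `--limit-burst` only changes how many packets get through before the bucket empties, not the steady-state rate, so it does not fix the ratio; putting the limiter on NEW packets does.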
