Limit the rate of packets arriving at the server from one address (INPUT chain; -s selects the sender, i.e. the client, not the server):
iptables -A INPUT -s <client IP address> -m limit --limit 200/s -j ACCEPT
iptables -A INPUT -s 192.168.1.100 -m limit --limit 200/s -j ACCEPT
Limit the rate of packets the server sends to one client (OUTPUT chain; -d selects the receiver):
iptables -A OUTPUT -d <client IP address> -m limit --limit 200/s -j ACCEPT
iptables -A OUTPUT -d 192.168.1.100 -m limit --limit 200/s -j ACCEPT
Here 192.168.1.100 is the address of the client being limited; replace it with whatever address you need. Two caveats apply to every rule on this page: a limit rule only ACCEPTs up to the given rate, so it must be followed by a matching DROP rule or the excess simply continues down the chain (and is let through by a default ACCEPT policy); and the limit match counts packets, not bytes, with one shared token bucket per rule rather than one bucket per address.
Limit the traffic forwarded to one IP to roughly 1000KB/s (8Mbps of inbound bandwidth for that host, i.e. the speed wget would see on the server or VPS that holds this IP). Because the limit is in packets, 700/s is an approximation that assumes full-size packets of about 1500 bytes; for a real byte-accurate shaper use tc instead:
iptables -A FORWARD -m limit -d 208.8.14.53 --limit 700/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -d 208.8.14.53 -j DROP
Remove the limit (delete both rules with -D, using exactly the arguments they were added with):
iptables -D FORWARD -m limit -d 208.8.14.53 --limit 700/s --limit-burst 100 -j ACCEPT
iptables -D FORWARD -d 208.8.14.53 -j DROP
Limit the traffic forwarded to one IP to roughly 2000KB/s (16Mbps inbound for that host, again what wget on the server or VPS holding this IP would see), with the same packet-size assumption:
iptables -A FORWARD -m limit -d 208.8.14.53 --limit 1400/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -d 208.8.14.53 -j DROP
Remove restrictions:
iptables -D FORWARD -m limit -d 208.8.14.53 --limit 1400/s --limit-burst 100 -j ACCEPT
iptables -D FORWARD -d 208.8.14.53 -j DROP
To limit the rate at which one IP sends (the speed visitors see when downloading from a site on that IP), match the source address instead (--limit-burst is omitted here, so the default burst of 5 applies):
iptables -A FORWARD -s 208.8.14.36 -m limit --limit 700/s -j ACCEPT
iptables -A FORWARD -s 208.8.14.36 -j DROP
Two-way restriction:
iptables -A FORWARD -m limit -d 208.8.14.53 --limit 2400/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -d 208.8.14.53 -j DROP
iptables -A FORWARD -m limit -s 208.8.14.53 --limit 2400/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -s 208.8.14.53 -j DROP
General introduction to the iptables limit match (ctohome.com)
The limit match limits the frequency, or rate, at which packets match. Read that carefully: it limits the rate of matching. The word "limit" is often misread as "restrict"; it should be read as "match at a given rate". Whether a matched packet is dropped or let through is decided by the -j target that follows. limit is only a match module: its job is matching, and its matching method is a bounded rate.
Using the limit module with an ACCEPT target, --limit 300/s hands out a token roughly every 3.3 ms; a packet that finds a token available is accepted. A packet that finds no token is not queued by netfilter: the match simply fails and the packet continues to the next rule, usually the DROP that follows. TCP retransmits the dropped segments, so a connection slows down rather than breaking, which is why this does not cause the so-called "disconnection".
The following two rules rate-limit ICMP with a burst allowance:
iptables -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
The first rule accepts ping packets at one per second after an initial burst of 10 (the bucket holds 10 tokens and refills one per second); the second rule drops whatever exceeds that.
IP fragments can be limited the same way, allowing only 100 fragments per second, to blunt fragment-flood DoS attacks. -f matches second and later fragments of a datagram, and as with the rules above the ACCEPT should be followed by a DROP for the excess:
iptables -A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
The following, from ctohome.com, describes the limit module of iptables in more detail:
Limit incoming ping (echo-request) speed
Before the rule is added, pinging every 0.2 seconds gets a reply every 0.2 seconds:
ping your.linux.ip -i 0.2
Accept only one ICMP echo-request packet per second:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
--limit 1/s means once per second; 1/m means once per minute
--limit-burst is the maximum number of packets that may match in a burst before the rate applies (the size of the token bucket; default 5)
Pinging every 0.2 seconds now gets a reply only once per second:
ping your.linux.ip -i 0.2
The following rules achieve the same thing (one echo-request per second) with a user-defined chain:
iptables -N pinglimit
iptables -A pinglimit -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A pinglimit -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j pinglimit
Limit ssh connection frequency
Create a user-defined chain that allows one new TCP connection per minute and logs anything beyond that (via syslog, typically to /var/log/messages). Note that the limit bucket is shared by every source address, so a single attacker sending SYNs can exhaust it and legitimate clients that are not in the trusted range below get dropped too; for a per-source bucket use -m hashlimit with --hashlimit-mode srcip. (The state match is an alias of -m conntrack --ctstate on current iptables.)
iptables -N ratelimit
iptables -A ratelimit -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ratelimit -p tcp --syn -m limit --limit 1/m --limit-burst 1 -j ACCEPT
iptables -A ratelimit -p tcp -j LOG --log-level notice --log-prefix "[RATELIMIT] "
iptables -A ratelimit -p tcp -j DROP
Reference the custom chain from INPUT to limit ssh (tcp port 22) connection frequency. Trusted sources (here 192.168.0.0/16) are accepted first and are not restricted:
iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ratelimit
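To make the token-bucket behaviour described in the limit introduction concrete, and to replay the echo-request rules and the ratelimit chain above against a stream of packets, here is a Python model written for this edit (example code, not anything from ctohome.com or the iptables project). It assumes the usual token-bucket reading of xt_limit (the kernel keeps integer credits in user-HZ units; the model uses exact Fractions with the same semantics), and the SSH packet list is constructed for the demonstration using the documentation addresses 203.0.113.10 and 198.51.100.7. The HashLimitMatch class is a simplified stand-in for -m hashlimit --hashlimit-mode srcip.

```python
"""Token-bucket model of the iptables 'limit' match, replaying the rules on
this page against constructed packet timestamps.  Added example, not code
from ctohome.com; xt_limit keeps integer credits, but the behaviour is the
same token bucket modelled here with exact Fractions."""

from collections import defaultdict
from fractions import Fraction


class LimitMatch:
    """'-m limit --limit RATE/s --limit-burst BURST'.

    One bucket per rule, shared by every source address.  It starts full
    with BURST tokens, refills at RATE tokens per second up to BURST, and a
    packet matches only if a whole token is available.  A packet that finds
    the bucket empty is not queued: the match fails and the packet falls
    through to the next rule in the chain (a DROP on this page).
    """

    def __init__(self, rate_per_sec, burst=5):   # --limit-burst defaults to 5
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last_ms = None

    def matches(self, now_ms, src=None):          # src is ignored: global bucket
        if self.last_ms is not None:
            refill = Fraction(now_ms - self.last_ms, 1000) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms                     # xt_limit updates prev on every packet
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class HashLimitMatch:
    """Simplified '-m hashlimit --hashlimit-mode srcip': one bucket per source
    address, so one noisy client cannot exhaust the bucket for everyone else."""

    def __init__(self, rate_per_sec, burst=5):
        self.buckets = defaultdict(lambda: LimitMatch(rate_per_sec, burst))

    def matches(self, now_ms, src):
        return self.buckets[src].matches(now_ms)


def ping_verdicts(rate_per_sec, burst, interval_ms=200, duration_s=5):
    """The page's echo-request pair (limit ... -j ACCEPT, then -j DROP) fed a
    'ping -i 0.2' stream.  Returns one verdict per packet."""
    rule = LimitMatch(rate_per_sec, burst)
    return ["ACCEPT" if rule.matches(t) else "DROP"
            for t in range(0, duration_s * 1000, interval_ms)]


# Constructed SSH traffic for the 'ratelimit' chain: (time_ms, source, state).
# Two clients; 203.0.113.10 already has one established session.
SSH_PACKETS = [
    (0,     "203.0.113.10", "SYN"),
    (5000,  "203.0.113.10", "ESTABLISHED"),
    (10000, "198.51.100.7", "SYN"),
    (30000, "203.0.113.10", "SYN"),
    (71000, "198.51.100.7", "SYN"),
]


def ratelimit_chain(packets, per_source=False):
    """Replay the page's chain: ESTABLISHED,RELATED -> ACCEPT; SYN -> limit
    1/m burst 1 -> ACCEPT; everything else -> LOG then DROP.  per_source=True
    swaps the global limit for the hashlimit-style per-address bucket."""
    one_per_minute = Fraction(1, 60)
    match = HashLimitMatch(one_per_minute, 1) if per_source else LimitMatch(one_per_minute, 1)
    verdicts, log = [], []
    for t, src, state in packets:
        if state in ("ESTABLISHED", "RELATED"):
            verdicts.append("ACCEPT")
        elif match.matches(t, src):
            verdicts.append("ACCEPT")
        else:
            log.append(f"[RATELIMIT] t={t}ms SRC={src} SYN")  # what -j LOG would record
            verdicts.append("DROP")
    return verdicts, log


if __name__ == "__main__":
    v = ping_verdicts(1, 1)
    print("1/s burst 1, ping -i 0.2:", v.count("ACCEPT"), "of", len(v), "answered")
    v = ping_verdicts(1, 10)
    print("1/s burst 10:", v.count("ACCEPT"), "of", len(v), "answered; first drop at packet", v.index("DROP"))
    for mode in (False, True):
        verdicts, log = ratelimit_chain(SSH_PACKETS, per_source=mode)
        print("per-source" if mode else "global    ", verdicts, len(log), "logged")
```

Two things the model shows that the rules alone do not: with --limit 1/s --limit-burst 10 a ping every 0.2 seconds gets 12 replies, not 10, before the first drop, because tokens keep refilling during the burst; and with the global 1/m bucket the second client's first SYN at 10 s is dropped and logged purely because another client connected first, while the per-source variant accepts it.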
sshd_config settings worth pairing with this:
· LoginGraceTime 30: the client has 30 seconds to finish authenticating before the connection is closed
· MaxAuthTries 2: at most 2 authentication attempts per connection (failures are logged once half that number is reached)
Supplement: removing a custom chain. List INPUT with rule numbers, delete the rule that jumps to ratelimit (n is its number in the listing), then flush and delete the chain; -X fails while the chain still holds rules or is still referenced from another chain:
iptables -L INPUT -n --line-numbers
iptables -D INPUT n
iptables -F ratelimit
iptables -X ratelimit