top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Limit based on req/sec and connections/sec plus accounting in IPTABLE

+2 votes
308 views

I am trying to limit the amount of connections/sec and requests/sec my server sends to a single destination IP. At the same time I am looking to account/poll periodically what those values are for statistics .

Is there a simple way I can accomplish this with iptables or some other feature in the linux kernel?

posted Aug 6, 2013 by Sumit Pokharna

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
+1 vote

I have a situation where I want to round-robin new http connections to different ports, but i'm finding that the following is resulting in a significant amount "falling through" to my catch-all on port 9000, rather than being evenly distributed across 8080-8084.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 1 -j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 2 -j REDIRECT --to-port 8082
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 3 -j REDIRECT --to-port 8083
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 4 -j REDIRECT --to-port 8084
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000

it's about 80-20, where 80% are evenly distributed amongst 8080-8084 and 20% are winding up on 9000.

I'd prefer 100% evenly distributed on 8080-8084 and none on 9000. I put 9000 there as a catch-all "hack" because i found connections were failing to be caught by the 8080-8084 range.

0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

+2 votes

Does the rule 'iptables -I INPUT -m state --state INVALID -j DROP' get rid of those scans? Also, what exactly does INVALID match?

+2 votes

I have an application that is listening only on the loopback by default, on port 8100.
Is there any way i can use iptables to make this accessible from outside?

+1 vote

I am trying to use byte counters to know how much total data is transferred from an IP. However, simple test with ping shows that it counts 14 bytes less, probably ignoring later 2 header.

Is my understanding correct or am I missing something in this?

...