IPTables Traffic Quota – Setting Up Traffic Quota on Linux

debian, iptables, linux, quota, traffic

I've been trying to set up traffic quotas for users on a shared server and I believe [with my limited knowledge] that iptables --quota and ports which have been selected for each user [--dport] is the way to do this…

iptables -A OUTPUT -p tcp -m multiport --dports 1,2,3,4… -m quota --quota 123412341234 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 1,2,3,4… -j DROP

I think something like this would work to limit the traffic [and reset every month] but it's only for traffic going out.

  • Is there something I could do to combine -A OUTPUT and -A INPUT into one quota?
  • Or, is there a different method I could use to achieve the same thing more efficiently?

OS is Debian Squeeze.

Thanks.

Best Answer

If you want to apply quota to both incoming and outgoing, you'd do it like this:

-A OUTPUT -p tcp --sport $PORTNUM_1 -g filter_quota_1
-A OUTPUT -p tcp --sport $PORTNUM_2 -g filter_quota_2
<other OUTPUT rules for other users>
-A INPUT  -p tcp --dport $PORTNUM_1 -g filter_quota_1
-A INPUT  -p tcp --dport $PORTNUM_2 -g filter_quota_2
<other INPUT rules>
-A filter_quota_1 -m quota --quota $QUOTA_1 -g chain_where_quota_not_reached
-A filter_quota_1 -g chain_where_quota_is_reached
-A filter_quota_2 -m quota --quota $QUOTA_2 -g chain_where_quota_not_reached
-A filter_quota_2 -g chain_where_quota_is_reached
<other filter_quota_N chains>

When you want to reset quota #N, you'd do iptables -F filter_quota_N and then re-populate filter_quota_N.

Since the rules are mostly similar, you really should consider automation with bash (or another scripting language of your choice).
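As an added illustration of the chain layout above (not part of the original answer): a POSIX shell script that generates the complete rule set in iptables-restore format from a small user table, and emits the per-user monthly reset commands. The user table, the chain names quota_ok and quota_exceeded, and the LOG prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the answer's own code): generate the per-user quota
# chain layout from the answer as an iptables-restore rule set, and emit the
# monthly reset commands for one user. The user table, the chain names
# quota_ok / quota_exceeded and the log prefix are assumptions for this example.

# Constructed table: "<name> <tcp port> <quota in bytes>", one user per line.
USERS='alice 2201 1073741824
bob 2202 536870912'

# The two rules of one user's chain. Because INPUT and OUTPUT both jump here,
# the single -m quota counter covers traffic in both directions: it matches
# until $bytes have passed, then stops matching and the fallback rule sends
# everything to quota_exceeded.
quota_chain_rules() {
    name=$1; bytes=$2
    printf '%s\n' "-A filter_quota_$name -m quota --quota $bytes -g quota_ok"
    printf '%s\n' "-A filter_quota_$name -g quota_exceeded"
}

# Complete *filter table for iptables-restore (loaded atomically).
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':quota_ok - [0:0]' ':quota_exceeded - [0:0]'
    # Chains must be declared before any rule references them.
    echo "$USERS" | while read -r name port bytes; do
        printf '%s\n' ":filter_quota_$name - [0:0]"
    done
    # Dispatch: the server-side port identifies the user in both directions.
    echo "$USERS" | while read -r name port bytes; do
        printf '%s\n' "-A OUTPUT -p tcp --sport $port -g filter_quota_$name"
        printf '%s\n' "-A INPUT  -p tcp --dport $port -g filter_quota_$name"
    done
    echo "$USERS" | while read -r name port bytes; do
        quota_chain_rules "$name" "$bytes"
    done
    # Terminal chains: under quota accept; over quota log (rate-limited) then drop.
    printf '%s\n' '-A quota_ok -j ACCEPT'
    printf '%s\n' '-A quota_exceeded -m limit --limit 1/min -j LOG --log-prefix "quota exceeded: "'
    printf '%s\n' '-A quota_exceeded -j DROP'
    printf '%s\n' 'COMMIT'
}

# Monthly reset for one user: flushing the chain discards its quota counter,
# then the two rules are re-added, exactly as the answer describes.
reset_commands() {
    name=$1; bytes=$2
    printf '%s\n' "iptables -F filter_quota_$name"
    quota_chain_rules "$name" "$bytes" | sed 's/^/iptables /'
}

# Usage: sh quota-rules.sh > quota.rules && iptables-restore < quota.rules
#        reset_commands alice 1073741824 | sh      (e.g. from a monthly cron job)
gen_ruleset
```

Generating the file and loading it with iptables-restore replaces the table atomically, so a half-applied rule set never exists, and the generated text can be kept in version control and diffed. The rate-limited LOG rule in quota_exceeded gives you a syslog record of which user ran out, which is the signal you want for monitoring rather than silent drops. Note that the quota counter lives only in the kernel: a reboot or a flush resets it, so if you need accounting that survives reboots you have to save the counters (for example from iptables-save -c) yourself.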
