Ubuntu – Limit number of incoming packets per second for a INPUT UDP port [per IP only, not globally] [Ubuntu IPTables]

connlimitfirewalliptablesrate-limitingUbuntu

I searched and I can't find a rule to limit the count of the incoming packets for a INPUT UDP port per second and per IP.

I need that per all IPs that connect to my socket, not for a specific one.

I'm using iptables on Ubuntu 14.0.4 LTS amd64.

I am familiar how UDP works. In my scenario someone can create great number of UDP sockets using different ports.

I need only one socket from a single IP can connect to my UDP port.

Is this possible with iptables? I know Netfilter and C++, can i do this with that?

Best Answer

Here is what you can do:

iptables -A INPUT -p udp -s 111.111.111.111 --dport 123 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

You need to have limit iptables extension. The example provided limits maximum 25 connection per minute. The limit-burst 100 indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

From the manual:

-s, --source address[/mask][,...]
              Source specification. Address can be either a network name, a hostname, a network IP address (with  /mask),  or  a  plain  IP
              address.  Hostnames  will be resolved once only, before the rule is submitted to the kernel.  Please note that specifying any
              name to be resolved with a remote query such as DNS is a really bad idea.  The mask can be either an ipv4 network  mask  (for
              iptables) or a plain number, specifying the number of 1's at the left side of the network mask.  Thus, an iptables mask of 24
              is equivalent to 255.255.255.0.  A "!" argument before the address specification inverts the sense of the address.  The  flag
              --src  is an alias for this option.  Multiple addresses can be specified, but this will expand to multiple rules (when adding
              with -A), or will cause multiple rules to be deleted (with -D).

Related Solutions

Iptables, NAT: avoiding limit on max number of requests per IP by using multiple IPs

For tight control, I'd try something along the lines of:

iptables -t nat -A POSTROUTING -s INT_SRC -d EXT_SERVICE --syn --limit MAXREQ/day -j SNAT --to-source EXT_IP1
...

(then I find that's what you already tried :p)

How about using:

iptables -t nat -A POSTROUTING -s INT_SRC -d EXT_SERVICE --syn -j SNAT --to-source EXT_IP_RANGE

Apparently that variant uses a simple round-robin algorithm - I'd try that. I hope your external IPs are in a single range :)

Can't just let further requests fail on their own? Given that you have very specific requirements, I'd probably:

add a --log to the rule
write a daemon that keeps track of the number of service connections made that day and inserts a rule into the FORWARD that drops further connections to that service
have the daemon remove that rule (if present) at midnight and reset its connection count

There doesn't seem to be anything that already exists to handle exactly what you want to do.

Linux – Should I rate-limit packets with iptables

A rate limit is not a prevention but rather an invitation to DoS - especially in the flavor presented above where packets are going to be dropped if a certain rate of unauthenticated packets without state information has been exceeded. Since everybody can forge packets (including source IP addresses) at this connection state without greater effort, a new DoS attack vector leveraging your rate limit facility will arise.

A rate limit generally will only make sense if you have

either a predictable hard or a soft connection limit in your configuration
set the rate limit for general traffic below this limit in order to be able to set up connections for priority or administrative traffic regardless of the load

While 1. often is hard enough to determine to even bother, 2. will obviously only work if you are able to reliably differentiate "priority or administrative" traffic from the rest upon connection setup - e.g. if it is coming through a different network interface.

In other cases, it would rather reduce your system's resiliency than add to it.

Best Answer

Related Solutions

Iptables, NAT: avoiding limit on max number of requests per IP by using multiple IPs

Linux – Should I rate-limit packets with iptables

Related Topic