Rate limiting using iptables
We can limit the rate of network communication using iptables, both to protect against flood attacks and to regulate network usage.
To protect against ping flood attacks
We can use the 'limit' module of iptables to protect against ping flood attacks:
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP
Note that the above rules protect only against ping (echo-request) floods. To protect against generic ICMP floods, remove the constraint '--icmp-type echo-request'. This is only good enough to protect against attacks from a single PC. If the flood comes from multiple sources or is generated by dedicated hardware, this configuration may not be enough.
This configuration will also deny service to legitimate users while under attack, even from a single source, because we are limiting by protocol without considering the source address of the packet.
To control network usage
We can prevent abuse of network resources by rate limiting them with iptables.
-A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 4/second --limit-burst 12 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 1/minute --limit-burst 1 -j LOG
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP
In the above example we are limiting outgoing connections to port 80. This is useful when we can't completely block outgoing connections, say because of updates, but we do not want the machine to become a channel through which people start browsing the net or downloading files.
The limit module can also be used to rate limit incoming traffic for performance reasons.
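The following script is an added example, not part of the original page: it generates the ping-flood and port-80 rule sets described above, but keys the ICMP limit on the source address with the 'hashlimit' match (so a single flooding host exhausts only its own bucket instead of starving everyone, which is the weakness noted earlier), and matches only SYN packets for port 80 so that established downloads are not throttled packet by packet. The rule names, log prefixes and the 'apply' helper are the example's own choices; rates and bursts are the page's values.

```shell
#!/bin/sh
# Added example: per-source ICMP limiting with hashlimit and SYN-only HTTP limiting.
# Prints iptables-restore style rules; apply_rules loads them with iptables (needs root).

ICMP_RATE="60/minute"; ICMP_BURST=120   # page's ping values
HTTP_RATE="4/second";  HTTP_BURST=12    # page's port-80 values

# Ping: ACCEPT within a per-source-IP bucket, LOG a sample of the excess, then DROP.
# hashlimit keyed on srcip replaces the protocol-wide 'limit' match.
icmp_rules() {
  base="-A INPUT -p icmp --icmp-type echo-request"
  echo "$base -m hashlimit --hashlimit-name ping --hashlimit-mode srcip" \
       "--hashlimit-upto $ICMP_RATE --hashlimit-burst $ICMP_BURST -j ACCEPT"
  echo "$base -m limit --limit 1/minute --limit-burst 2 -j LOG --log-prefix PING-FLOOD:"
  echo "$base -j DROP"
}

# Outgoing HTTP: --syn matches only new connection attempts; the page's original rules
# match every packet to port 80, so a single large download would also hit the limit.
http_rules() {
  base="-A OUTPUT -p tcp --dport 80 --syn"
  echo "$base -m limit --limit $HTTP_RATE --limit-burst $HTTP_BURST -j ACCEPT"
  echo "$base -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix HTTP-LIMIT:"
  echo "$base -j DROP"
}

# Number of rules a generator emits (used as a sanity check before applying).
rule_count() { "$1" | grep -c .; }

# Feed each generated line to iptables; word splitting of $line is intentional,
# which is why the log prefixes above contain no spaces.
apply_rules() {
  { icmp_rules; http_rules; } | while read -r line; do
    # shellcheck disable=SC2086
    iptables $line
  done
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  icmp_rules; http_rules
fi
```

Run without arguments to review the rules; run as root with 'apply' to load them.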