Re: per source bandwidth limit with hashlimit

I found my mistake.

I thought it was connection-based. I was wrong.
The hashlimit works on the packet direction.
I fixed this problem (-d 192.168.59.0/24 and --hashlimit-mode dstip).

Thanks.

Fatih USTA

On 07-03-2017 15:47, Fatih USTA wrote:
Hi

I tried to use hashlimit to limit the bandwidth for each IP address on the 192.168.59.0/24 network, but it did not work with a specified network address or protocol.

[~]# uname -r
4.4.0-64-generic

[~]# iptables -V
iptables v1.6.0

[~]# lsmod | grep -i hashlimit
xt_hashlimit           20480  2
x_tables 36864 6 ip_tables,xt_tcpudp,xt_nat,xt_hashlimit,iptable_filter,iptable_mangle



This command is working, with the tcp protocol:

iptables -t mangle -I PREROUTING -m tcp -p tcp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN


These commands are not working.

Without the tcp protocol:

iptables -t mangle -I PREROUTING -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN

or with the udp protocol:

iptables -t mangle -I PREROUTING -m udp -p udp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN

or, not working with a source network:

iptables -t mangle -I PREROUTING -s 192.168.59.0/24 -p tcp -m tcp -m hashlimit --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN

and with hashlimit-srcmask:

iptables -t mangle -I PREROUTING -s 192.168.59.0/24 -p tcp -m tcp -m hashlimit --hashlimit-srcmask 32 --hashlimit-above 50kb/sec --hashlimit-burst 50kb --hashlimit-mode srcip --hashlimit-name persource -j DROP
iptables -t mangle -A PREROUTING -j RETURN


Do you have any idea about this case?

Thanks.
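
The fix described in the reply (match on `-d` and hash on `dstip`), written out for both traffic directions. This is an added example and not part of the original messages; the function names, the `up`/`down` labels and the `per_host_*` table names are assumptions made for illustration.

```shell
#!/bin/sh
# hashlimit evaluates each packet on its own, not the connection, so the
# hash key must be the LAN host's address as it appears in packets of the
# direction being limited.

TABLE="${TABLE:-mangle}"      # table and chain used in the thread
CHAIN="${CHAIN:-PREROUTING}"

# hashlimit_rule <up|down> <lan-cidr> <rate> <burst>
# Prints the iptables command that limits one direction per LAN host.
hashlimit_rule() {
    dir=$1 net=$2 rate=$3 burst=$4
    case "$dir" in
        up)   match="-s $net"; mode=srcip ;;  # LAN host is the packet source
        down) match="-d $net"; mode=dstip ;;  # LAN host is the packet destination
        *)    echo "direction must be up or down" >&2; return 2 ;;
    esac
    # One hashlimit table per direction so the two modes never share state.
    echo "iptables -t $TABLE -I $CHAIN $match -m hashlimit" \
         "--hashlimit-above $rate --hashlimit-burst $burst" \
         "--hashlimit-mode $mode --hashlimit-name per_host_$dir -j DROP"
}

# install_limits <lan-cidr> <rate> <burst>
# Dry run by default: prints both rules. Set APPLY=1 (as root) to install.
install_limits() {
    for dir in up down; do
        cmd=$(hashlimit_rule "$dir" "$1" "$2" "$3") || return
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# Values taken from the thread.
install_limits 192.168.59.0/24 50kb/sec 50kb
```

On a box that also performs source NAT, reply packets still carry the router's public destination address in mangle PREROUTING, so the download rule would need `CHAIN=FORWARD` there.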


