* Can i have a rate limit per source IP Address in IPSet?
@ 2006-10-05  7:06 Retesh Chadha
  2006-10-05  7:51 ` Deti Fliegl
  0 siblings, 1 reply; 7+ messages in thread
From: Retesh Chadha @ 2006-10-05  7:06 UTC (permalink / raw)
  To: netfilter-devel

I have the following questions regarding iptables:

1. Say I have 2 IPs in one IPset, and a rate limiting rule as follows:

ipset -N KNOWN iphash
ipset -A KNOWN 192.168.1.89
ipset -A KNOWN 192.168.3.114
iptables -A INPUT_CHAIN -m set --set KNOWN src -m limit --limit 100/second --limit-burst 5 -j ACCEPT

I have observed that the rate limit is the cumulative limit, and not per IP.
Is it possible to have a limit of, say, 100pps from each IP in the KNOWN IPset?

2. Is there a limit on the number of IPs in an ipset?

3. I have observed that the limit rate in a rule can be as much as
10000 packets per second. If, say, I am using an ipset with 1000 elements
and the rate limit 10000 pps (which is a limitation and also
cumulative), then effectively the per-IP limit becomes 10pps, which causes
the problem. Any clue how to solve this?

Thanks & Regards
Retesh Chadha


* Re: Can i have a rate limit per source IP Address in IPSet?
From: Deti Fliegl @ 2006-10-05  7:51 UTC (permalink / raw)
  To: Retesh Chadha; +Cc: netfilter-devel

Hi,

Better use the 'hashlimit' match for your purpose. Example:

iptables --append FORWARD --match hashlimit --hashlimit 1/s --hashlimit-mode srcip --jump ACCEPT

This would limit the number of requests from a specific IP address to
1 per second.

Regards,

Deti


* Re: Can i have a rate limit per source IP Address in IPSet?
From: Deti Fliegl @ 2006-10-05  9:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Retesh Chadha

Retesh Chadha wrote:
> What is hashlimit-name supposed to be?
> Can you send me a sample of this file?
The hashlimit match is part of the standard 2.6 kernel. For further
documentation see
http://www.netfilter.org/patch-o-matic/pom-submitted.html#pom-submitted-hashlimit

Deti


* Re: Can i have a rate limit per source IP Address in IPSet?
From: Deti Fliegl @ 2006-10-05 10:13 UTC (permalink / raw)
  Cc: netfilter-devel, Retesh Chadha

Retesh Chadha wrote:
> But this page doesn't contain what should be kept in the foo file. I
> don't have a sample of the same as well.
Oh well... for example, if you set '--hashlimit-name foo', a
corresponding '/proc/net/ipt_hashlimit/foo' file will be created
automatically with the first hashlimit match rule in your ruleset. These
files are not writable, and normally there should be no need to look into
these files unless you are a very experienced user.

Deti


* Re: Can i have a rate limit per source IP Address in IPSet?
From: Deti Fliegl @ 2006-10-05 11:11 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Retesh Chadha

Retesh Chadha wrote:
> I get the following error when I do the same:
> 
> linux:~ # iptables -A INPUT --match hashlimit --hashlimit 1/s --hashlimit-mode srcip --hashlimit-name foo -j LOG
> iptables: No chain/target/match by that name
Make sure you have a kernel (~ >2.6.12) with
CONFIG_IP_NF_MATCH_HASHLIMIT enabled.


Deti


* Re: Can i have a rate limit per source IP Address in IPSet?
From: Retesh Chadha @ 2006-10-06  6:43 UTC (permalink / raw)
  To: Deti Fliegl; +Cc: netfilter-devel

Hi Deti,
Big thanks for your help. I was able to set a limit per destination IP.

I have another question though. I now need to set a limit per src/dst
pair, but I get a bad mode for hashlimit-mode srcipdstip.
I give the following command:

iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s --hashlimit-mode srcip-dstip --hashlimit-name foo -m set --set KNOWN src,dst -j ACCEPT

Thanks & Regards
Retesh Chadha


* Re: Can i have a rate limit per source IP Address in IPSet?
From: Deti Fliegl @ 2006-10-06  7:40 UTC (permalink / raw)
  To: Retesh Chadha; +Cc: netfilter-devel

Hi,

Retesh Chadha wrote:
> I have another question though. I now need to set a limit per src/dst
> pair, but I get a bad mode for hashlimit-mode srcipdstip.
> I give the following command:
> 
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s --hashlimit-mode srcip-dstip --hashlimit-name foo -m set --set KNOWN src,dst -j ACCEPT

There is a minor documentation bug: '--hashlimit-mode srcip,dstip'
should work for you.

Deti

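The two behaviours discussed in this thread, a single '-m limit' bucket shared by every packet versus a hashlimit bucket per srcip or per srcip,dstip pair, modelled as a token-bucket simulation. This is an added illustration, not code from the thread or from netfilter; the packet stream, the destination addresses 10.0.0.1/10.0.0.2 and the millisecond clock are constructed, and the rate/burst parameters mirror the 100/second, burst 5 rule quoted above.

```python
"""Token-bucket model of iptables '-m limit' (one bucket shared by all packets)
versus '-m hashlimit' (one bucket per key: srcip, or the srcip,dstip pair).
Added illustration for this thread; constructed inputs, not real traffic."""
from collections import defaultdict


class TokenBucket:
    """Admit at most `rate` packets per second, with `burst` packets of slack."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last_ms = float(burst), 0

    def allow(self, now_ms):
        # Refill in proportion to elapsed time (integer ms keeps this exact).
        refill = (now_ms - self.last_ms) * self.rate / 1000.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run(packets, rate, burst, key=None):
    """Return accepted-packet counts per source address (packets sorted by time).
    key=None                           models '-m limit' (one shared bucket)
    key=lambda p: p['src']             models 'hashlimit --hashlimit-mode srcip'
    key=lambda p: (p['src'], p['dst']) models '--hashlimit-mode srcip,dstip'
    """
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    accepted = defaultdict(int)
    for pkt in packets:
        if buckets[key(pkt) if key else None].allow(pkt["t"]):
            accepted[pkt["src"]] += 1
    return dict(accepted)


def constructed_stream(sources, pps, seconds, dsts=("10.0.0.1",)):
    """Constructed sample: every (src, dst) pair sends `pps` evenly spaced packets/s."""
    pkts = [{"t": i * 1000 // pps, "src": s, "dst": d}
            for s in sources for d in dsts for i in range(pps * seconds)]
    return sorted(pkts, key=lambda p: p["t"])  # stable: keeps src order per tick


if __name__ == "__main__":
    stream = constructed_stream(["192.168.1.89", "192.168.3.114"], 100, 2)
    print("-m limit, shared bucket:", run(stream, 100, 5))
    print("hashlimit srcip:        ", run(stream, 100, 5, key=lambda p: p["src"]))
```

With both set members sending 100 pps for 2 s, the shared bucket admits only 204 packets in total (rate plus burst), while per-srcip buckets admit all 200 from each source.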
