* limit HTTP-GET requests per IP
@ 2004-01-30 13:00 Nikolai Dahlem
  2004-01-30 15:23 ` Antony Stone
  0 siblings, 1 reply; 3+ messages in thread
From: Nikolai Dahlem @ 2004-01-30 13:00 UTC (permalink / raw)
  To: netfilter

Hi,

I got a problem. Various people are stupidly trying to mirror my webserver
(wget and the like), which puts heavy load on it, due to the dynamic
generation of pages. Is there a way to specify a limit on requests per
second on an ip basis ?
This is a public server, so a limit rule for each ip would be a bit too much
[2^32 too much ;-)]
One other idea is parsing the http-log and inserting rules dynamically.
Any suggestions on how to solve this ?

regards

Nikolai
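
The log-parsing idea from the message above, as an added example that is not part of the original post: it scans access-log lines, flags IPv4 clients that exceed a GET rate, and renders (without executing) one iptables rule per offender. The function names, the thresholds, the Common Log Format input and the sample lines are assumptions made for the illustration; lines are assumed to arrive in timestamp order.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: client address, identity, user, [timestamp], "METHOD ..."
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ')

def find_offenders(lines, max_requests=5, window_seconds=1):
    """Return IPv4 addresses that sent more than max_requests GETs inside any
    sliding window of window_seconds (> 0), in order of first detection."""
    recent = defaultdict(deque)  # address -> timestamps still inside the window
    offenders = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "GET":
            continue
        try:
            # Validate the address before it can end up on a firewall command line.
            addr = str(ipaddress.IPv4Address(m.group(1)))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        except ValueError:
            continue  # malformed address or timestamp: ignore the line
        q = recent[addr]
        q.append(ts)
        while ts - q[0] >= window_seconds:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests and addr not in offenders:
            offenders.append(addr)
    return offenders

def drop_rules(addresses):
    """Render one iptables DROP rule per address; nothing is executed here."""
    return [f"iptables -I INPUT -s {a} -p tcp --dport 80 -j DROP" for a in addresses]

# Constructed sample log: 192.0.2.10 sends six GETs within one second,
# 198.51.100.7 browses at a normal pace, and one line has a bogus client field.
SAMPLE_LOG = [
    f'192.0.2.10 - - [30/Jan/2004:13:00:01 +0000] "GET /page{i} HTTP/1.0" 200 512'
    for i in range(6)
] + [
    '198.51.100.7 - - [30/Jan/2004:13:00:01 +0000] "GET / HTTP/1.0" 200 512',
    '198.51.100.7 - - [30/Jan/2004:13:00:09 +0000] "GET /about HTTP/1.0" 200 512',
    'not-an-ip - - [30/Jan/2004:13:00:09 +0000] "GET / HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for rule in drop_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```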


* Re: limit HTTP-GET requests per IP
  2004-01-30 13:00 limit HTTP-GET requests per IP Nikolai Dahlem
@ 2004-01-30 15:23 ` Antony Stone
  2004-01-30 17:42   ` IPP2P module not capturing p2p traffic at all, but it seems to be working!! GoMi
  0 siblings, 1 reply; 3+ messages in thread
From: Antony Stone @ 2004-01-30 15:23 UTC (permalink / raw)
  To: netfilter

On Friday 30 January 2004 1:00 pm, Nikolai Dahlem wrote:

> Hi,
>
> I got a problem. Various people are stupidly trying to mirror my webserver
> (wget and the like), which puts heavy load on it, due to the dynamic
> generation of pages. Is there a way to specify a limit on requests per
> second on an ip basis ?

I suggest you install Squid in Accelerator mode in front of the server and use 
the delay pools facility to limit bandwidth to groups of users.

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.




* IPP2P module not capturing p2p traffic at all,  but it seems to be working!!
  2004-01-30 15:23 ` Antony Stone
@ 2004-01-30 17:42   ` GoMi
  0 siblings, 0 replies; 3+ messages in thread
From: GoMi @ 2004-01-30 17:42 UTC (permalink / raw)
  To: netfilter

Hi there folks :) I installed the ipp2p module v0.5a (I had 0.4 as well)
to classify p2p traffic.

I have it loaded and working:

Module                  Size  Used by    Not tainted
ipt_ipp2p               2656   2

And I have the CONNMARK module to mark traffic:

  iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
  iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2

	OTHER MARKING DONE FOR INTERACTIVE TRAFFIC

  iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
  iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

I have the qdiscs attached with HTB (working fine) and filters to
classify marks (also working)

But the outcome of an iptables -t mangle -L -n -v -x shows this for
ipp2p:

    pkts      bytes target     prot opt in     out     source       destination
   14097  4339998 CONNMARK   all  --  *      *       0.0.0.0/0    0.0.0.0/0    CONNMARK restore
   10067  4144428 ACCEPT     all  --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match !0x0
       6      504 MARK       icmp --  *      *       0.0.0.0/0    0.0.0.0/0    MARK set 0x4
       0        0 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    ipp2p v0.5a --ipp2p MARK set 0x2
       0        0 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    ipp2p v0.5a --ipp2p-data MARK set 0x2
      14      912 MARK       udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:53 MARK set 0x1
     434    20812 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:80 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:25 MARK set 0x2
    3522   169036 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpts:0:1024 MARK set 0x1
      10     2198 MARK       udp  --  *      *       0.0.0.0/0    0.0.0.0/0    udp dpt:!53 MARK set 0x2
       5      240 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:1863 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp dpt:1214 MARK set 0x2
       2       80 MARK       tcp  --  *      *       0.0.0.0/0    0.0.0.0/0    tcp spt:80 MARK set 0x5
     471    22600 MARK       all  --  *      *       0.0.0.0/0    0.0.0.0/0    MARK match 0x0 MARK set 0x2
    4030   195570 CONNMARK   all  --  *      *       0.0.0.0/0    0.0.0.0/0    CONNMARK save

Anyone with an idea why the hell it is not recognizing traffic at all??
Thank you!!



