Linux Netfilter discussions
* rate limit by MAC
@ 2009-07-01 11:04 Самусенко Андрей
  2009-07-01 11:48 ` Richard Horton
  0 siblings, 1 reply; 7+ messages in thread
From: Самусенко Андрей @ 2009-07-01 11:04 UTC (permalink / raw)
  To: netfilter

Hi!

Can iptables limit rate by MAC? I think not.

What on Linux can do what I need?



* Re: rate limit by MAC
  2009-07-01 11:04 rate limit by MAC Самусенко Андрей
@ 2009-07-01 11:48 ` Richard Horton
  2009-07-01 13:19   ` Самусенко Андрей
  2009-07-01 15:44   ` Jorge Bastos
  0 siblings, 2 replies; 7+ messages in thread
From: Richard Horton @ 2009-07-01 11:48 UTC (permalink / raw)
  To: netfilter

2009/7/1 Самусенко Андрей <samusenko@msm.ru>:
> Hi!
>
> Can iptables limit rate by MAC? I think not.
>
> What on Linux can do what I need?
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

You might be able to...

    iptables -A FORWARD -m mac --mac-source <<mac address>> -m limit --limit 100/s -j ACCEPT

would restrict the given MAC address to 100 packets per second... but
depending on how many MAC addresses you have it might be too much to
enter each rule...

The hashlimit might be better if you can use ip addresses instead of
mac addresses.

--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
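
Added example, not part of Richard Horton's message: a shell sketch that prints the per-MAC limit rules from a list instead of typing each one, pairs every limited ACCEPT with a DROP for the excess, and shows the single hashlimit rule keyed on source IP. The chain name MACLIMIT, the hashlimit name per_src and the sample MAC list are constructed for illustration.

```shell
#!/bin/sh
# Added example: print (do not apply) per-MAC packet-rate rules for review.
# MACLIMIT, per_src and SAMPLE_MACS are constructed names/values.
RATE="100/s"   # packets per second, the figure used in the thread

# Accept only xx:xx:xx:xx:xx:xx so a list entry cannot smuggle in options.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Read one MAC per line on stdin, write iptables commands to stdout.
gen_mac_rules() {
    echo "iptables -N MACLIMIT"
    echo "iptables -A FORWARD -j MACLIMIT"
    while IFS= read -r mac; do
        case "$mac" in ''|'#'*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "skipped invalid entry: $mac" >&2
            continue
        fi
        # The limit match only decides whether the rule matches; packets over
        # the rate fall through, so a second rule drops them for this MAC.
        echo "iptables -A MACLIMIT -m mac --mac-source $mac -m limit --limit $RATE -j ACCEPT"
        echo "iptables -A MACLIMIT -m mac --mac-source $mac -j DROP"
    done
}

# hashlimit alternative: a single rule keeping one bucket per source IP.
gen_hashlimit_rule() {
    echo "iptables -A FORWARD -m hashlimit --hashlimit-name per_src" \
         "--hashlimit-mode srcip --hashlimit-above $RATE -j DROP"
}

# Constructed sample list: two valid MACs, a comment, one malformed entry.
SAMPLE_MACS='00:11:22:33:44:55
# lab switch port 3
not-a-mac; -j ACCEPT
66:77:88:99:AA:BB'

printf '%s\n' "$SAMPLE_MACS" | gen_mac_rules
gen_hashlimit_rule
```

The mac match only sees the source address of the last Ethernet hop, so these rules are meaningful only on the router directly attached to the clients' segment.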


* Re: rate limit by MAC
  2009-07-01 11:48 ` Richard Horton
@ 2009-07-01 13:19   ` Самусенко Андрей
  2009-07-01 15:44   ` Jorge Bastos
  1 sibling, 0 replies; 7+ messages in thread
From: Самусенко Андрей @ 2009-07-01 13:19 UTC (permalink / raw)
  To: Richard Horton; +Cc: netfilter

Thank you, Richard.
I didn't know about the MAC changing on each router.
My question makes no sense.
How do I fight IP spoofing? =)

Richard Horton wrote:
> 2009/7/1 Самусенко Андрей <samusenko@msm.ru>:
>   
>> Hi!
>>
>> Can iptables limit rate by MAC? I think not.
>>
>> What on Linux can do what I need?
>>
>
> You might be able to...
>
> iptables -A FORWARD -m mac --mac-source <<mac address>> -m limit
> --limit 100/s -j ACCEPT would restrict the given mac address to 100
> packets per second... but depending on how many mac addresses you have
> it might be too much to enter each rule...
>
> The hashlimit might be better if you can use ip addresses instead of
> mac addresses.


* Re: rate limit by MAC
  2009-07-01 11:48 ` Richard Horton
  2009-07-01 13:19   ` Самусенко Андрей
@ 2009-07-01 15:44   ` Jorge Bastos
  2009-07-01 16:19     ` Покотиленко Костик
  1 sibling, 1 reply; 7+ messages in thread
From: Jorge Bastos @ 2009-07-01 15:44 UTC (permalink / raw)
  To: Richard Horton; +Cc: netfilter

> You might be able to...
>
> iptables -A FORWARD -m mac --mac-source <<mac address>> -m limit
> --limit 100/s -j ACCEPT would restrict the given mac address to 100
> packets per second... but depending on how many mac addresses you have
> it might be too much to enter each rule...

Seeing this thread,
Iptables doesn't (still) have the capacity to do rate limiting by itself,
does it?

Jorge,



* Re: rate limit by MAC
  2009-07-01 15:44   ` Jorge Bastos
@ 2009-07-01 16:19     ` Покотиленко Костик
  2009-07-01 17:54       ` Jorge Bastos
  0 siblings, 1 reply; 7+ messages in thread
From: Покотиленко Костик @ 2009-07-01 16:19 UTC (permalink / raw)
  To: Jorge Bastos; +Cc: Richard Horton, netfilter

On Wed, 01/07/2009 at 16:44 +0100, Jorge Bastos wrote:
> > You might be able to...
> >
> > iptables -A FORWARD -m mac --mac-source <<mac address>> -m limit
> > --limit 100/s -j ACCEPT would restrict the given mac address to 100
> > packets per second... but depending on how many mac addresses you have
> > it might be too much to enter each rule...
> 
> Seeing this thread,
> Iptables doesn't (still) have the capacity to do rate limiting by itself,
> does it?

Depends on what the "rate" is, packets/time - yes, bytes/time - no.

-- 
Покотиленко Костик <casper@meteor.dp.ua>



* Re: rate limit by MAC
  2009-07-01 16:19     ` Покотиленко Костик
@ 2009-07-01 17:54       ` Jorge Bastos
  2009-07-02  8:33         ` Покотиленко Костик
  0 siblings, 1 reply; 7+ messages in thread
From: Jorge Bastos @ 2009-07-01 17:54 UTC (permalink / raw)
  To: Покотиленко Костик
  Cc: Jorge Bastos, Richard Horton, netfilter

>> Seeing this thread,
>> Iptables doesn't (still) have the capacity to do rate limiting by itself,
>> does it?
>
> Depends on what the "rate" is, packets/time - yes, bytes/time - no.
>
Sorry, forgot to specify.
It's bytes.
Oh I see, I use "tc", no problem about it; maybe in the future netfilter
will have this built in and simpler than the tc/iproute tools.

Jorge,



* Re: rate limit by MAC
  2009-07-01 17:54       ` Jorge Bastos
@ 2009-07-02  8:33         ` Покотиленко Костик
  0 siblings, 0 replies; 7+ messages in thread
From: Покотиленко Костик @ 2009-07-02  8:33 UTC (permalink / raw)
  To: Jorge Bastos; +Cc: Richard Horton, netfilter

On Wed, 01/07/2009 at 18:54 +0100, Jorge Bastos wrote:
> >> Seeing this thread,
> >> Iptables doesn't (still) have the capacity to do rate limiting by itself,
> >> does it?
> >
> > Depends on what the "rate" is, packets/time - yes, bytes/time - no.
> >
> Sorry, forgot to specify.
> It's bytes.
> Oh I see, I use "tc", no problem about it; maybe in the future netfilter
> will have this built in and simpler than the tc/iproute tools.

That's a big question. Those two are too different.

-- 
Покотиленко Костик <casper@meteor.dp.ua>

