Linux Netfilter discussions
* limit HTTP-GET requests per IP
@ 2004-01-30 13:00 Nikolai Dahlem
From: Nikolai Dahlem @ 2004-01-30 13:00 UTC (permalink / raw)
  To: netfilter


Hi,

I've got a problem. Various people are stupidly trying to mirror my webserver
(wget and the like), which puts heavy load on it, due to the dynamic
generation of pages. Is there a way to specify a limit on requests per
second on an IP basis?
This is a public server, so a limit rule for each IP would be a bit too much
[2^32 too much ;-)]
One other idea is parsing the HTTP log and inserting rules dynamically.
Any suggestions on how to solve this?

regards

Nikolai



* Re: limit HTTP-GET requests per IP
From: Antony Stone @ 2004-01-30 15:23 UTC (permalink / raw)
  To: netfilter

On Friday 30 January 2004 1:00 pm, Nikolai Dahlem wrote:

> Hi,
>
> I got a problem. Various people are stupidly trying to mirror my webserver
> (wget and the like), which puts heavy load on it, due to the dynamic
> generation of pages. Is there a way to specify a limit on requests per
> second on an ip basis ?

I suggest you install Squid in Accelerator mode in front of the server and use 
the delay pools facility to limit bandwidth to groups of users.

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.
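As an added illustration of the setup Antony suggests (this is example configuration, not something posted in the thread): Squid as a reverse proxy ("accelerator") in front of the origin server, with a class 2 delay pool that gives every client IP its own token bucket. It assumes Squid 2.6 or later syntax, an origin server listening on 127.0.0.1:8080 and the hostname www.example.org; all three are placeholders.

```squid
# Example squid.conf fragment (not from the thread). Squid must be built with
# delay pools enabled (--enable-delay-pools on 2.x/3.0); assumed here.

# Reverse-proxy front end: Squid answers on port 80 and fetches from the
# origin server on 127.0.0.1:8080 (assumed addresses).
http_port 80 accel defaultsite=www.example.org
cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=origin

acl clients src all
cache_peer_access origin allow clients
http_access allow clients

# Delay pools. Class 2 = one aggregate bucket plus one bucket per client /32.
# delay_parameters <pool> <aggregate rate/max> <per-host rate/max>
# Rates are bytes per second, maxima are bucket sizes in bytes; -1/-1 = no limit.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 16000/128000
# Each IP may burst 128 KB, then is refilled at 16 KB/s; start buckets half full.
delay_initial_bucket_level 50
delay_access 1 allow clients
```

Note that a delay pool limits bytes per second, not requests per second: a crawler is slowed down in proportion to the page sizes it pulls, which is what makes a dynamic-page mirror expensive, but a burst of tiny requests is not counted as such.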

* IPP2P module not capturing p2p traffic at all,  but it seems to be working!!
From: GoMi @ 2004-01-30 17:42 UTC (permalink / raw)
  To: netfilter

Hi there folks :) I installed the ipp2p module v0.5a (I had 0.4 as well)
to classify p2p traffic.

I have it loaded and working:

Module                  Size  Used by    Not tainted
ipt_ipp2p               2656   2

And I have the CONNMARK module to mark traffic:

  iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
  iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2

  OTHER MARKING DONE FOR INTERACTIVE TRAFFIC

  iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
  iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

I have the qdiscs attached with HTB (working fine) and filters to
classify marks (also working)

But the outcome of an iptables -t mangle -L -n -v -x shows this for
ipp2p:

    pkts      bytes target     prot opt in     out     source               destination
   14097  4339998 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
   10067  4144428 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0
       6      504 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x4
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p MARK set 0x2
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p-data MARK set 0x2
      14      912 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 MARK set 0x1
     434    20812 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 MARK set 0x2
    3522   169036 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1024 MARK set 0x1
      10     2198 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:!53 MARK set 0x2
       5      240 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1863 MARK set 0x1
       0        0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1214 MARK set 0x2
       2       80 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 MARK set 0x5
     471    22600 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x2
    4030   195570 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Anyone with an idea why the hell it is not recognizing traffic at all??
Thank you!!
