From: "Nikolai Dahlem"
Subject: limit HTTP-GET requests per IP
Date: Fri, 30 Jan 2004 14:00:47 +0100
To: netfilter@lists.netfilter.org

Hi,

I got a problem. Various people are stupidly trying to mirror my webserver (wget and the like), which puts heavy load on it, due to the dynamic generation of pages. Is there a way to specify a limit on requests per second on an IP basis?

This is a public server, so a limit rule for each IP would be a bit too much [2^32 too much ;-)]

One other idea is parsing the HTTP log and inserting rules dynamically.

Any suggestions on how to solve this?

regards

Nikolai
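The "parse the HTTP log and insert rules dynamically" idea from the message above, worked through as an added example (editor's code, not from the thread or the netfilter project). Assumptions not in the original: the web server writes Apache/nginx common log format, iptables is reachable via subprocess as root, and the threshold (more than MAX_REQUESTS hits inside WINDOW_SECONDS) is a hypothetical tuning value. The sample log lines are constructed.

```python
"""Log-driven per-IP request limiter for netfilter.

Editor's added example, not code from the mailing-list thread.  Assumes the
common log format ("ip ident user [ts] \"request\" status size"), an iptables
binary on PATH, and hypothetical thresholds MAX_REQUESTS / WINDOW_SECONDS.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_REQUESTS = 10      # hypothetical: more than this many hits ...
WINDOW_SECONDS = 2     # ... inside a window this long gets the source banned
WEB_PORT = "80"

# First fields of the common log format: ip ident user [timestamp] "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class RateTracker:
    """Sliding-window request counter keyed by source IP.

    State exists only for addresses seen inside the current window, so the
    table grows with active clients, not with the 2^32 address space.
    """

    def __init__(self, max_requests=MAX_REQUESTS, window_seconds=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned = set()

    def feed(self, line):
        """Account one log line; return the IP if it just crossed the limit."""
        m = LOG_RE.match(line)
        if m is None:
            return None                  # unparsable line: ignore, never ban on it
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                  # drop hits that fell out of the window
        if len(q) > self.max_requests and ip not in self.banned:
            self.banned.add(ip)
            return ip
        return None

    def prune(self, now):
        """Forget addresses idle for longer than the window (bounds memory)."""
        idle = [ip for ip, q in self.hits.items() if now - q[-1] > self.window]
        for ip in idle:
            del self.hits[ip]


def ban_rule(ip, insert=True):
    """iptables argv that drops new TCP connections from ip to the web port.

    '-I' puts the rule at the top of INPUT so it precedes any ACCEPT rules;
    '-D' with the identical match list removes it again later.
    """
    return ["iptables", "-I" if insert else "-D", "INPUT",
            "-s", ip, "-p", "tcp", "--dport", WEB_PORT, "--syn", "-j", "DROP"]


def apply(argv, dry_run=True):
    """Run an iptables command (needs root); with dry_run only return it."""
    if not dry_run:
        subprocess.run(argv, check=True)
    return " ".join(argv)


# Constructed sample: one client hammering the server (a mirror run, 12 hits in
# two seconds) plus a normal visitor, plus a line that does not parse.
SAMPLE_LOG = [
    f'192.0.2.10 - - [30/Jan/2004:14:00:{s:02d} +0100] "GET /page{i}.php HTTP/1.0" 200 5120'
    for i, s in enumerate([47] * 6 + [48] * 6)
] + [
    '198.51.100.5 - - [30/Jan/2004:14:00:47 +0100] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.5 - - [30/Jan/2004:14:00:48 +0100] "GET /style.css HTTP/1.1" 200 300',
    'garbage line that does not parse',
]


def scan(lines, dry_run=True):
    """Feed lines through the tracker; return (banned ips, commands issued)."""
    tracker = RateTracker()
    commands = []
    for line in lines:
        ip = tracker.feed(line)
        if ip:
            commands.append(apply(ban_rule(ip), dry_run=dry_run))
    return sorted(tracker.banned), commands


if __name__ == "__main__":
    banned, cmds = scan(SAMPLE_LOG)
    print("banned:", banned)
    for c in cmds:
        print(c)
```

Run it against `tail -F` of the live log with `dry_run=False` and the ban lands in the kernel before the next request; keep the `ban_rule(ip, insert=False)` form around so bans expire instead of accumulating forever. Two caveats the thread does not mention: a single address can be a NAT gateway or proxy for many users, so a per-IP DROP punishes all of them; and on kernels that ship the `hashlimit` match the first-pass limiting can be done without any log parsing, e.g. `-p tcp --dport 80 --syn -m hashlimit --hashlimit-mode srcip --hashlimit-above 10/sec --hashlimit-name http -j DROP` (that rule is the editor's suggestion, not something from the thread, and assumes a hashlimit-capable kernel).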
From: Antony Stone
Subject: Re: limit HTTP-GET requests per IP
Date: Fri, 30 Jan 2004 15:23:31 +0000
Message-ID: <200401301523.31643.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

On Friday 30 January 2004 1:00 pm, Nikolai Dahlem wrote:
> Hi,
>
> I got a problem. Various people are stupidly trying to mirror my webserver
> (wget and the like), which puts heavy load on it, due to the dynamic
> generation of pages. Is there a way to specify a limit on requests per
> second on an ip basis ?

I suggest you install Squid in Accelerator mode in front of the server and use the delay pools facility to limit bandwidth to groups of users.

Antony.

--
Anyone that's normal doesn't really achieve much.
 - Mark Blair, Australian rocket engineer

Please reply to the list; please don't CC me.

From: "GoMi"
Subject: IPP2P module not capturing p2p traffic at all, but it seems to be working!!
Date: Fri, 30 Jan 2004 18:42:10 +0100
In-Reply-To: <200401301523.31643.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

Hi there folks :)

I installed the ipp2p module v0.5a (I had 0.4 as well) to classify p2p traffic.
I have it loaded and working:

Module                  Size  Used by    Not tainted
ipt_ipp2p               2656   2

And I have the CONNMARK module to mark traffic:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p-data -j MARK --set-mark 2
[OTHER MARKING DONE FOR INTERACTIVE TRAFFIC]
iptables -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

I have the qdiscs attached with HTB (working fine) and filters to classify marks (also working).

But the outcome of iptables -t mangle -L -n -v -x shows this for ipp2p:

    pkts      bytes target     prot opt in     out     source               destination
   14097    4339998 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
   10067    4144428 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match !0x0
       6        504 MARK       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x4
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p MARK set 0x2
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           ipp2p v0.5a --ipp2p-data MARK set 0x2
      14        912 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 MARK set 0x1
     434      20812 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 MARK set 0x1
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 MARK set 0x2
    3522     169036 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1024 MARK set 0x1
      10       2198 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:!53 MARK set 0x2
       5        240 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1863 MARK set 0x1
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1214 MARK set 0x2
       2         80 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 MARK set 0x5
     471      22600 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x0 MARK set 0x2
    4030     195570 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK save

Anyone with an idea why the hell it is not recognizing traffic at all??

Thank you!!
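A packet-by-packet trace of the mangle PREROUTING chain posted above, added by the editor as an example (it is not part of any message in the thread and not ipp2p code). It reproduces the rule order from the `iptables -L` output for the rules that a TCP flow to a high port can hit, models only the client-to-server packets of one connection, and uses a constructed stand-in signature for what `-m ipp2p` really matches. The reordered variant at the end is one possible arrangement suggested by the editor, not a fix from the thread.

```python
"""Trace GoMi's mangle PREROUTING chain with a model of one TCP connection.

Editor's added example.  Assumptions: only client->server packets are shown,
the icmp/udp/port-25/1863/1214 rules are omitted because a flow to port 6346
never matches them, and P2P_SIGNATURE is a constructed stand-in for the real
ipt_ipp2p pattern list.  What the model does share with the kernel: ipp2p
inspects TCP payload, so a SYN with no payload can never match it.
"""
from collections import Counter
from dataclasses import dataclass

P2P_SIGNATURE = b"GNUTELLA CONNECT/"     # constructed stand-in, not ipp2p's list


@dataclass
class Packet:
    dport: int
    payload: bytes = b""
    mark: int = 0                        # the per-packet nfmark


@dataclass
class Conn:
    ctmark: int = 0                      # the connmark stored in conntrack


def looks_p2p(pkt):
    """Stand-in for -m ipp2p: needs payload and matches on a signature."""
    return pkt.payload.startswith(P2P_SIGNATURE)


def rules_as_posted():
    """(counter name, match predicate, action) in the posted order.  Actions
    mirror the targets used: CONNMARK --restore-mark, ACCEPT,
    MARK --set-mark N, CONNMARK --save-mark."""
    return [
        ("CONNMARK restore", lambda c, p: True,            ("restore",)),
        ("ACCEPT mark!=0",   lambda c, p: p.mark != 0,     ("accept",)),
        ("ipp2p",            lambda c, p: looks_p2p(p),    ("mark", 2)),
        ("tcp dpt:80",       lambda c, p: p.dport == 80,   ("mark", 1)),
        ("tcp dpts:0:1024",  lambda c, p: p.dport <= 1024, ("mark", 1)),
        ("default mark 0",   lambda c, p: p.mark == 0,     ("mark", 2)),
        ("CONNMARK save",    lambda c, p: True,            ("save",)),
    ]


def rules_reordered():
    """Editor's suggestion: apply the catch-all default AFTER the save, so an
    unclassified connection keeps ctmark 0 and every later packet is still
    inspected until something specific (ipp2p or a port rule) fires."""
    r = rules_as_posted()
    default = r.pop(5)                   # "default mark 0"
    r.append(default)
    return r


def run_chain(rules, conn, pkt, counters):
    """Walk one packet through the chain the way the kernel would."""
    for name, match, action in rules:
        if not match(conn, pkt):
            continue
        counters[name] += 1
        if action[0] == "restore":
            pkt.mark = conn.ctmark
        elif action[0] == "accept":
            return                       # ACCEPT ends traversal of this chain
        elif action[0] == "mark":
            pkt.mark = action[1]
        elif action[0] == "save":
            conn.ctmark = pkt.mark


def trace(rules):
    """One Gnutella-style connection to port 6346; returns (counters, ctmark)."""
    conn = Conn()
    counters = Counter()
    flow = [
        Packet(dport=6346),                                          # SYN, no payload
        Packet(dport=6346),                                          # ACK, no payload
        Packet(dport=6346, payload=b"GNUTELLA CONNECT/0.6\r\n"),     # first data
        Packet(dport=6346, payload=b"more data"),
    ]
    for pkt in flow:
        run_chain(rules, conn, pkt, counters)
    return counters, conn.ctmark


if __name__ == "__main__":
    for label, rules in (("as posted", rules_as_posted()),
                         ("reordered", rules_reordered())):
        counters, ctmark = trace(rules)
        print(f"{label}: ipp2p hits={counters['ipp2p']}, "
              f"ACCEPT hits={counters['ACCEPT mark!=0']}, final ctmark={ctmark}")
```

With the posted order the SYN carries no payload, falls through to `MARK match 0x0 MARK set 0x2`, and that default is saved into the connmark; every following packet of the connection gets mark 2 restored and is ACCEPTed before the ipp2p rules are ever consulted, which is the pattern the counters above show (0 on both ipp2p rules, 471 on the catch-all, 10067 on the early ACCEPT). Moving the catch-all after the save, as in `rules_reordered`, keeps the per-packet default class but lets the payload packets reach ipp2p.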