Use hashlimit in iptables for speed limit


hashlimit is a match module of iptables. Combined with the other iptables options, it can be used to implement rate limiting (note that the hashlimit module on its own cannot limit anything).

However, it must be made clear that hashlimit itself is only a "match" module. The basic principle of iptables is "match, then act": hashlimit can only do the matching part of that process; it cannot itself accept or drop packets. I have seen examples of hashlimit on the Internet that try to achieve rate limiting with a single iptables rule containing only the hashlimit match; that is wrong.

In fact, rate limiting with hashlimit takes two steps:

1. Accept the packets that the hashlimit rule matches.

2. Drop or reject the packets that were not accepted.

The following is a simple example:

iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit 5/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-htable-expire 90000 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

Next, let's focus on how the hashlimit module works.

hashlimit matching is based on the token bucket model. The token bucket is a common buffering principle in network communication. It has two important parameters: the bucket capacity n and the token generation rate s. Think of a token as a ticket and the token bucket as the administrator who creates and issues tickets; the administrator holds at most n tokens, and starts out with n. Every time a packet arrives, the administrator checks whether a token is available. If so, the token is handed to the packet and hashlimit tells iptables that the packet matched. Once the administrator has handed out every token, the next packet receives none, and the hashlimit module tells iptables that this packet did not match. Independently of issuing tokens, whenever the bucket holds fewer than n tokens, new tokens are generated at rate s until the count reaches n again. The token bucket mechanism therefore controls how many packets can pass (match) per unit of time, while still letting a short burst of packets through, as long as the burst does not exceed the bucket capacity n.

The hashlimit module provides two parameters, --hashlimit and --hashlimit-burst, which correspond to the token generation rate and the bucket capacity respectively. Besides the token bucket model, the other important concept in hashlimit matching is the matching item (the key). In hashlimit, each matching item has its own token bucket, so the match is calculated independently per item. The --hashlimit-mode parameter selects the matching item from four choices and their combinations: srcip (each source IP address is a matching item), dstip (each destination IP address is a matching item), srcport (each source port is a matching item) and dstport (each destination port is a matching item).
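As an added example (not code from the original article), here is a small shell/awk simulation of the token bucket just described. simulate_bucket takes the rate s, the capacity n and a constructed list of packet arrival times in milliseconds, and prints ACCEPT or DROP for each packet; count_accepted sums the accepted ones. It models the bucket exactly as the text describes it; the real xt_hashlimit kernel module keeps its credits in its own internal units, so the numbers are illustrative rather than a reproduction of the kernel's arithmetic.

```shell
#!/bin/sh
# Token bucket model of the hashlimit match (added example, constructed trace).
# simulate_bucket RATE BURST T1 T2 ... : RATE in tokens per second, BURST is the
# bucket capacity n, T1.. are packet arrival times in milliseconds, ascending.
# Prints "<time> ACCEPT" or "<time> DROP" for every packet.
simulate_bucket() {
    rate=$1; burst=$2; shift 2
    printf '%s\n' "$@" | awk -v rate="$rate" -v burst="$burst" '
    BEGIN { tokens = burst; last = 0 }      # the administrator starts with n tokens
    {
        t = $1 + 0
        # refill at rate s per second for the time elapsed, capped at n
        tokens += (t - last) * rate / 1000.0
        if (tokens > burst) tokens = burst
        last = t
        if (tokens >= 1) { tokens -= 1; verdict = "ACCEPT" }  # hand out a token
        else verdict = "DROP"                                 # bucket empty
        printf("%d %s\n", t, verdict)
    }'
}

# count_accepted RATE BURST T1 T2 ... : number of packets that got a token
count_accepted() {
    simulate_bucket "$@" | awk '$2 == "ACCEPT" { n++ } END { print n + 0 }'
}

# Demo: 20 packets within 20 ms against a 5/sec bucket with burst 10,
# then a second burst of 12 packets one second later.
simulate_bucket 5 10 $(seq 0 19) $(seq 1019 1030)
echo "accepted: $(count_accepted 5 10 $(seq 0 19) $(seq 1019 1030))"
```

With rate 5 and burst 10, the first 10 packets of the initial burst are accepted and the next 10 dropped; by the time the second burst arrives one second later the bucket has refilled 5 tokens, so 5 more packets pass, 15 in total. This is the behaviour to expect from the --hashlimit 5/sec --hashlimit-burst 10 rule above for a single source IP.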

In addition to the three parameters above, hashlimit has a required parameter, --hashlimit-name. For every iptables rule that uses the hashlimit module, hashlimit creates a file in the /proc/net/ipt_hashlimit directory in which it stores the state of each matching item; --hashlimit-name specifies that file's name.

Now that we have covered the working principle and the corresponding parameters of hashlimit, let's look at a few examples.

The first is the previous example:

iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit 5/sec --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

Knowing the meanings of the hashlimit parameters, we can now understand what the two iptables commands do.

The first rule creates a matching item for every distinct IP address that accesses port 22 of the local machine; each matching item has a token bucket with capacity 10 and a token generation rate of 5 per second. Packets that match are accepted.

The second rule drops all other packets that access port 22 of the local machine.

With these two rules we have limited how frequently other machines can access port 22 (the ssh service) on the local machine.

Let's look at a slightly more complex rate limit. Suppose we are on a NAT gateway and want to limit how frequently hosts in the internal network segment 192.168.1.2/24 can initiate connections to the outside. (This is mainly used to restrain flood attacks launched by infected internal hosts.)

We can do this:

iptables -N DEFLOOD

iptables -A FORWARD -s 192.168.1.2/24 -m state --state NEW -j DEFLOOD

iptables -A DEFLOOD -m hashlimit --hashlimit-name deflood --hashlimit 10/sec --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT

iptables -A DEFLOOD -j DROP

The first command creates a user-defined chain.

The second command sends every packet from the 192.168.1.2/24 segment that is trying to create a new network connection to the DEFLOOD chain for processing.

The third command creates, in the DEFLOOD chain, a matching item for each source IP address, with a token bucket capacity of 10 and a generation rate of 10 per second, and accepts the packets that match.

The fourth command drops all other packets in the DEFLOOD chain (a user-defined chain cannot carry a default policy, so the drop has to be an explicit final rule).
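To tie the two examples together, here is an added shell script (not the article's own code) that builds both rule sets using the two-step pattern the article insists on: one function emits the ACCEPT-on-match rule immediately followed by the DROP rule for the same traffic, so the hashlimit match can never be left standing alone. IPT defaults to "echo iptables", so the script only prints the commands it would run; set IPT=iptables and run it as root to load them. The function uses --hashlimit-upto, the current name of the --hashlimit option shown above; show_buckets is an assumed helper that simply dumps the per-key table hashlimit keeps under /proc/net/ipt_hashlimit.

```shell
#!/bin/sh
# Added example: emit the two-step hashlimit rule sets described in the article.
# IPT defaults to "echo iptables" so nothing is changed on the host;
# IPT=iptables ./script.sh (as root) applies the rules for real.
IPT="${IPT:-echo iptables}"

# rate_limit_pair CHAIN NAME RATE BURST MODE [match args...]
# Step 1: ACCEPT packets whose per-key token bucket still holds a token.
# Step 2: DROP whatever reaches the next rule, i.e. packets over the limit.
rate_limit_pair() {
    chain=$1; name=$2; rate=$3; burst=$4; mode=$5; shift 5
    $IPT -A "$chain" "$@" -m hashlimit --hashlimit-name "$name" \
        --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode "$mode" -j ACCEPT
    $IPT -A "$chain" "$@" -j DROP
}

# ssh_limit: the article's first example, 5 packets/sec with a burst of 10,
# one bucket per source IP, applied to every packet aimed at local port 22.
ssh_limit() {
    rate_limit_pair INPUT ssh 5/sec 10 srcip -p tcp --dport 22
}

# deflood SUBNET: the NAT-gateway example as a user-defined chain. Only packets
# that open a NEW connection are sent to DEFLOOD, so established flows are not
# charged against the bucket; the final DROP is an explicit rule because a
# user-defined chain has no policy.
deflood() {
    subnet=$1
    $IPT -N DEFLOOD
    $IPT -A FORWARD -s "$subnet" -m state --state NEW -j DEFLOOD
    rate_limit_pair DEFLOOD deflood 10/sec 10 srcip
}

# show_buckets NAME (assumed helper): dump the table hashlimit keeps per rule,
# one line per matching item, to see which keys currently hold state.
show_buckets() {
    f="/proc/net/ipt_hashlimit/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "no table $f (rule not loaded?)"; fi
}

ssh_limit
deflood 192.168.1.0/24
show_buckets ssh
```

One caveat worth noticing when comparing the two sets: ssh_limit, like the article's first example, has no connection-state match, so every packet of an already established SSH session also consumes tokens and a busy session will be throttled at 5 packets per second. The deflood chain avoids that by only sending NEW connections through the bucket; adding -m state --state NEW to the ssh rules gives the same effect there.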

Of course, hashlimit has some other parameters, such as:

--hashlimit-htable-expire

--hashlimit-htable-size

--hashlimit-htable-max

See man iptables for details.

The above describes the principles and usage of the hashlimit module. I hope it helps :)

Address: http://lvsheat.blog.51cto.com/431185/142567
