and_woox Posted April 5, 2008

I'm working with connbytes to limit the amount of traffic (in/out) for a client in my network, but to no avail. For example, if I would like to limit all traffic (not restricted to one client) I could use:

iptables -A INPUT -m connbytes --connbytes 10000:100000 -j DROP

How would I specify an IP? How can I reset this counter every month? Thank you
and_woox (Author) Posted April 8, 2008

None of you know about this?
ianw1974 Posted April 9, 2008

Maybe something like:

iptables -A INPUT -s x.x.x.x -m connbytes --connbytes 10000:100000 -j DROP

replacing x.x.x.x with the IP you want to have as the source IP to monitor. Unless it's a destination IP, then change -s to -d.
paul Posted April 9, 2008

iptables-save and iptables-restore will reset counters
and_woox (Author) Posted April 14, 2008

> iptables-save and iptables-restore will reset counters

For me to use these commands I will have to work with other iptables. Is there a way for me to reset the counter in a direct way?
ianw1974 Posted April 14, 2008

I'm not sure how much more direct you can get than using iptables-save and iptables-restore. However, if iptables is configured correctly, on an rpm distro, you can probably just do this with:

service iptables restart

or restart the service in the GUI if you prefer not to use the command line. Make sure that /etc/sysconfig/iptables is configured to save any rules when it shuts down.

Also, if for example you wanted to restart the service at the end of the month, if you were monitoring for a month, then you'd schedule a job in /etc/cron.monthly to restart the service for you. Then just sit back and never have to reset it yourself.
and_woox (Author) Posted April 16, 2008

Thanks for the tip. I used this script for connbytes:

iptables -A INPUT -s 198.168.1.196 -m connbytes --connbytes 3000000: -j DROP

but my connection kept going. Do you see anything missing?
and_woox (Author) Posted April 18, 2008

Hey ianw1974, what do you think?
ianw1974 Posted April 18, 2008

Looking at the iptables man page:

    connbytes
        Match by how many bytes or packets a connection (or one of the two flows constituting the connection) have transferred so far, or by average bytes per packet. The counters are 64bit and are thus not expected to overflow;) The primary use is to detect long-lived downloads and mark them to be scheduled using a lower priority band in traffic control. The transferred bytes per connection can also be viewed through /proc/net/ip_conntrack and accessed via ctnetlink

        [!] --connbytes from:[to]
            match packets from a connection whose packets/bytes/average packet size is more than FROM and less than TO bytes/packets. if TO is omitted only FROM check is done. "!" is used to match packets not falling in the range.

It looks OK, so I don't know why, as I've never tried it.
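The man page quoted above says the connbytes counters live per connection and can be read from /proc/net/ip_conntrack. The script below is an added example, not code from the thread: it parses constructed /proc/net/ip_conntrack lines (the packets=/bytes= fields require conntrack accounting to be enabled) and contrasts the per-connection total that a `--connbytes 3000000:` rule checks against the per-host total across all of a client's connections, which the rule in the thread never sees. The addresses, byte counts and threshold are made up for the sample.

```python
"""Compare connbytes' per-connection view with a per-host byte total.

Added example; the sample conntrack lines below are constructed and use
documentation-range addresses, not hosts from the thread.
"""
import re
from collections import defaultdict

# Constructed sample in the /proc/net/ip_conntrack text format, with the
# packets=/bytes= accounting fields present for both flows of each entry.
SAMPLE_CONNTRACK = """\
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=80 packets=1200 bytes=1800000 src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40001 packets=900 bytes=1300000 [ASSURED] mark=0 use=1
tcp      6 120 TIME_WAIT src=192.0.2.10 dst=198.51.100.7 sport=40002 dport=443 packets=300 bytes=2500000 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40002 packets=200 bytes=400000 [ASSURED] mark=0 use=1
udp     17 29 src=192.0.2.11 dst=198.51.100.9 sport=5353 dport=53 packets=4 bytes=320 src=198.51.100.9 dst=192.0.2.11 sport=53 dport=5353 packets=4 bytes=900 mark=0 use=1
"""

# One match per flow: original direction first, reply direction second.
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) .*?packets=(\d+) bytes=(\d+)")


def parse_entries(text):
    """Return one dict per conntrack entry: the LAN client (original-direction
    source) and the bytes moved in each direction. Entries without accounting
    fields are skipped because they carry no byte counters."""
    entries = []
    for line in text.splitlines():
        flows = FLOW_RE.findall(line)
        if len(flows) != 2:
            continue
        (src, _dst, _p1, orig_b), (_rs, _rd, _p2, reply_b) = flows
        entries.append({"client": src, "original": int(orig_b), "reply": int(reply_b)})
    return entries


def over_limit_connections(text, limit):
    """Connections a rule like '-m connbytes --connbytes LIMIT: --connbytes-dir both
    --connbytes-mode bytes' would match: the comparison is per conntrack entry,
    and a fresh connection from the same host starts again at zero."""
    return [(e["client"], e["original"] + e["reply"])
            for e in parse_entries(text) if e["original"] + e["reply"] >= limit]


def over_limit_hosts(text, limit):
    """Bytes summed across all of a host's current connections. connbytes keeps
    no such counter, and each entry's bytes vanish when the entry expires."""
    per_host = defaultdict(int)
    for e in parse_entries(text):
        per_host[e["client"]] += e["original"] + e["reply"]
    return {host: total for host, total in per_host.items() if total >= limit}


if __name__ == "__main__":
    print("per connection:", over_limit_connections(SAMPLE_CONNTRACK, 3000000))
    print("per host:      ", over_limit_hosts(SAMPLE_CONNTRACK, 3000000))
```

Run against the live table, read /proc/net/ip_conntrack (or /proc/net/nf_conntrack on newer kernels) into `text` instead of the sample; only the per-host sum approaches the monthly cap the original poster asked about, and it still does not persist across expired entries.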