and_woox, posted April 5, 2008

I'm working with connbytes to limit the amount of traffic (in/out) for a client in my network, but to no avail. For example, if I would like to limit all traffic (not restricted to one client) I could use:

iptables -A INPUT -m connbytes --connbytes 10000:100000 -j DROP

How would I specify an IP? How can I reset this counter every month?

Thank you
and_woox, posted April 8, 2008

None of you know about this?
ianw1974, posted April 9, 2008

Maybe something like:

iptables -A INPUT -s x.x.x.x -m connbytes --connbytes 10000:100000 -j DROP

replacing x.x.x.x with the IP you want to have as the source IP to monitor. Unless it's a destination IP, then change -s to -d.
paul, posted April 9, 2008

iptables-save and iptables-restore will reset counters.
and_woox, posted April 14, 2008

"iptables-save and iptables-restore will reset counters"

For me to use these commands I will have to work with other iptables. Is there a way for me to reset the counter in a direct way?
ianw1974, posted April 14, 2008

I'm not sure how much more direct you can get than using iptables-save and iptables-restore. However, if iptables is configured correctly, on an rpm distro you can probably just do this with:

service iptables restart

or restart the service in the GUI if you prefer not to use the command line. Make sure that /etc/sysconfig/iptables is configured to save any rules when it shuts down.

Also, if for example you wanted to restart the service at the end of the month, if you were monitoring for a month, then you'd schedule a job in /etc/cron.monthly to restart the service for you. Then just sit back and never have to reset it yourself.
and_woox, posted April 16, 2008

Thanks for the tip. I used this script for connbytes:

iptables -A INPUT -s 198.168.1.196 -m connbytes --connbytes 3000000: -j DROP

but my connection kept going. Do you see anything missing?
and_woox, posted April 18, 2008

Hey ianw1974, what do you think?
ianw1974, posted April 18, 2008

Looking at the iptables man page:

    connbytes
        Match by how many bytes or packets a connection (or one of the two
        flows constituting the connection) have transferred so far, or by
        average bytes per packet. The counters are 64bit and are thus not
        expected to overflow ;) The primary use is to detect long-lived
        downloads and mark them to be scheduled using a lower priority band
        in traffic control. The transferred bytes per connection can also be
        viewed through /proc/net/ip_conntrack and accessed via ctnetlink.

        [!] --connbytes from:[to]
            match packets from a connection whose packets/bytes/average
            packet size is more than FROM and less than TO bytes/packets.
            If TO is omitted only the FROM check is done. "!" is used to
            match packets not falling in the range.

It looks OK, so I don't know why, as I've never tried it.
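An added example, written for this page and not posted by anyone in the thread, to tie the pieces together. Three points a practitioner would want next to the rule posted on April 16: the connbytes match counts the bytes of one connection, not a host's cumulative traffic, so each new connection starts from zero and a per-host monthly cap cannot be built from it alone; the match also needs --connbytes-dir and --connbytes-mode, which iptables requires (the rule is refused without them); and traffic from a LAN client that passes through the firewall traverses the FORWARD chain, while INPUT only sees traffic addressed to the firewall itself. For a cumulative per-host cap the quota match keeps a running byte count per rule, and re-inserting the rule resets it, which is what a /etc/cron.monthly job can do. The script below assumes iptables with the connbytes and quota matches available, a placeholder client address 192.168.1.196 and a 3,000,000-byte limit; it defaults to dry-run (printing the commands) so it can be read and run without root. The conntrack lines in SAMPLE_CONNTRACK are constructed to illustrate the per-connection byte counters the man page refers to (they only appear when connection accounting is enabled).

```shell
#!/bin/sh
# Added example for this thread; not code from any poster.
# Assumed: iptables with xt_connbytes and xt_quota; host/limit are placeholders.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-connection cap (what connbytes actually does): drop packets of any single
# connection from $1 once that connection has moved $2 bytes in either direction.
# --connbytes-dir and --connbytes-mode are mandatory; the April 16 rule lacks them.
connection_cap() {   # $1 = client IP, $2 = bytes
  run "$IPT" -A FORWARD -s "$1" -m connbytes --connbytes "$2": \
      --connbytes-dir both --connbytes-mode bytes -j DROP
}

# Chain name derived from the IP: iptables chain names are limited in length and
# the dots are replaced to keep the name plain (quota_192_168_1_196).
quota_chain() { printf 'quota_%s\n' "$(printf '%s' "$1" | tr . _)"; }

# Cumulative per-host cap: both directions of the host's traffic jump to one
# chain whose single quota rule keeps a running byte count. While the quota
# lasts the packet RETURNs to FORWARD (so the rest of the policy still applies);
# once it is exhausted the rule stops matching and the DROP takes over.
host_quota() {       # $1 = client IP, $2 = bytes allowed per period
  chain=$(quota_chain "$1")
  run "$IPT" -N "$chain"
  run "$IPT" -A FORWARD -s "$1" -j "$chain"
  run "$IPT" -A FORWARD -d "$1" -j "$chain"
  run "$IPT" -A "$chain" -m quota --quota "$2" -j RETURN
  run "$IPT" -A "$chain" -j DROP
}

# Monthly reset, e.g. from /etc/cron.monthly: flushing the chain discards the
# quota rule and its counter; re-adding it starts a fresh period.
reset_host_quota() { # $1 = client IP, $2 = bytes allowed per period
  chain=$(quota_chain "$1")
  run "$IPT" -F "$chain"
  run "$IPT" -A "$chain" -m quota --quota "$2" -j RETURN
  run "$IPT" -A "$chain" -j DROP
}

# Sum the conntrack byte counters per originating host, reading
# /proc/net/ip_conntrack (or nf_conntrack) lines on stdin. The first src= on a
# line is the originator; the two bytes= fields are the two flow directions.
bytes_per_host() {
  awk '{
    src = ""; b = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/ && src == "") src = substr($i, 5)
      else if ($i ~ /^bytes=/) b += substr($i, 7)
    }
    if (src != "") total[src] += b
  }
  END { for (h in total) print h, total[h] }' | sort
}

# Constructed sample in ip_conntrack format (203.0.113.0/24 is a documentation net).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.196 dst=203.0.113.10 sport=51234 dport=80 packets=120 bytes=153600 src=203.0.113.10 dst=192.168.1.196 sport=80 dport=51234 packets=2400 bytes=3200000 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.1.196 dst=203.0.113.53 sport=40000 dport=53 packets=1 bytes=500 src=203.0.113.53 dst=192.168.1.196 sport=53 dport=40000 packets=1 bytes=700 mark=0 use=1
tcp      6 300 TIME_WAIT src=192.168.1.10 dst=203.0.113.10 sport=40001 dport=443 packets=10 bytes=1000 src=203.0.113.10 dst=192.168.1.10 sport=443 dport=40001 packets=12 bytes=2000 [ASSURED] mark=0 use=1'

# Usage (dry run): host_quota 192.168.1.196 3000000
#                  printf '%s\n' "$SAMPLE_CONNTRACK" | bytes_per_host
```

Run with DRY_RUN=0 as root to apply the rules. Note that the quota rule counts bytes only for packets that reach it, so anything accepted earlier in FORWARD is not charged; place the jump rules before any broad ACCEPT. The connection_cap rule is kept to show the corrected form of the posted rule, but the host_quota chain is the one that enforces a monthly per-client total.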