Rate limiting using iptables

From Notes_Wiki
Revision as of 12:51, 9 November 2012 by Saurabh (talk | contribs) (Created page with "=Rate limiting using iptables= We can limit rate of network communication using iptables to protect against flood attacks and also to regulate network usage. ==To protect a...")


We can limit the rate of network communication with iptables, both to protect against flood attacks and to regulate network usage.


To protect against ping flood attacks

We can use the 'limit' module of iptables to protect against ping flood attacks:

-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP

Note that the above lines protect only against ping (echo-request) floods. To protect against generic ICMP floods we can remove the constraint '--icmp-type echo-request'. This is only good enough to protect against attacks from one PC to another. If the flood comes from multiple sources or is generated with dedicated hardware, this configuration may not be enough.

The configuration will also cause denial of service to other users when under attack, even from a single source, because the limit is applied per protocol without considering the source address of the packet.
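To see what '--limit 60/minute --limit-burst 120' actually does, and why the single-source caveat above holds, here is an added Python model of the limit match's token bucket (example code, not from this page or from iptables). It goes beyond the page by also modelling one bucket per source address, which is what iptables' hashlimit match provides; the traffic and the two addresses are constructed for the demonstration.

```python
from collections import defaultdict

class TokenBucket:
    """'--limit <rate>' is the refill rate, '--limit-burst <n>' the bucket size.
    The bucket starts full; a packet that finds a whole token takes it and
    matches the rule, any other packet falls through to the next rule."""
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run_chain(packets, per_source=False):
    """Apply the page's ACCEPT -> LOG -> DROP rules to (time, src) packets.

    per_source=False: one bucket shared by every source, as '-m limit' behaves.
    per_source=True: one bucket per source address, which is what the
    hashlimit match ('-m hashlimit --hashlimit-mode srcip') provides.
    """
    accept = defaultdict(lambda: TokenBucket(60 / 60, 120))  # 60/minute, burst 120
    logrule = defaultdict(lambda: TokenBucket(1 / 60, 2))    # 1/minute, burst 2
    verdicts = defaultdict(lambda: {"ACCEPT": 0, "LOG": 0, "DROP": 0})
    for now, src in packets:
        key = src if per_source else "all"
        if accept[key].allow(now):
            verdicts[src]["ACCEPT"] += 1
            continue
        if logrule[key].allow(now):
            verdicts[src]["LOG"] += 1  # LOG does not terminate: the packet goes on
        verdicts[src]["DROP"] += 1     # ... and the final rule drops it
    return dict(verdicts)

def flood_scenario(per_source=False):
    """Constructed traffic: 10.0.0.99 sends 100 pings/s for 10 s while
    10.0.0.5 sends one ping per second (both addresses are made up)."""
    attacker = [(k / 100, "10.0.0.99") for k in range(1000)]
    legit = [(i + 0.505, "10.0.0.5") for i in range(10)]
    return run_chain(sorted(attacker + legit), per_source)

if __name__ == "__main__":
    for mode in (False, True):
        print("per-source" if mode else "shared limit", flood_scenario(mode))
```

With the shared bucket the legitimate host gets one ping through before the flood drains the burst and is then dropped for the rest of the run; with a per-source bucket all of its pings pass while the flooder is still held to roughly the burst plus one packet per second.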


To control network usage

We can prevent abuse of network resources by rate limiting them with iptables.

-A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 4/second --limit-burst 12 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 1/minute --limit-burst 1 -j LOG
-A OUTPUT -p tcp -m tcp --dport 80 -j DROP

In the above example we are limiting outgoing packets to port 80 (every packet matches, not only new connections, so established downloads are throttled as well). This is useful when we cannot completely block outgoing connections, say because updates need them, but do not want the host to become a channel through which people browse the web or download files.

The limit module can also be used to rate-limit incoming traffic for performance reasons.