How to Rate Limit Incoming Traffic by Source IP Address Using iptables

When you need to throttle bandwidth for specific clients while maintaining normal service for others, IP-based rate limiting becomes essential. It differs from service-based throttling in that it affects every service that IP talks to, not just one port.

We'll use the hashlimit module in iptables, which keeps a separate counter per source address (the simpler limit module has one global counter). The key components:


# Basic structure: once 192.168.1.100 sends more than 10 kB/s (the "b/s"
# suffix selects byte-based rather than packet-based counting), packets
# beyond the 20 kB burst allowance are dropped
iptables -A INPUT -s 192.168.1.100 -m hashlimit \
    --hashlimit-name john_limits \
    --hashlimit-above 10kb/sec \
    --hashlimit-burst 20kb \
    --hashlimit-mode srcip \
    -j DROP

For a production environment, we should implement this more carefully:


# Create a dedicated chain for rate limiting
iptables -N RATE_LIMIT

# Add the specific IP rule. Packets under the limit fall off the end of the
# chain and return to INPUT; packets over it are dropped here. The expire
# value is in milliseconds, so idle entries are discarded after one hour
iptables -A RATE_LIMIT -s 192.168.1.100 \
    -m hashlimit \
    --hashlimit-name client_john \
    --hashlimit-above 10kb/sec \
    --hashlimit-burst 20kb \
    --hashlimit-htable-expire 3600000 \
    --hashlimit-mode srcip \
    -j DROP

# Send HTTP and FTP control traffic through the chain. These jumps must come
# before any INPUT rule that accepts ESTABLISHED traffic, otherwise packets
# of existing connections never reach the limit
iptables -A INPUT -p tcp --dport 80 -j RATE_LIMIT
iptables -A INPUT -p tcp --dport 21 -j RATE_LIMIT

For more precise control, consider these parameters:

  • --hashlimit-htable-size: Number of buckets in the hash table
  • --hashlimit-htable-max: Maximum number of entries tracked at once
  • --hashlimit-htable-expire: Time in milliseconds after which idle entries are removed

# Example with advanced parameters. Note that this rate has no "b" suffix,
# so it counts packets per second rather than bytes, and the burst is
# likewise a packet count; entries expire after 15 minutes of inactivity
iptables -A RATE_LIMIT -s 192.168.1.100 \
    -m hashlimit \
    --hashlimit-name advanced_limit \
    --hashlimit-above 10240/s \
    --hashlimit-burst 20480 \
    --hashlimit-htable-size 1024 \
    --hashlimit-htable-max 1000 \
    --hashlimit-htable-expire 900000 \
    --hashlimit-mode srcip \
    -j DROP

Check your rules with:


iptables -L RATE_LIMIT -v -n

Monitor current hashlimit state (one line per tracked source, under the name given to --hashlimit-name):


cat /proc/net/ipt_hashlimit/client_john

Remember that:

  • These rules affect all traffic from the IP that is sent through the chain, not just one service
  • Rate limiting acts on connections that are already established: packets over the limit are dropped and TCP backs off, rather than new connections being refused
  • For UDP services, additional handling may be needed, since UDP has no congestion control and dropped packets are simply lost

When dealing with network traffic management, sometimes you need to throttle bandwidth for specific IP addresses rather than services. This becomes particularly useful in scenarios where:

  • Certain clients are consuming excessive bandwidth
  • You want to implement fair usage policies
  • You need to prevent abuse from specific sources

The hashlimit module in iptables is the right tool for IP-based rate limiting. Here's the basic syntax:

# Drop TCP packets from 192.168.1.100 once it exceeds 10 kB/s
iptables -A INPUT -p tcp -s 192.168.1.100 -m hashlimit \
    --hashlimit-name john_limit \
    --hashlimit-above 10kb/s \
    --hashlimit-burst 20kb \
    --hashlimit-mode srcip \
    -j DROP

Let's examine each component:

  • -s 192.168.1.100: Specifies the source IP to limit
  • --hashlimit-name: Creates a named bucket for tracking (visible under /proc/net/ipt_hashlimit/)
  • --hashlimit-above 10kb/s: Sets the bandwidth threshold; the "b/s" suffix makes the match count bytes rather than packets
  • --hashlimit-burst 20kb: Allows temporary bursts above the threshold; in byte mode this is a byte amount, not a packet count
  • --hashlimit-mode srcip: Ensures limiting by source IP

For a more comprehensive solution that handles both HTTP and FTP traffic:

# Create a new chain for rate limiting
iptables -N RATE_LIMIT

# Add the specific IP rule; the burst is a byte amount because the rate is byte-based
iptables -A RATE_LIMIT -s 192.168.1.100 -m hashlimit \
    --hashlimit-name john_downloads \
    --hashlimit-above 10kb/s \
    --hashlimit-burst 20kb \
    --hashlimit-mode srcip \
    -j DROP

# Apply to HTTP and FTP traffic (place these ahead of any rule that
# accepts ESTABLISHED traffic, or existing connections bypass the limit)
iptables -A INPUT -p tcp --dport 80 -j RATE_LIMIT
iptables -A INPUT -p tcp --dport 21 -j RATE_LIMIT
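The chain setup above, wrapped into a script as an added example (not code from the original article): it validates the byte-mode rate and burst syntax before the rule ever reaches iptables, prints the rule in a dry run, and only installs it, re-runnably, when INSTALL=1 is set. The function names, the RATE_LIMIT chain reuse and the 3600000 ms expiry are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: build a byte-mode hashlimit
# rule for one source IP, validate its syntax and install it idempotently.
# Assumes iptables on PATH and root privileges when INSTALL=1 is set.
set -eu

# Byte-based hashlimit rates are written as <n><b|kb|mb|gb>/s (per second only).
valid_byte_rate() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(b|kb|mb|gb)/(s|sec|second)$'
}

# In byte mode the burst is a byte amount using the same unit suffixes.
valid_byte_burst() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(b|kb|mb|gb)$'
}

# Print the match and target part of the rule (everything after "-A CHAIN").
# Usage: hashlimit_rule_args IP NAME RATE BURST EXPIRE_MS
hashlimit_rule_args() {
    valid_byte_rate "$3" || { echo "bad byte rate: $3" >&2; return 1; }
    valid_byte_burst "$4" || { echo "bad byte burst: $4" >&2; return 1; }
    printf '%s %s\n' \
        "-s $1 -m hashlimit --hashlimit-name $2 --hashlimit-above $3 --hashlimit-burst $4" \
        "--hashlimit-htable-expire $5 --hashlimit-mode srcip -j DROP"
}

# Create RATE_LIMIT (or empty it if it exists), add the rule, and hook the
# chain into INPUT for each TCP port given. -I places the jump at the top of
# INPUT, ahead of any rule that already accepts ESTABLISHED traffic.
install_rate_limit() {
    ip=$1; name=$2; rate=$3; burst=$4; shift 4
    args=$(hashlimit_rule_args "$ip" "$name" "$rate" "$burst" 3600000)
    iptables -N RATE_LIMIT 2>/dev/null || iptables -F RATE_LIMIT
    # $args is unquoted on purpose: it must be split into separate arguments
    iptables -A RATE_LIMIT $args
    for port in "$@"; do
        iptables -C INPUT -p tcp --dport "$port" -j RATE_LIMIT 2>/dev/null ||
            iptables -I INPUT -p tcp --dport "$port" -j RATE_LIMIT
    done
}

# Dry run by default; INSTALL=1 applies the rules for the IP and ports above.
if [ "${INSTALL:-0}" = 1 ]; then
    install_rate_limit 192.168.1.100 client_john 10kb/s 20kb 80 21
else
    hashlimit_rule_args 192.168.1.100 client_john 10kb/s 20kb 3600000
fi
```

A packet rate such as 10240/s or a bare burst such as 5 is rejected by the validators, which is the mistake that silently turns a bandwidth limit into a packet-count limit.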

To view current rate limiting statistics:

cat /proc/net/ipt_hashlimit/john_downloads

Remember to make your rules persistent across reboots using iptables-save and your distribution's method for preserving firewall rules.