Posted: Mon Nov 23, 2020 4:30 Post subject: Using iptables to limit packets...
I am trying to set up a remote link over a crappy connection. Sadly, my connection is rock-solid. However, my router is an XR500 running DD-WRT (DumaOS is horrible, but I'd run DD anyway) and that means that I have iptables. Trying to do a basic limit fails.
Code:
iptables -A FORWARD -s 1.2.3.4 -p udp -m limit --limit 1/s -j DROP
Tried it on INPUT, OUTPUT, and FORWARD. I set up a simple game server which uses UDP and used a helper's static IP address, but it does not limit him. No packet loss if he plays the game and connects.
Am I limiting it incorrectly here?
_________________
Cicero: Stab you, stab you, stab you!
Psycho: I think he wants to play xylophone with my spinal cord!
Try changing the rule to insert (-I) rather than append (-A). dd-wrt uses a default policy of ACCEPT for all its chains, ending w/ a DROP, making appending a rule problematic.
Should my default be ACCEPT then? I tried both and still no go.
I wasn't commenting on the effectiveness (or ineffectiveness) of the rule itself, as much as its incorrect placement. When added to the end of the table, it ends up after an unconditional DROP rule, meaning it will never be reached!
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * vlan2 0.0.0.0/0 10.0.0.0/8 state NEW
0 0 DROP all -- * vlan2 0.0.0.0/0 172.16.0.0/12 state NEW
0 0 DROP all -- * vlan2 0.0.0.0/0 192.168.0.0/16 state NEW
0 0 ACCEPT all -- vlan2 * 192.168.61.0/24 0.0.0.0/0 state NEW
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 upnp all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 lan2wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * vlan2 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 DROP udp -- * vlan2 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
0 0 DROP udp -- * vlan2 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 TRIGGER all -- vlan2 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- vlan2 eth0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 eth2 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth2 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 vlan1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- vlan1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- vlan1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP udp -- * * 1.2.3.4 0.0.0.0/0 limit: avg 1/sec burst 5
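To make the placement problem described above visible without touching a live router, here is an added example (not from the thread or from DD-WRT) that audits a saved rule listing: it flags every rule that sits behind an unconditional ACCEPT/DROP/REJECT in the same chain and therefore can never match. The input is a constructed, condensed `iptables -S FORWARD` listing modelled on the chain quoted above, not output captured from the XR500.

```shell
#!/bin/sh
# Constructed sample of `iptables -S FORWARD` output, condensed from the
# FORWARD chain quoted in the thread (hypothetical, not captured on the router).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -o vlan2 -d 10.0.0.0/8 -m state --state NEW -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -s 1.2.3.4/32 -p udp -m limit --limit 1/sec -j DROP'

# Print every rule that comes after an unconditional terminating rule in the
# same chain, i.e. a rule with no match criteria at all that jumps to ACCEPT,
# DROP or REJECT. Nothing behind such a rule is ever evaluated, so appending
# with -A behind it is a silent no-op; -I (insert) is needed instead.
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            if (dead[chain]) { print; next }
            # Exactly "-A <chain> -j <target>" means the rule has no matches.
            if (NF == 4 && $3 == "-j" &&
                ($4 == "DROP" || $4 == "ACCEPT" || $4 == "REJECT"))
                dead[chain] = 1
        }'
}

# Usage: the appended limit rule is reported because the DD-WRT chain
# already ends in "-A FORWARD -j DROP".
unreachable_rules "$SAMPLE_RULES"
```

Ordering is only half of it: the limit match matches packets while they are under the configured rate, so `-m limit --limit 1/s -j DROP` drops at most one packet per second and lets the excess through. To cap a source at that rate, the usual idiom is `-m limit --limit 1/s -j ACCEPT` followed by an unconditional `-j DROP` for the same selector.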
Oh I see. Alright, then I must be doing it wrong. The thing is that rule works on an actual Linux box. Does DD-WRT not have the limit stuff?