IPtables Traffic Quota - up and down

I've been trying to set up traffic quotas for users on a shared server and I believe [with my limited knowledge] that iptables --quota and ports which have been selected for each user [--dport] is the way to do this...

iptables -A OUTPUT -p tcp -m multiport --dports 1,2,3,4... -m quota --quota 123412341234 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 1,2,3,4... -j DROP

I think something like this would work to limit the traffic [and reset every month], but it's only for traffic going out.

  • Is there something I could do to combine -A OUTPUT and -A INPUT into one quota?
  • Or, is there a different method I could use to achieve the same thing more efficiently?

OS is Debian Squeeze.

Thanks.


Solution 1:

If you want to apply a quota to both incoming and outgoing, you'd do it like this:

# create the per-user quota chains before any rule jumps to them
-N filter_quota_1
-N filter_quota_2
<other -N filter_quota_N>
-A OUTPUT -p tcp --sport $PORTNUM_1 -g filter_quota_1
-A OUTPUT -p tcp --sport $PORTNUM_2 -g filter_quota_2
<other OUTPUT rules for other users>
-A INPUT  -p tcp --dport $PORTNUM_1 -g filter_quota_1
-A INPUT  -p tcp --dport $PORTNUM_2 -g filter_quota_2
<other INPUT rules>
-A filter_quota_1 -m quota --quota $QUOTA_1 -g chain_where_quota_not_reached
-A filter_quota_1 -g chain_where_quota_is_reached
-A filter_quota_2 -m quota --quota $QUOTA_2 -g chain_where_quota_not_reached
-A filter_quota_2 -g chain_where_quota_is_reached
<other filter_quota_N chains>

When you want to reset quota #N, you'd do iptables -F filter_quota_N and then re-populate filter_quota_N.

Since the rules are mostly similar, you really should consider automation with Bash (or another scripting language of your choice).
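As an added example (not part of the original question or answer), here is a small POSIX shell script that automates the chain layout from Solution 1: each user's INPUT and OUTPUT traffic is sent with -g (no return) into the same per-user chain, so a single -m quota counter covers upload and download together, which is what the question's first bullet asks for. The chain names filter_quota_N, the user table and the quota sizes are constructed for this example; the placeholder chains from the answer are replaced with plain -j ACCEPT / -j DROP. The IPT variable defaults to echo so the script only prints the commands it would run; set IPT=iptables (as root) to apply them.

```shell
#!/bin/sh
# Added example: per-user iptables quota chains shared by both directions.
# IPT=echo (default) prints the rules instead of applying them; set
# IPT=iptables to run them for real. Chain names are assumptions.
IPT="${IPT:-echo}"

# fill_chain CHAIN QUOTA_BYTES: the two rules that make up a quota chain.
# -m quota counts every byte that reaches the rule (both directions,
# headers included) and stops matching once QUOTA_BYTES is used up.
fill_chain() {
  chain=$1; quota=$2
  $IPT -A "$chain" -m quota --quota "$quota" -j ACCEPT
  $IPT -A "$chain" -j DROP   # quota exhausted: drop the rest
}

# emit_setup PORT QUOTA_BYTES USER_ID: create the chain and hook both
# directions into it. -g (goto) never returns, so later INPUT/OUTPUT
# rules for this port are not consulted.
emit_setup() {
  port=$1; quota=$2; id=$3
  chain="filter_quota_$id"
  $IPT -N "$chain"
  $IPT -A OUTPUT -p tcp --sport "$port" -g "$chain"   # server -> user
  $IPT -A INPUT -p tcp --dport "$port" -g "$chain"    # user -> server
  fill_chain "$chain" "$quota"
}

# reset_quota USER_ID QUOTA_BYTES: flushing the chain discards the
# kernel's byte counter, so re-populate it to start a fresh period.
# Run this monthly from cron for every user.
reset_quota() {
  id=$1; quota=$2
  chain="filter_quota_$id"
  $IPT -F "$chain"
  fill_chain "$chain" "$quota"
}

# Constructed sample user table: id port quota_bytes (5 GiB each).
printf '%s\n' '1 8001 5368709120' '2 8002 5368709120' |
while read -r id port quota; do
  emit_setup "$port" "$quota" "$id"
done
```

Because the quota lives in a kernel counter that -F throws away, the reset is simply "flush and refill", exactly as the answer describes; keep the user table in a file so the monthly cron job and the initial setup read the same ports and limits.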