2007-06-08, 04:52 PM
(This post was last modified: 2010-08-05, 08:01 AM by Dungeon-Dave.)
Well, I thought I would step into the realm of iptables again. This little tutorial will show you how to setup the quota patch for iptables.
The quota patch allows you to well... set a quota, when the quota is match or exceeds the number of bytes, you can perform a certain action.
The first step to this guide is to download the iptables source code from netfilter's website (www.netfilter.org) and you will also need the patch-o-matic-ng.
Once you have downloaded both files you will need to get the kernel source, this can be done by simply issuing the following:
Code:
yum -y install kernel-devel
Once you have the kernel source installed you can begin unpacking the iptables source file and the path-o-matic-ng file using the tar utility as shown below.
Code:
tar jxf iptables-1.3.7.tar.bz2
tar jxf patch-o-matic-ng-20040621.tar.bz2
Once you have successfully extracted both iptables and path-o-matic you can begin with installing the quota patch as shown below.
Code:
cd patch-o-matic-ng
IPTABLES_DIR=/usr/src/iptables-1.3.7 KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686 ./runme quota
You will want to replace the iptables source code path with the one that suites your machine and also the kernel directory.
Once this command has been issued you maybe given an error saying it couldn't apply the patch, you can ignore this.
Once you have applied the patch you will need to recompile the iptables source code, this can be done by simply issuing the following:
Code:
cd iptables-1.3.7
make BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
make install BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
make clean BINDIR=/sbin LIBDIR=/lib KERNEL_DIR=/usr/src/kernels/2.6.21-1.3194.fc7-i686
Thats it you now have successfully applied the quota patch :).
Now lets try out our new iptables module :)issue the following to check that the quota module is loaded and can be used:
Code:
modprobe ipt_quota
Now that ipt_quota is loaded a simple rule as follows can be used to block web traffic that exceeds 100 bytes.
Code:
iptables -A OUTPUT -p tcp --dport 80 -m quota --quota 1024 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
What the above rule does is count down from 1MB (1024 kilobytes is a Megabyte) and when the quota hits zero the second rule will kick in which drops all the traffic.
To prove this issue the above two commands and then view the details in OUTPUT chain by issuing
Code:
iptables -L OUTPUT -v
This will produce similar output to:
Quote:Chain OUTPUT (policy ACCEPT 3640 packets, 1753K bytes) pkts bytes target prot opt in out source destination
1 40 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 984 bytes
0 0 DROP tcp -- any any anywhere anywhere tcp dpt:http
Notice the quota for HTTP, now if you open your web browser and visit www.linux-noob.com you should be able to view the front page
once or at least start to transfer traffic before you will be cut off.
If you issue the command iptables -L OUTPUT -v again you will notice that the quota should of or has almost hit 0 which is when the second rule
kicks in as shown below.
Quote:Chain OUTPUT (policy ACCEPT 3814 packets, 1773K bytes) pkts bytes target prot opt in out source destination
8 996 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http quota: 0 bytes
9 504 DROP tcp -- any any anywhere anywhere tcp dpt:http
Well I hope you enjoyed this little guide :)and be sure I'll have more on iptables soon :)