I am using nat DNAT to forward traffic on a certain port to another Centos server over a GRE tunnel however I want to rate limit a bunch of datacenter IPs I have in a ipset list 'blacklist'. So that the traffic outputted to the tunnel is rate limited.
I have tried rate limiting in all FORWARD, INPUT and OUTPUT lists however the rate limit does not work at all in any of them - maybe the nat DNAT bypasses it?.
iptables -A INPUT -m set --match-set blacklist src -p udp --dport 30000 -m hashlimit --hashlimit 10/min --hashlimit-name ratelimithash -j DROP
iptables -A FORWARD -m set --match-set blacklist src -p udp --dport 30000 -m hashlimit --hashlimit 10/min --hashlimit-name ratelimithash -j DROP
iptables -A OUTPUT -m set --match-set blacklist src -p udp --dport 30000 -m hashlimit --hashlimit 10/min --hashlimit-name ratelimithash -j DROP
If I add the list to drop via 'iptables -A OUTPUT -m set --match-set blacklist src -j DROP' it stops all traffic, so my IP ipset list is working just not the rate limiting, anyone able to help out?
iptables output:
iptables NAT output:
iptables rules
#!/bin/sh
iptables -F
sudo iptables -t nat -F
iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -t raw -F
sudo iptables -t raw -X
sudo iptables -t security -F
sudo iptables -t security -X
sudo iptables -F
sudo iptables -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -m set --match-set blacklist src -p udp --dport 30000 -m hashlimit --hashlimit 10/min --hashlimit-name ratelimithash -j DROP
iptables -A FORWARD -m set --match-set blacklist src -p udp --dport 30000 -m hashlimit --hashlimit 10/min --hashlimit-name ratelimithash -j DROP
iptables -A OUTPUT -m set --match-set blacklist src -p udp --dport 30000 -m hashlimit --hashlimit 10/min --hashlimit-name ratelimithash -j DROP
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 ! -o gre+ -j SNAT --to-source 20&&&&&&&&&&&&
iptables -A INPUT -s 192.168.168.2/32 -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -t nat -A PREROUTING -d 20&&&&&&&&&&&& -p udp --dport 30000 -j DNAT --to-destination 192.168.168.2
iptables -A OUTPUT -j DROP
iptables -P INPUT DROP
It seems this was the better rule - stops the traffic before going over the GRE tunnel over the limit
-hashlimit-srcmask 24 - to group the incoming traffic into /24 groups