I've got iptables working on Centos 7, using version v1.4.21 but also tested on v1.6.0 (mind you I didn't rebuild the kernel since it says I no longer need to for the extensions).
I set up a quota and it gets used:
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
3639 3999378 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
142 175468 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
#
Then as I add any other rule to this chain, the existing rule "resets" the bytes usage and uses up the quota again:
# iptables -I 192.168.2.5 -m quota --quota 1000 -j ACCEPT
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
2 168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 1000 bytes
7239 7998334 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
890 387931 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Even when not exceeded, this behavior always adds the quota amount to the rule, even though I am affecting a different rule:
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
379 67755 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -I 192.168.2.5 -m quota --quota 1000 -j ACCEPT
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
2 168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 1000 bytes
379 67755 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
# iptables -nvx -L 192.168.2.5
Chain 192.168.2.5 (2 references)
pkts bytes target prot opt in out source destination
11 924 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 1000 bytes
4159 4066453 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 quota: 4000000 bytes
315 190056 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
This seems to be a bug, and perhaps related to this one.
Any ideas? My one workaround is to capture the bytes myself and add them to the quota of the new rule. That works well when it's already exceeded, but if not, I might miss some bytes due to the gap between reading, calculating, deleting and adding.
Reading the other question you linked and testing, I can only conclude that the quota module isn't very useful: it resets whenever something changes.
That's surely why there's another module called quota2! It's not part of iptables, but of xtables-addons. In Debian it's available and compiled at installation with xtables-addons-dkms. I think you will have to compile it yourself in CentOS 7.
Three excerpts from the man page (can be found here: xtables-addons.8):
The quota appears in /proc/net/xt_quota/name and is read/write
That means some logic outside of iptables itself must be used (for example saving remaining quotas and restoring at boot if you had to reboot the server), but this would surely solve your problems.
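One way to provide that outside logic, as an added example that is not part of the answer above: a small POSIX shell script that saves the remaining byte count of every named quota2 counter from /proc/net/xt_quota/ to a state file and writes the saved values back after the rules have been recreated at boot. The state file path (/var/lib/xt_quota.state) and the counter name used in the comments are assumptions; both directories are overridable so the logic can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes each quota2 rule was created
# with --name <name>, which exposes its remaining bytes in /proc/net/xt_quota/<name>
# as a read/write file. QUOTA_PROC and QUOTA_STATE are overridable for testing.
QUOTA_PROC="${QUOTA_PROC:-/proc/net/xt_quota}"
QUOTA_STATE="${QUOTA_STATE:-/var/lib/xt_quota.state}"   # assumed location

# Print the remaining bytes for one named counter; fail if it does not exist.
quota_remaining() {
    [ -r "$QUOTA_PROC/$1" ] || return 1
    tr -d '[:space:]' < "$QUOTA_PROC/$1"
}

# Save "name remaining" for every counter (run periodically and at shutdown).
quota_save() {
    : > "$QUOTA_STATE.tmp"
    for f in "$QUOTA_PROC"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        printf '%s %s\n' "$name" "$(quota_remaining "$name")" >> "$QUOTA_STATE.tmp"
    done
    # Atomic replace: a crash mid-write leaves the previous state file intact.
    mv "$QUOTA_STATE.tmp" "$QUOTA_STATE"
}

# Restore saved values once the rules (and thus the /proc entries) exist again.
# Entries whose counter is gone are skipped; non-numeric values are rejected.
quota_restore() {
    [ -r "$QUOTA_STATE" ] || return 1
    while read -r name remaining; do
        case "$remaining" in
            ''|*[!0-9]*) echo "skipping malformed entry for '$name'" >&2; continue ;;
        esac
        [ -w "$QUOTA_PROC/$name" ] || continue
        printf '%s\n' "$remaining" > "$QUOTA_PROC/$name"
    done < "$QUOTA_STATE"
}
```

Run `quota_save` from a cron job and a shutdown hook, and `quota_restore` from the boot script after the iptables rules are loaded, so a reboot does not hand every host a fresh quota.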