Apologies for top posting.
I fear you will either have to work with cacti bandwidth alerts, figuring out how to grab the client IP and push it into iptables; find another way to get the client IP out of cacti and into iptables; or look into the QoS capabilities within Linux.
On 08/18/2011 03:01 PM, Rudi Ahlers wrote:
Let's try again:
I need to automatically block any user who abuses bandwidth, either incoming or outgoing. I should be able to set the limits, in either rate/s or usage/s: 1Mb/s or 10GB/h, for example.
Then any user, connecting from anywhere, on any IP, should be blocked - either if he uploads or downloads (i.e. ingress & egress) for a specific amount of time.
My research:
The firewalls which we've tried (both normal Linux iptables and hardware-based firewalls) can do this, as long as I can specify the IPs to block - this is standard for an office-type firewall. BUT, I don't have a range of IPs to specify since these particular servers are on the internet, thus any possible IP on the net could connect to the server.
I also need to exclude certain IPs from this rule (i.e. for backup servers which actually need to transfer a lot of traffic).
To some degree this would mean "traffic accounting", but that just keeps a log of traffic usage. And we already measure traffic use with cacti & SNMP. Cacti can send us an email if a certain amount of bandwidth is used up, but it doesn't tell the firewall to block the offending IP address.
DDoS-protection-type firewalls don't help much either, since they only block incoming "attacks" but not really normal uploads. They also don't block outgoing traffic once the condition is met.
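The approach the reply suggests (turn a per-IP bandwidth threshold breach into a firewall block, with an exclusion list for backup servers and a limited block duration), as an added example that is not code from the thread. It assumes an iptables accounting chain named ACCT, an ipset named bw_block with timeouts enabled, and constructed counter listings; 1 Mb/s is expressed as 125,000 bytes/s.

```python
"""Constructed example: per-IP byte counters -> time-limited firewall blocks. Assumed, not
from the thread: an iptables chain ACCT with one RETURN rule per client IP (-s inbound,
-d outbound) read via `iptables -nvx -L ACCT`, and an ipset `bw_block` (hash:ip, timeout)."""
import re
INTERVAL_S = 60              # seconds between the two samples below
EXCLUDE = {"198.51.100.7"}   # backup server that legitimately moves bulk data
# columns: pkts bytes target prot opt in out source destination
RULE = re.compile(r"^\s*(\d+)\s+(\d+)(?:\s+\S+){5}\s+(\S+)\s+(\S+)")
BEFORE = """Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1000000 RETURN     all  --  *      *       203.0.113.5          0.0.0.0/0
     300     200000 RETURN     all  --  *      *       0.0.0.0/0            203.0.113.5
     900     500000 RETURN     all  --  *      *       0.0.0.0/0            192.0.2.9
"""
AFTER = """Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   24000   20000000 RETURN     all  --  *      *       203.0.113.5          0.0.0.0/0
     400     250000 RETURN     all  --  *      *       0.0.0.0/0            203.0.113.5
    4000    3500000 RETURN     all  --  *      *       0.0.0.0/0            192.0.2.9
  620000  900000000 RETURN     all  --  *      *       0.0.0.0/0            198.51.100.7
"""

def parse_counters(listing):
    """Map (ip, 'in'|'out') -> bytes; the chain and column headers do not match RULE."""
    counters = {}
    for line in listing.splitlines():
        m = RULE.match(line)
        if m:
            _pkts, nbytes, src, dst = m.groups()
            key = (src, "in") if src != "0.0.0.0/0" else (dst, "out")
            counters[key] = int(nbytes)
    return counters

def find_offenders(before, after, seconds, rate_limit_bps=None, usage_limit=None, exclude=()):
    """IPs whose delta in either direction exceeds the rate (bytes/s) or usage (bytes) limit."""
    offenders = set()
    for key, now in after.items():
        if key[0] in exclude:
            continue
        delta = now - before.get(key, 0)   # a new IP has no earlier sample
        if delta < 0:      # counters were zeroed or the rule recreated between samples
            delta = now
        if rate_limit_bps is not None and delta / seconds > rate_limit_bps:
            offenders.add(key[0])
        if usage_limit is not None and delta > usage_limit:
            offenders.add(key[0])
    return sorted(offenders)

def block_commands(ips, block_seconds):   # ipset entries expire on their own
    return [f"ipset add bw_block {ip} timeout {block_seconds}" for ip in ips]
```

Run find_offenders(parse_counters(BEFORE), parse_counters(AFTER), INTERVAL_S, rate_limit_bps=125_000, exclude=EXCLUDE) from the sampling job and feed block_commands() to a shell; a usage limit such as 10 GB/h is the same check with usage_limit over a 3600 s window.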