Apologies for top posting.

I fear you will either have to work with cacti bandwidth alerts, figuring out how to grab the client IP and push it into iptables; find another way to get the client IP out of cacti and into iptables; or look into the QoS capabilities within Linux.

On 08/18/2011 03:01 PM, Rudi Ahlers wrote:
> Let's try again:
>
>
> I need to automatically block any user who abuses bandwidth, either
> incoming or outgoing. I should be able to set the limits, in either
> rate/s or usage/s: 1Mb/s or 10GB/h, for example.
>
> Then, any user, connecting from anywhere, on any IP, should be blocked
> - either if he uploads or downloads (i.e. ingress & egress) - for a
> specific amount of time.
>
>
> My research:
>
> The firewalls which we've tried (both normal Linux iptables and
> hardware based firewalls) can do this, as long as I can specify the
> IPs to block - this is standard for an office-type firewall.
> BUT, I don't have a range of IPs to specify since these particular
> servers are on the internet, thus any possible IP on the net could
> connect to the server.
>
>
> I also need to exclude certain IPs from this rule (i.e. for backup
> servers which actually need to transfer a lot of traffic).
>
> To some degree this would mean "traffic accounting", but that just
> keeps a log of traffic usage. And we already measure traffic use with
> cacti & SNMP. Cacti can send us an email if a certain amount of
> bandwidth is used up, but it doesn't tell the firewall to block the
> offending IP address.
>
> DDOS protection type firewalls don't help much either since they
> only block incoming "attacks", but not really normal uploads. They
> also don't block outgoing traffic once the condition is met.
>

--
-- John Jasen (jjasen at realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already.
-- Lan Mandragoran, The Wheel of Time, New Spring
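One way to wire up the "grab the client IP and push it into iptables" step from the reply above, as an added example that is not from either poster: a POSIX shell script that reads per-client byte counters for one accounting window, skips a whitelist of backup hosts, and drops both directions for any client over the limit, using a dedicated chain so all blocks can be flushed together when the penalty period ends. The input format, the sample addresses and the BWBLOCK chain name are assumptions; the script also assumes an iptables with the `-C` rule-check option (1.4.11 or later) and is meant to run from cron with an hourly counter export.

```shell
#!/bin/sh
# bwblock.sh: turn per-client byte counters into temporary iptables blocks.
# Input lines: "<ip> <bytes_in> <bytes_out>" for the current accounting window.

IPTABLES=${IPTABLES:-iptables}   # set IPTABLES=echo for a dry run
CHAIN=BWBLOCK                     # dedicated chain, so blocks can be flushed together
WHITELIST='192.0.2.44'            # hosts (backup servers) that are never blocked

# Constructed sample counters; addresses are from the documentation ranges.
SAMPLE_COUNTERS='203.0.113.10 1200000000 300000000
198.51.100.7 11000000000 5000000
192.0.2.44 4000000 20000000000
192.0.2.99 100 200'

# abusers LIMIT: read counters on stdin, print IPs whose inbound OR outbound
# bytes exceed LIMIT, skipping the whitelist. awk copes with counters over 2^32.
abusers() {
  awk -v limit="$1" -v wl=" $WHITELIST " '
    NF < 3 { next }
    index(wl, " " $1 " ") { next }
    ($2 + 0) > (limit + 0) || ($3 + 0) > (limit + 0) { print $1 }'
}

# setup_chain: create the chain once and hook it into the built-in chains
# so the blocks cover ingress, egress and forwarded traffic.
setup_chain() {
  $IPTABLES -N "$CHAIN" 2>/dev/null || true
  for hook in INPUT OUTPUT FORWARD; do
    $IPTABLES -C "$hook" -j "$CHAIN" 2>/dev/null || $IPTABLES -I "$hook" -j "$CHAIN"
  done
}

# block_ips: drop traffic to and from each IP read on stdin.
block_ips() {
  while read -r ip; do
    [ -n "$ip" ] || continue
    $IPTABLES -I "$CHAIN" -s "$ip" -j DROP
    $IPTABLES -I "$CHAIN" -d "$ip" -j DROP
  done
}

# unblock_all: flush the chain; run from cron/at when the penalty period ends.
unblock_all() { $IPTABLES -F "$CHAIN"; }

# Hourly cron usage, 10 GB/h limit:  export_counters | ./bwblock.sh run 10000000000
if [ "${1:-}" = run ]; then
  setup_chain
  abusers "${2:-10000000000}" | block_ips
fi
```

Pair it with a second cron entry that calls `unblock_all` after the chosen penalty period, and adjust the limit per window to express a rate (e.g. counters sampled every second against a 1 Mb/s budget).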