NAT and packet limits with iptables

Hi all,

I have a following situation:

  • I want certain source IPs to be NATed to a different destination IP and port. The following is how I am achieving it:
/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12 \
  --dport 1500 -j DNAT --to-destination 192.168.10.20:2000

The above runs on 192.168.10.12 and is working perfectly fine.

  • Now, I want that if there are more than, say, 20 packets per minute from the source IP, then further packets should be dropped.

The above is what I am having difficulty achieving.

I have done the following, but it is not working:

/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12 \
  --dport 1500 -m limit --limit 20/m --limit-burst 5 -j DNAT --to-destination 192.168.10.20:2000

/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12 \
  --dport 1500 -j LOG --log-level 4 --log-prefix "192.168.10.12 Packet Limit exceeded: "

/usr/local/sbin/iptables -A INPUT -p tcp -s 192.168.10.12 --dport 1500 -j DROP

Can someone help me get the correct statement, or confirm whether I can achieve the above requirement through iptables?

Many thanks for your help.

Regards
Ahmerin

---------- Post updated at 08:16 AM ---------- Previous update was at 06:44 AM ----------

Sorry... My mistake... the following iptables command runs perfectly fine on the server that the source actually goes to first. It is not running on 192.168.10.12:

/usr/local/sbin/iptables -t nat -A PREROUTING -p tcp -s 192.168.10.12 \
  --dport 1500 -j DNAT --to-destination 192.168.10.20:2000

Seems possible:
Man Page for iptables (all Section 8) - The UNIX and Linux Forums

   limit
       This module matches at a limited rate using a token bucket filter. A
       rule using this extension will match until this limit is reached
       (unless the `!' flag is used). It can be used in combination with the
       LOG target to give limited logging, for example.

       --limit rate[/second|/minute|/hour|/day]
              Maximum average matching rate: specified as a number, with an
              optional `/second', `/minute', `/hour', or `/day' suffix; the
              default is 3/hour.

Thanks DGPickett for your input.

My issue is how to use limit with NAT packets. My above iptables command is not working...

I suppose you need to use the right address, pre- or post-NAT, not sure which, but if post-NAT, the NAT pool for that network needs to be distinct. I would expect iptables to do NAT after filtering, but maybe it is up to you to order the rules right.

This option may only work on a filtering rule, not on a NAT rule; again, not sure.
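The question the thread leaves open is where the limit rule has to live. Here is an added example, not code from any poster, that puts the pieces together. It assumes, as the updated post says, that the script runs on the box 192.168.10.12's traffic reaches first (the one doing the DNAT), and that 192.168.10.20 is a different machine; the `run` helper, the `DRY_RUN` switch and the `show`/`apply` arguments are this example's own conventions, not iptables features.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes this host is the box that
# 192.168.10.12's traffic reaches first (the one doing the DNAT) and that
# 192.168.10.20 is a different machine, so DNATed packets leave via FORWARD.
IPT="${IPT:-/usr/local/sbin/iptables}"

# Run an iptables command, or just print it when DRY_RUN=1 (example helper).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# nat_limit_rules SRC DPORT DST_IP:DST_PORT RATE_PER_MINUTE BURST
# Emits four rules: the DNAT, a rate-limited ACCEPT, a (separately
# rate-limited) LOG, and the DROP that catches everything over the limit.
nat_limit_rules() {
    src="$1"; dport="$2"; dst="$3"; rate="$4"; burst="$5"
    dst_ip="${dst%:*}"; dst_port="${dst#*:}"

    # 1. The DNAT, unchanged from the rule that already works. The nat table
    #    is only consulted for the first packet of a connection, so a
    #    -m limit here would cap new connections per minute, not packets.
    run -t nat -A PREROUTING -p tcp -s "$src" --dport "$dport" \
        -j DNAT --to-destination "$dst"

    # 2. Packet limiting belongs in the filter table. DNAT to another host
    #    means the packets traverse FORWARD (not INPUT), and by then the
    #    destination has already been rewritten, so match on the post-NAT
    #    address and port. `limit` is a token bucket: up to BURST packets
    #    pass immediately, then the bucket refills at RATE per minute.
    run -A FORWARD -p tcp -s "$src" -d "$dst_ip" --dport "$dst_port" \
        -m limit --limit "${rate}/minute" --limit-burst "$burst" -j ACCEPT

    # 3. Anything that did not fit into the bucket falls through to here.
    #    The LOG rule gets its own, much lower, limit so a source that
    #    exceeds the rate cannot also flood the log. --log-prefix is capped
    #    at 29 characters, so keep it short.
    run -A FORWARD -p tcp -s "$src" -d "$dst_ip" --dport "$dst_port" \
        -m limit --limit 1/minute -j LOG --log-level 4 \
        --log-prefix "LIMIT $src: "
    run -A FORWARD -p tcp -s "$src" -d "$dst_ip" --dport "$dst_port" -j DROP
}

# `sh limit-nat.sh show` prints the rules; `sh limit-nat.sh apply` installs
# them (as root, with net.ipv4.ip_forward=1 so FORWARD is reached at all).
case "${1:-}" in
    show)  DRY_RUN=1 nat_limit_rules 192.168.10.12 1500 192.168.10.20:2000 20 5 ;;
    apply) nat_limit_rules 192.168.10.12 1500 192.168.10.20:2000 20 5 ;;
esac
```

Two things explain why the original attempt did nothing useful: `-m limit` in `nat PREROUTING` only ever sees the first packet of each connection (the kernel applies the NAT mapping to the rest from conntrack), and the `DROP` in `INPUT` never fires because traffic DNATed to another host goes through `FORWARD`, not `INPUT`. Note also that `limit` keeps one bucket per rule, which is fine here because the rule is pinned to a single source; to enforce 20 packets per minute per source across many sources, use `-m hashlimit` with `--hashlimit-mode srcip` instead.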