Hi, I just researched how to achieve rate limiting at the system level, found nftables (which I didn't know of beforehand; I had only heard of iptables, without using it either), and came up with this configuration:
table ip filter {
    chain output {
        type filter hook output priority filter; policy accept;
        # "over" is required here: without it the limit statement matches while
        # the rate is NOT yet exceeded, so the rule would drop the first 20 new
        # connections per minute and let everything beyond that through
        ip daddr 216.58.198.206 ct state new limit rate over 20/minute drop
    }
}
The hostname I’m trying to rate-limit to is youtube.com. I tried issuing curl requests in a loop and that seems to work.
I would like to know whether it is possible to dynamically adjust the filtered IP; I could run "nft replace rule … youtube.com …" in a loop, but maybe there is a cleaner way.
Use sets and add/delete IP from the set.
Thanks, I didn't think of that, but that still requires monitoring which IP youtube.com resolves to at a given time.
Last edited by Idlusen (2022-08-12 18:49:58)
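The set-based approach suggested two posts up, together with the resolution tracking the reply above says it needs, as an added example that is not code from this thread: a script that installs a set-backed rule once and then, when run on a schedule (a cron job or systemd timer), resolves the hostname through the system resolver and replaces the set contents in a single nft transaction. The table name filter, the set name ytaddrs, the 20/minute rate, the TARGET_HOST variable and the use of getent are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep an nftables set in sync with the
# IPv4 addresses a hostname currently resolves to, and rate-limit new
# connections to whatever is in the set.
# Assumed names: table "filter", set "ytaddrs", env var TARGET_HOST.
set -eu

TABLE=filter
SET=ytaddrs
RATE=20/minute
TARGET_HOST=${TARGET_HOST:-youtube.com}

# Current IPv4 addresses of a hostname, one per line, via the system resolver
# (so /etc/hosts, nsswitch and any local caching resolver are honoured).
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Ruleset to install once: the set plus one rule that references it.
# "limit rate over" matches only once the rate is exceeded; without "over"
# the rule would match (and drop) the first 20 new connections per minute
# and let the excess through.
render_rules() {
    cat <<EOF
table ip $TABLE {
    set $SET {
        type ipv4_addr
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ip daddr @$SET ct state new limit rate over $RATE drop
    }
}
EOF
}

# Batch that replaces the set contents with the addresses given as arguments.
# Fed to "nft -f -" it is applied as one transaction, so the rule never sees a
# half-updated set. It deliberately does not repeat the chain block: re-adding
# the chain declaratively would append another copy of the rule on every run.
render_batch() {
    printf 'table ip %s {\n    set %s {\n        type ipv4_addr\n    }\n}\n' "$TABLE" "$SET"
    printf 'flush set ip %s %s\n' "$TABLE" "$SET"
    for ip in "$@"; do
        printf 'add element ip %s %s { %s }\n' "$TABLE" "$SET" "$ip"
    done
}

# Resolve and push; on a resolver failure leave the existing set untouched
# rather than flushing it to nothing.
sync_once() {
    ips=$(resolve_v4 "$TARGET_HOST" || true)
    if [ -z "$ips" ]; then
        echo "no IPv4 addresses for $TARGET_HOST; leaving the set unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # splitting the newline-separated list is intended
    render_batch $ips | nft -f -
}

case "${1:-}" in
    install) render_rules | nft -f - ;;
    sync)    sync_once ;;
esac
```

Run `install` once (as root) and `sync` on a schedule shorter than the DNS TTL of the name being tracked. Two caveats: the limit counter belongs to the rule, so 20/minute is the budget across every address in the set rather than per address; and the set only ever holds what this machine's resolver returned at sync time, so a client that resolved the name earlier, or to a different address, is not covered. Only the ip family is handled; an ip6 table with a set filled from `getent ahostsv6` would be needed as well.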
A better way to do what you are doing is to use a Squid proxy. Blocking based on IP is not reliable.
Last edited by amish (2022-08-13 08:34:44)
I’ll look into that.