Rudi Ahlers
2011-Aug-17 19:50 UTC
[CentOS] which firewall to automatically block bandwidth abusers?
Hi,

I'm looking for a firewall (preferably on Linux / UNIX) that could automatically block bandwidth abusers as soon as a connection goes over a certain speed, or limit - i.e. either more than say 3Mb/s or 10GB in a given period (like weekly / monthly).

But, I need it to block the IP too, or where the traffic comes from, or goes to. i.e. a user logs into a web server and uploads a LOT of data, then the firewall should block him, but not other people.

Or, someone uploads a small bit of data but downloads a lot of data and then gets blocked.
But I need to set thresholds
And I should be able to exclude certain IPs / domains from the limits.

Does this make sense?

Can this be done with iptables? If so, how?

If not, what else could I use for this?

A normal DDOS prevention firewall doesn't really work since it only blocks traffic coming in. But I need to limit traffic going out as well.

The servers behind the firewall will serve mail, http, ftp, sql and SSH

--
Kind Regards
Rudi Ahlers
SoftDux
Website: http://www.SoftDux.com
Technical Blog: http://Blog.SoftDux.com
Office: 087 805 9573
Cell: 082 554 7532
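As an added illustration of the iptables approach asked about above (not code from the thread or from any of the posters): target-less rules in a counting chain tally bytes to and from each client, a periodic check sums them against a per-period quota, skips an exclusion list, and inserts a DROP rule for offenders. The chain name ACCT, the quota, the whitelist addresses and the counter listing in sample_counters are assumed or constructed values.

```shell
ACCT_CHAIN=ACCT                              # assumed chain name
QUOTA_BYTES=$((10 * 1024 * 1024 * 1024))     # 10 GiB per accounting period
WHITELIST="192.0.2.10 192.0.2.11"            # constructed: never blocked
# One-time setup (root): a chain whose rules have no target, so they only count.
acct_setup() {
    iptables -N "$ACCT_CHAIN" 2>/dev/null || return 0   # already exists
    iptables -I INPUT  -j "$ACCT_CHAIN"
    iptables -I OUTPUT -j "$ACCT_CHAIN"
}
# Two counting rules per client: bytes from it (-s) and bytes to it (-d).
acct_add_ip() {
    iptables -A "$ACCT_CHAIN" -s "$1"
    iptables -A "$ACCT_CHAIN" -d "$1"
}
# Constructed `iptables -nvx -L ACCT` listing used for the offline demo.
sample_counters() {
    cat <<'EOF'
Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   10000 12000000000            all  --  *      *       203.0.113.5          0.0.0.0/0
     500     400000            all  --  *      *       0.0.0.0/0            203.0.113.5
    2000    5000000            all  --  *      *       192.0.2.10           0.0.0.0/0
    9000 11000000000            all  --  *      *       0.0.0.0/0            192.0.2.10
      10       1000            all  --  *      *       198.51.100.7         0.0.0.0/0
      10       1000            all  --  *      *       0.0.0.0/0            198.51.100.7
EOF
}

# Read a counter listing on stdin; print "ip bytes" for every client whose
# in+out total exceeds $1, skipping addresses listed in $2 (space separated).
over_quota() {
    awk -v limit="$1" -v wl=" $2 " '
        NR <= 2 || NF < 8 { next }             # banner, column header, blanks
        { src = $(NF-1); dst = $NF
          ip = (src != "0.0.0.0/0") ? src : dst
          total[ip] += $2 }
        END { for (ip in total)
                if (total[ip] > limit && index(wl, " " ip " ") == 0)
                    printf "%s %.0f\n", ip, total[ip] }' | sort
}

# Periodic enforcement (cron): DROP offenders once (-C needs iptables >= 1.4.11) and log it; zero counters per period with `iptables -Z ACCT`.
enforce() {
    iptables -nvx -L "$ACCT_CHAIN" | over_quota "$QUOTA_BYTES" "$WHITELIST" |
    while read -r ip bytes; do
        iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
            iptables -I INPUT -s "$ip" -j DROP
        logger -t quota "blocked $ip after $bytes bytes"
    done
}
```

Running `sample_counters | over_quota "$QUOTA_BYTES" "$WHITELIST"` offline reports only 203.0.113.5, since 192.0.2.10 is over quota but excluded; a throttle via tc could replace the DROP in enforce if degrading rather than cutting off is preferred.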
Craig White
2011-Aug-18 02:13 UTC
[CentOS] which firewall to automatically block bandwidth abusers?
On Wed, 2011-08-17 at 21:50 +0200, Rudi Ahlers wrote:
> Hi,
>
> I'm looking for a firewall (preferably on Linux / UNIX) that could
> automatically block bandwidth abusers as soon as a connection goes
> over a certain speed, or limit - i.e. either more than say 3Mb/s or
> 10GB in a given period (like weekly / monthly).
>
> But, I need it to block the IP too, or where the traffic comes from, or
> goes to. i.e. a user logs into a web server and uploads a LOT of data,
> then the firewall should block him, but not other people.
>
> Or, someone uploads a small bit of data but downloads a lot of data
> and then gets blocked.
> But I need to set thresholds
> And I should be able to exclude certain IPs / domains from the limits.
>
> Does this make sense?
>
> Can this be done with iptables? If so, how?
>
> If not, what else could I use for this?
>
>
> A normal DDOS prevention firewall doesn't really work since it only
> blocks traffic coming in. But I need to limit traffic going out as
> well.
>
> The servers behind the firewall will serve mail, http, ftp, sql and SSH
----
http://tinyurl.com/3n5yn8u

Craig
Ross Walker
2011-Aug-18 23:31 UTC
[CentOS] which firewall to automatically block bandwidth abusers?
On Aug 17, 2011, at 3:50 PM, Rudi Ahlers <Rudi at SoftDux.com> wrote:
> Hi,
>
> I'm looking for a firewall (preferably on Linux / UNIX) that could
> automatically block bandwidth abusers as soon as a connection goes
> over a certain speed, or limit - i.e. either more than say 3Mb/s or
> 10GB in a given period (like weekly / monthly).
>
> But, I need it to block the IP too, or where the traffic comes from, or
> goes to. i.e. a user logs into a web server and uploads a LOT of data,
> then the firewall should block him, but not other people.
>
> Or, someone uploads a small bit of data but downloads a lot of data
> and then gets blocked.
> But I need to set thresholds
> And I should be able to exclude certain IPs / domains from the limits.
>
> Does this make sense?
>
> Can this be done with iptables? If so, how?
>
> If not, what else could I use for this?
>
>
> A normal DDOS prevention firewall doesn't really work since it only
> blocks traffic coming in. But I need to limit traffic going out as
> well.
>
> The servers behind the firewall will serve mail, http, ftp, sql and SSH

Best approach: throttle. You can cause the throttle to increase as the overage increases until it reaches dial-up speed. With some cleverness you can back the throttle out after a period of idleness.

-Ross
John R Pierce
2011-Aug-18 23:49 UTC
[CentOS] which firewall to automatically block bandwidth abusers?
On 08/17/11 12:50 PM, Rudi Ahlers wrote:
> A normal DDOS prevention firewall doesn't really work since it only
> blocks traffic coming in. But I need to limit traffic going out as
> well.
>
> The servers behind the firewall will serve mail, http, ftp, sql and SSH

Without requests coming in, no web etc. traffic can go out.

You want to block your own mail server from sending too much mail to a single host? And block an internet mail server from sending "too much" mail to you? That's not going to end well.

SQL? What are you doing letting a SQL server be publicly accessible? SQL servers should only be accessed by application servers over secure connections.

I think as it stands, this is a very poorly thought out idea with much room for gotchas and problems.

--
john r pierce                            N 37, W 122
santa cruz ca                             mid-left coast