BestHub
Sign in
Operations 6 min read

Enforcing Per‑IP Rate Limiting on a TCP Port with iptables

This guide explains how to protect a shared development TCP port—used as a sidecar proxy for a Unix Domain Socket—by applying per‑IP rate limiting with iptables' hashlimit module, including full command examples, parameter details, and practical calculations.

Liangxu Linux
Liangxu Linux
Liangxu Linux
Enforcing Per‑IP Rate Limiting on a TCP Port with iptables

In a multi‑tenant development environment a sidecar service communicates with the main application via a Unix Domain Socket (UDS). To simplify testing, developers map the UDS to a TCP port using socat, allowing everyone to connect without running a separate sidecar instance.

Because all developers share the same port, occasional stress testing can saturate the service and affect others. To prevent this, a per‑IP rate limit is applied directly on the TCP port using the Per‑IP rate limiting with iptables technique.

iptables is stateless, so a stateful rate‑limit rule requires the hashlimit module. (The original article also mentioned conntrack for limiting only new connections, but it is not needed for packet‑level limiting.)

Full iptables commands

$ iptables --new-chain SOCAT-RATE-LIMIT
$ iptables --append SOCAT-RATE-LIMIT \
    --match hashlimit \
    --hashlimit-mode srcip \
    --hashlimit-upto 50/sec \
    --hashlimit-burst 100 \
    --hashlimit-name conn_rate_limit \
    --jump ACCEPT
$ iptables --append SOCAT-RATE-LIMIT --jump DROP
$ iptables -I INPUT -p tcp --dport 1234 --jump SOCAT-RATE-LIMIT

The first line creates a new chain named SOCAT-RATE-LIMIT. The second line accepts packets that are within the defined limit; packets exceeding the limit fall through to the third line, which drops them. The final line inserts the chain into the INPUT chain for the specific port (e.g., 1234).

Two key parameters control the algorithm: --hashlimit-upto defines the maximum number of packets allowed per second per source IP (e.g., 50/sec means one packet every 20 ms). --hashlimit-burst provides an initial credit allowing a burst of packets (e.g., 20 packets) before the steady‑state rate applies.

Each IP starts with a credit equal to the burst value. Every accepted packet consumes one credit. Credits are replenished at the upto rate until the burst limit is reached again. If the credit pool is exhausted, further packets are dropped.

Example: with --hashlimit-upto 50/sec --hashlimit-burst 20, an IP sending one packet every millisecond will have the first 20 packets accepted (burst credit). After that, a new credit is added every 20 ms, so the IP can accept one packet per 20 ms, resulting in 70 accepted packets before the limit is reached.

The effect of the rate limit is clearly visible in the following screenshot:

Reference

Per‑IP rate limiting with iptables: https://making.pusher.com/per-ip-rate-limiting-with-iptables/index.html

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

network securityiptablessocat
Liangxu Linux
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment