Implementing Rate Limiting with iptables hashlimit Module

This article explains how to use the iptables hashlimit module to create a stateful rate-limiting chain, details the required commands, clarifies the meaning of the --hashlimit-upto and --hashlimit-burst parameters, and provides an example illustrating credit-based packet acceptance.

Laravel Tech Community

Ordinary iptables rules evaluate each packet independently and keep no memory of earlier packets, so a rate limit that tracks how much traffic each source has already sent requires the hashlimit match, which maintains a per-key credit table (keyed here by source IP).

The complete set of commands to create a rate‑limiting chain is:

iptables --new-chain SOCAT-RATE-LIMIT
iptables --append SOCAT-RATE-LIMIT \
    --match hashlimit \
    --hashlimit-mode srcip \
    --hashlimit-upto 50/sec \
    --hashlimit-burst 100 \
    --hashlimit-name conn_rate_limit \
    --jump ACCEPT
iptables --append SOCAT-RATE-LIMIT --jump DROP
iptables -I INPUT -p tcp --dport 1234 --jump SOCAT-RATE-LIMIT

The first line creates a new chain for rate limiting. The second line accepts packets that are within the defined limit; packets exceeding the limit are sent to the third line, which drops them. Finally, the new chain is inserted into the INPUT chain to protect the specified port.

The rate-limit algorithm is controlled by two parameters. --hashlimit-upto sets the sustained rate at which credits are replenished, i.e. the long-term maximum packet rate (50/sec means one credit, and therefore one packet, every 20 ms). --hashlimit-burst sets the initial credit balance, which lets a source send that many packets instantly before the sustained rate applies (e.g., with a burst of 20, 20 packets can be sent at once). Note that the chain above uses a burst of 100, while the worked example that follows uses a burst of 20.

Each source IP starts with a burst credit; each incoming packet consumes one credit. When the credit is exhausted, further packets are dropped until credits are replenished at the rate specified by --hashlimit-upto, up to the burst limit.

For example, with --hashlimit-upto 50/sec --hashlimit-burst 20, an IP sending packets at a steady 1 ms interval will have the first 20 packets accepted (burst credit). After the burst is used, one additional packet is accepted every 20 ms and everything in between is dropped, so over the first second a total of 70 packets (20 from the burst plus 50 replenished) are accepted and the remaining packets are dropped.
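The credit accounting described above, simulated as an added example (this is not the kernel's hashlimit code or anything from the original article): credits are tracked in microseconds, one packet costs 1e6/rate credits, each source starts with a full burst, and the flooding source and the well-behaved source are constructed inputs.

```python
from collections import defaultdict

# Credit-bucket model of one hashlimit table entry (added example, not kernel code).
class HashlimitBucket:
    def __init__(self, rate_per_sec, burst):
        self.cost = 1_000_000 // rate_per_sec   # credits per packet: 50/sec -> 20000 us = 20 ms
        self.capacity = burst * self.cost       # --hashlimit-burst expressed in credits
        self.credit = self.capacity             # a new source starts with a full burst
        self.last_us = 0                        # timestamp of the last packet seen

    def accept(self, now_us):
        # Replenish credits for the time elapsed since the last packet, capped at the burst.
        self.credit = min(self.capacity, self.credit + (now_us - self.last_us))
        self.last_us = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost            # one credit spent per accepted packet
            return True
        return False                            # no credit left: the DROP rule applies

def simulate(packets, rate_per_sec, burst):
    """packets: iterable of (timestamp_us, src_ip) in non-decreasing time order.
    Returns {src_ip: (accepted, dropped)}, one bucket per source like --hashlimit-mode srcip."""
    buckets = {}
    counts = defaultdict(lambda: [0, 0])
    for ts, src in packets:
        bucket = buckets.setdefault(src, HashlimitBucket(rate_per_sec, burst))
        counts[src][0 if bucket.accept(ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}

def page_example():
    # Constructed traffic: a flooding source sends one packet per millisecond from t=0 to
    # t=1 s inclusive (1001 packets); a well-behaved source sends ten packets 100 ms apart.
    flood = [(ms * 1000, "198.51.100.7") for ms in range(1001)]
    calm = [(n * 100_000, "203.0.113.9") for n in range(10)]
    return simulate(sorted(flood + calm), rate_per_sec=50, burst=20)
```

The flooding source ends up with 70 accepted and 931 dropped packets, while the well-behaved source is never throttled because its own bucket refills faster than it spends.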

The effect of the rate limit is clearly visible in the accompanying traffic graph.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, Linux, rate limiting, network security, iptables, hashlimit
Written by

Laravel Tech Community

Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
