0

I have 2 servers, called A and B. All (tcp/udp) traffic will be redirected (via SNAT) from A to B (except SSH).

The clients will be connected to A. However, the response will return from B. This is okay. It works thanks to SNAT.

However, I'd like to limit data usage per IP. Let's say the client can download a maximum of 10MB.

There is an iptables module called quota. The quota module works on the INPUT chain in iptables. However, SNAT works on the PREROUTING chain.

PREROUTING works before the INPUT chain. Therefore, I can't limit the data usage on the A server.

How can I limit data usage on the A server per IP?

  • You are probably using `DNAT` not `SNAT`: source NAT changes the source address, you change the destination. Did you try adding the rule to the `FORWARD` table? – Piotr P. Karwasz Dec 17 '19 at 00:18

1 Answer

0

Use the FORWARD chain and the filter table.

Stefano Martins
  • 3
    Answers should contain detail, and examples where possible. Please expand your answer with some instructions for exactly how to use the `FORWARD` chain. – fukawi2 Dec 18 '19 at 06:34
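
One way to apply the quota match in the `FORWARD` chain of the filter table, as an added sketch that is not part of the original answer. The chain name `QUOTA_FWD` and the client addresses are constructed placeholders, and 10MB is taken as 10 MiB.

```shell
#!/bin/sh
# Added example. Chain name and client addresses are constructed placeholders.
QUOTA_BYTES=$((10 * 1024 * 1024))  # the question's 10MB, taken here as 10 MiB

# Succeed only for a dotted-quad IPv4 address, so nothing else reaches a command line.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the iptables commands for a per-client download quota on forwarded traffic.
# usage: quota_rules CHAIN CLIENT_IP...
quota_rules() {
    chain=$1; shift
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    echo "iptables -t filter -N $chain"
    for ip in "$@"; do
        # -d matches traffic forwarded toward the client (its downloads). Assumes
        # conntrack has already restored the client address when FORWARD is reached.
        # The quota match keeps one byte counter per rule, hence one rule per IP.
        echo "iptables -t filter -A $chain -d $ip -m quota --quota $QUOTA_BYTES -j RETURN"
        # Quota used up: the rule above stops matching and the packet lands here.
        echo "iptables -t filter -A $chain -d $ip -j DROP"
    done
    # Hook the chain in last, once it is fully populated.
    echo "iptables -t filter -I FORWARD -j $chain"
}

# Review the output, then run it as root on server A.
quota_rules QUOTA_FWD 203.0.113.10 203.0.113.11
```

The byte counter lives in the rule itself, so deleting and re-adding a rule resets that client's quota.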