docs: explain how to do IP rate limiting using iptables
Is your feature request related to a problem? Please describe. Add documentation on how to set up IP rate limiting using iptables Ref: https://making.pusher.com/per-ip-rate-limiting-with-iptables/
Describe the solution you'd like A new markdown document that users can follow if they want to implement IP rate-limiting at the OS level.
Describe alternatives you've considered Nostream can rate-limit events, messages (and soon new connections) but the overhead of doing rate-limiting at the application level is too great since the overhead is high.
Additional context None
This is a little stream of consciousness, but rate limiting applies to two separate concerns:
- the rate of packets
- the throughput of data traversing the network (often incorrectly described as "bandwidth")
Another consideration is ingress vs egress traffic. I tend to care more about ingress regarding packets, and egress regarding throughput.
I'm currently limiting packet rates with nginx. The nice side effect is that I can just watch error.log to see if clients are getting limited. This policy rarely goes off, and when I've seen it triggered, the client was definitely misbehaving:
```nginx
# one 10 MB shared zone keyed by client address, steady rate 3 requests/second
limit_req_zone $binary_remote_addr zone=nostr:10m rate=3r/s;
server {
...
# allow a burst of 10 extra requests, reject (rather than queue) anything beyond it
limit_req zone=nostr burst=10 nodelay;
}
```
I dabbled with limiting throughput per client by IP address with nginx, but since clients make many connections rather than just one, it's basically useless. Using iptables to limit network throughput makes a lot more sense. I don't have that implemented on my relay yet, but I'm considering it. I dug up a rule I wrote for an old project. Here's what that might look like with nostr:
```text
# iptables-restore format
*filter
# create a chain for relay clients
:NOSTR ACCEPT [0:0]
# apply our limit to egress traffic
-A OUTPUT -m tcp -p tcp --sport 443 -j NOSTR
# create the policy
-A NOSTR -m hashlimit --hashlimit-above 1mb/s --hashlimit-burst 1mb --hashlimit-mode dstip --hashlimit-name nostream --hashlimit-htable-expire 3600000 -j DROP
COMMIT
```
I'm a little short on time but iirc it's basically:
- the expiration is in msec so that's one hour.
- I'd limit egress because limiting ingress traffic is kinda futile anyway
- I want to say that I wrote the policy so that it doesn't slow traffic down until it reaches a threshold but I don't recall so I'll have to look it up again later to verify
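An added example, not from the issue thread: a simplified token-bucket model of the hashlimit policy quoted above (1 MB/s, 1 MB burst, keyed by dstip) that shows what the burst actually does to a client pulling at 2 MB/s. The client addresses and traffic pattern are constructed for the illustration; this models the semantics, it is not the kernel's xt_hashlimit code.

```python
"""Simplified token-bucket model of iptables hashlimit in byte mode.

Constructed illustration, not the kernel's xt_hashlimit implementation:
one bucket per key (--hashlimit-mode dstip), capacity --hashlimit-burst,
refilled at the --hashlimit-above rate, entry reset after
--hashlimit-htable-expire ms of silence. Time is integer microseconds.
"""


class HashLimitAbove:
    def __init__(self, rate_bytes_per_s, burst_bytes, expire_ms):
        self.rate = rate_bytes_per_s
        self.burst = burst_bytes
        self.expire_us = expire_ms * 1000
        self.table = {}  # key -> [credit_bytes, last_seen_us]

    def matches(self, key, size, now_us):
        """True when this packet pushes `key` above the limit (rule would DROP)."""
        entry = self.table.get(key)
        if entry is None or now_us - entry[1] > self.expire_us:
            entry = [self.burst, now_us]  # new or expired entry starts with a full bucket
        refill = (now_us - entry[1]) * self.rate // 1_000_000
        credit = min(self.burst, entry[0] + refill)
        if credit >= size:
            self.table[key] = [credit - size, now_us]
            return False
        self.table[key] = [credit, now_us]  # dropped packet consumes nothing
        return True


def simulate(limiter, packets):
    """packets: list of (time_us, dst_ip, size_bytes); returns dropped indexes."""
    return [i for i, (t, ip, n) in enumerate(packets) if limiter.matches(ip, n, t)]


def egress_example():
    """Policy from the comment: 1 MB/s above-limit, 1 MB burst, 1 h expiry."""
    lim = HashLimitAbove(1_000_000, 1_000_000, 3_600_000)
    # constructed traffic: a greedy client at 2 MB/s for 2 s (1000 B every 500 us)
    # and a polite client at exactly 1 MB/s; keys are independent buckets
    greedy = [(i * 500, "192.0.2.10", 1000) for i in range(4000)]
    polite = [(i * 1000, "192.0.2.20", 1000) for i in range(2000)]
    dropped = simulate(lim, greedy)
    first_second = sum(1 for i in range(2000) if i not in set(dropped))
    return {
        "first_drop": dropped[0],               # burst absorbs ~1 MB before any drop
        "drops": len(dropped),                  # afterwards every other packet is dropped
        "passed_first_second": first_second,    # ~2 MB got through in second one
        "polite_drops": len(simulate(lim, polite)),
    }
```

Once the bucket is empty the greedy client is held to the steady 1 MB/s while the client at the limit is never touched, which is the "no slowdown until the threshold" behaviour the comment was unsure about.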