Limiting NTP traffic

If then this page might be for you. Here are the scripts I use to limit the bandwidth usage of my two NTP servers to < 4 TB (more specifically, my ISP's limit is 4000 MB, not 4096 MB). Adjust appropriately. No warranties. No support. These scripts are not particularly pretty or well-polished, but I'm publishing them in case they are useful for someone.
 
These scripts implement automatic throttling. If throttling is activated, the firewall will drop requests from the NTP Pool monitoring server's netblocks while still serving traffic from other clients. This will cause the server's score to drop below 10 and you will be kicked out of the pool. Once the estimate for the monthly traffic decreases below the throttle limit, the firewall is adjusted again so that probes from the monitoring will get through, and your server will get back in the pool in a few hours.
 
Some of these scripts are run as a normal user, and the script that adjusts the firewall is run as root. These scripts use vnstat for estimating the bandwidth usage. For CentOS users, vnstat is available from the EPEL repository. Other distro users will need to find it elsewhere. vnstat must be configured and started. Remember to set it to start at boot as well.
 
throttle-4tb.sh, run as normal user:
#!/bin/sh
# Estimated monthly tx from vnstat: the second "|"-separated column of the
# "estimated" line. Only a value in TiB can be near the limit; anything
# smaller is well below it, so fall back to 1 in that case.
TX1=$( vnstat -m | grep estimated | tail -1 | cut -d\| -f2 | grep TiB )
if [ -z "$TX1" ]
then
	TX1=1
fi
# Strip everything but digits: "3.85 TiB" becomes 385 (vnstat prints two decimals).
TX2=$( echo "$TX1" | sed 's/[^0-9]//g' )

if [ "$TX2" -ge 385 ] # 3.85 TiB or 3942 MB
then
	# Over the limit: log the change once and create the flag file that
	# throttle-ntpd.sh (run as root) looks for.
	if [ ! -r /tmp/throttle-ntpd.txt ]
	then
		echo -n "on  " >> /home/user/bin/throttle.txt
		date >> /home/user/bin/throttle.txt
		touch /tmp/throttle-ntpd.txt
	fi
else
	# Back under the limit: log the change once and remove the flag file.
	if [ -r /tmp/throttle-ntpd.txt ]
	then
		echo -n "off " >> /home/user/bin/throttle.txt
		date >> /home/user/bin/throttle.txt
		rm -f /tmp/throttle-ntpd.txt
	fi
fi
crontab entry (for user):
1,6,11,16,21,26,31,36,41,46,51,56 * * * * sh /home/user/bin/throttle-4tb.sh
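As an added example (not the author's script), here is a variant of the estimate check that converts whatever unit vnstat prints to whole GiB, refuses units it does not recognise, and adds a small hysteresis band so the firewall rules are not inserted and removed every five minutes while the estimate hovers around the limit. The embedded vnstat -m output is a constructed sample, and LIMIT_GIB and HYSTERESIS_GIB are assumed values.

```sh
#!/bin/sh
# Added example, not the page's own script: parse the "estimated" tx column of
# `vnstat -m` into whole GiB, whatever unit vnstat prints, and decide the
# throttle state with a hysteresis band so the firewall does not flap.

# Constructed sample of `vnstat -m` output (the real script pipes vnstat -m here).
sample_vnstat_m() {
cat <<'EOF'
       month        rx      |     tx      |    total    |   avg. rate
    ------------------------+-------------+-------------+---------------
      Mar '14    1.02 TiB  |   2.91 TiB  |   3.93 TiB  |   12.78 Mbit/s
      Apr '14  512.00 GiB  |   3.85 TiB  |   4.35 TiB  |   30.11 Mbit/s
    ------------------------+-------------+-------------+---------------
    estimated  544.00 GiB  |   4.10 TiB  |   4.63 TiB  |
EOF
}

# Read `vnstat -m` output on stdin, print the estimated monthly tx in whole GiB
# (0 if there is no estimate line; exit 2 on a unit we do not understand).
estimated_tx_gib() {
    awk -F'|' '
        $1 ~ /estimated/ {
            split($2, f, " ")                 # f[1] = value, f[2] = unit
            v = f[1] + 0; u = f[2]; found = 1
            if      (u == "TiB") v *= 1024
            else if (u == "MiB") v /= 1024
            else if (u == "KiB") v /= 1048576
            else if (u != "GiB") { bad = 1; exit 2 }   # refuse to guess
        }
        END {
            if (bad) { print "unknown unit: " u > "/dev/stderr"; exit 2 }
            printf "%d\n", (found ? v : 0)
        }'
}

# Next throttle state. Throttling starts at LIMIT_GIB (the page's 3.85 TiB) and is
# released only once the estimate falls below LIMIT_GIB - HYSTERESIS_GIB (assumed
# 50 GiB), so the rules are not toggled on every cron run near the limit.
LIMIT_GIB=3942
HYSTERESIS_GIB=50
next_state() {   # usage: next_state <current: on|off> <estimate_gib>
    if   [ "$2" -ge "$LIMIT_GIB" ];                    then echo on
    elif [ "$2" -lt $((LIMIT_GIB - HYSTERESIS_GIB)) ]; then echo off
    else echo "$1"
    fi
}

est=$(sample_vnstat_m | estimated_tx_gib)
echo "estimated monthly tx: ${est} GiB -> throttle $(next_state off "$est")"
```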
throttle-ntpd.sh, run as root:
#!/bin/sh
# The flag file is created and removed by throttle-4tb.sh. "grep -q throttle"
# matches the rule comment below, so the rules are only added or deleted once.
if [ -r /tmp/throttle-ntpd.txt ] && ! /sbin/iptables -L UDP_IN -n -v | grep -q throttle
then
	# Throttle on: drop NTP requests from the pool monitoring netblocks only.
	# note that there's no guarantee that these netblocks will not change
	/sbin/iptables -I UDP_IN -p udp --dport 123 -s 207.171.3.0/24 -j DROP -m comment --comment "pool monitoring throttled"
	/sbin/iptables -I UDP_IN -p udp --dport 123 -s 207.171.7.0/24 -j DROP -m comment --comment "pool monitoring throttled"
else
	if [ ! -r /tmp/throttle-ntpd.txt ] && /sbin/iptables -L UDP_IN -n -v | grep -q throttle
	then
		# Throttle off: delete the same rules so the monitoring probes get through again.
		# note that there's no guarantee that these netblocks will not change
		/sbin/iptables -D UDP_IN -p udp --dport 123 -s 207.171.3.0/24 -j DROP -m comment --comment "pool monitoring throttled"
		/sbin/iptables -D UDP_IN -p udp --dport 123 -s 207.171.7.0/24 -j DROP -m comment --comment "pool monitoring throttled"
	fi
fi
crontab entry (for root):
2,7,12,17,22,27,32,37,42,47,52,57 * * * * sh /root/bin/throttle-ntpd.sh
 
This setup also requires that you have a UDP_IN chain in your iptables config. It's up to you to arrange that, but generally it's a matter of creating the chain with iptables -N UDP_IN and sending all incoming UDP to it with iptables -A INPUT -p udp -g UDP_IN.
 
Hope this helps!