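#!/bin/sh
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to add further match conditions to the SYN rule
# (e.g. restricting it to a subnet).
#
# Must be run as root (every step needs CAP_NET_ADMIN); the
# script only configures the kernel and prints the result,
# it has no computable output.
#
# -x: trace each command (it used to sit on the shebang line,
#     where it is lost when the script is started as "sh <script>").
# -e: stop at the first failing step.  If the ipchains marking
#     rule or the ingress qdisc cannot be installed, the policing
#     filter below would match nothing and the interface would
#     be left unprotected without any visible error.
# -u: fail on a typo in one of the variable names below.
set -eux
#
#path to various utilities;
#change to reflect yours.
#
IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
TC="$IPROUTE/tc/tc"
IP="$IPROUTE/ip/ip"
# ipchains is the 2.2-kernel firewall tool; a newer kernel needs an
# equivalent MARK rule (iptables/nft) to set fwmark 1 - not shown here.
IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
# interface the SYNs arrive on
INDEV=eth2
#
# tag all incoming SYN packets through $INDEV as mark value 1
# (-y: TCP packets with only SYN set; -m 1: fwmark 1)
############################################################
"$IPCHAINS" -A input -i "$INDEV" -y -m 1
############################################################
#
# install the ingress qdisc on the ingress interface
# (fails if one is already present, e.g. on a second run;
#  remove it first with the command at the end of the file)
############################################################
"$TC" qdisc add dev "$INDEV" handle ffff: ingress
############################################################

#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
#serves to show the point - JHS
#
# "handle 1 fw" selects the packets carrying fwmark 1 (set by
# the ipchains rule above); "police ... drop" discards whatever
# exceeds the rate/burst instead of letting it through.
############################################################
"$TC" filter add dev "$INDEV" parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################


#
# show what was installed so the result can be verified
printf '%s\n' "---- qdisc parameters Ingress ----------"
"$TC" qdisc ls dev "$INDEV"
printf '%s\n' "---- Class parameters Ingress ----------"
"$TC" class ls dev "$INDEV"
printf '%s\n' "---- filter parameters Ingress ----------"
"$TC" filter ls dev "$INDEV" parent ffff:

#deleting the ingress qdisc (takes the policing filter with it;
#the ipchains marking rule stays and must be removed separately)
#"$TC" qdisc del dev "$INDEV" ingress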