home *** CD-ROM | disk | FTP | other *** search
- #! /bin/sh -x
- #
- # sample script on using the ingress capabilities
- # this script shows how one can rate limit incoming SYNs
- # Useful for TCP-SYN attack protection. You can use
- # IPchains to have more powerful additions to the SYN (eg
- # in addition the subnet)
- #
- #path to various utilities;
- #change to reflect yours.
- #
- IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
- TC=$IPROUTE/tc/tc
- IP=$IPROUTE/ip/ip
- IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
- INDEV=eth2
- #
- # tag all incoming SYN packets through $INDEV as mark value 1
- ############################################################
- $IPCHAINS -A input -i $INDEV -y -m 1
- ############################################################
- #
- # install the ingress qdisc on the ingress interface
- ############################################################
- $TC qdisc add dev $INDEV handle ffff: ingress
- ############################################################
-
- #
- #
- # SYN packets are 40 bytes (320 bits) so three SYNs equals
- # 960 bits (approximately 1kbit); so we rate limit below
- # the incoming SYNs to 3/sec (not very sueful really; but
- #serves to show the point - JHS
- ############################################################
- $TC filter add dev $INDEV parent ffff: protocol ip prio 50 handle 1 fw \
- police rate 1kbit burst 40 mtu 9k drop flowid :1
- ############################################################
-
-
- #
- echo "---- qdisc parameters Ingress ----------"
- $TC qdisc ls dev $INDEV
- echo "---- Class parameters Ingress ----------"
- $TC class ls dev $INDEV
- echo "---- filter parameters Ingress ----------"
- $TC filter ls dev $INDEV parent ffff:
-
- #deleting the ingress qdisc
- #$TC qdisc del $INDEV ingress
-
