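#!/bin/sh
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
# How it fits together:
#   1. ipchains tags every incoming TCP SYN on $INDEV with fwmark 1.
#   2. An ingress qdisc (handle ffff:) is attached to $INDEV.
#   3. A 'fw' filter matches fwmark 1 and polices it at 1kbit,
#      dropping whatever exceeds the rate.
#
# The policer is an aggregate limit, not a per-source one: during a
# flood it also drops legitimate SYNs once the rate is exceeded. The
# note above about adding the subnet on the ipchains side is where a
# per-network limit would be expressed.
#
# Must run as root (tc and ipchains change kernel state). ipchains is
# the 2.2-era packet filter; on current kernels the same fwmark is set
# with the iptables/nftables MARK target and the tc half is unchanged.
#
# Tracing (-x) is set here rather than on the shebang line so it still
# applies when the script is run as 'sh script.sh'. -e stops at the
# first failing tc/ipchains command (e.g. the ingress qdisc is already
# installed) instead of continuing with a half-applied configuration;
# -u turns a missing variable into an error rather than a malformed
# command line.
set -eux

#
# path to various utilities;
# change to reflect yours.
#
IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
TC=$IPROUTE/tc/tc
IP=$IPROUTE/ip/ip          # not used in this script; kept with the other paths
IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
INDEV=eth2

#
# tag all incoming SYN packets through $INDEV as mark value 1
# (-y selects TCP SYN packets, -m 1 sets the fwmark the tc filter keys on)
############################################################
"$IPCHAINS" -A input -i "$INDEV" -y -m 1
############################################################

#
# install the ingress qdisc on the ingress interface
############################################################
"$TC" qdisc add dev "$INDEV" handle ffff: ingress
############################################################

#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS
#
# 'handle 1 fw' matches the fwmark set by ipchains above; 'drop' is
# the policer's action for packets over the configured rate.
############################################################
"$TC" filter add dev "$INDEV" parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################

#
# show what was installed
echo "---- qdisc parameters Ingress ----------"
"$TC" qdisc ls dev "$INDEV"
echo "---- Class parameters Ingress ----------"
"$TC" class ls dev "$INDEV"
echo "---- filter parameters Ingress ----------"
"$TC" filter ls dev "$INDEV" parent ffff:

# deleting the ingress qdisc (removes the filter with it; the ipchains
# rule must be removed separately with 'ipchains -D input ...')
#"$TC" qdisc del dev "$INDEV" ingress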