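# Sample script for the ingress capabilities of tc.
# It shows how one can rate limit incoming SYNs, which is useful for
# TCP-SYN attack protection. ipchains can be used for more powerful
# additions to the SYN match (e.g. matching on the subnet as well).

# Paths to the various utilities; change them to reflect your system.
# These binaries are run with whatever privileges the script has, so point
# the paths at trusted locations that other users cannot write to.
#
# NOTE(review): $TC and $INDEV are used by the commands later in this
# script, but their assignments do not appear in this listing. Set both
# (the tc binary and the ingress interface name) before running.
IPROUTE='/root/DS-6-beta/iproute2-990530-dsing'
IPCHAINS='/root/DS-6-beta/ipchains-1.3.9/ipchains'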
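# Tag all incoming SYN packets that arrive through $INDEV with mark value 1.
# The fw filter installed on the ingress qdisc selects packets by this mark.
#
# Stop early when a required variable is empty: with an empty $INDEV the
# rule would no longer be restricted to the intended interface.
############################################################
: "${IPCHAINS:?IPCHAINS must be set to the ipchains binary}"
: "${INDEV:?INDEV must be set to the ingress interface}"
"$IPCHAINS" -A input -i "$INDEV" -y -m 1
############################################################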
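# Install the ingress qdisc (handle ffff:) on the ingress interface.
# Filters that police incoming traffic are attached to this handle.
############################################################
: "${TC:?TC must be set to the tc binary}"
: "${INDEV:?INDEV must be set to the ingress interface}"
"$TC" qdisc add dev "$INDEV" handle ffff: ingress
############################################################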
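# SYN packets are 40 bytes (320 bits), so three SYNs equal 960 bits
# (approximately 1kbit); the policer below therefore limits incoming
# SYNs to about 3/sec (not very useful really, but it serves to show
# the point - JHS).
#
# The filter matches packets carrying firewall mark 1 (handle 1 fw) and
# drops whatever exceeds the policed rate.
#
# NOTE(review): the 40-byte figure assumes a SYN without TCP options. SYNs
# that carry options are larger, and presumably a packet bigger than the
# 40-byte burst can never conform and is always dropped - verify with the
# counters from `tc -s filter ls` before relying on these numbers.
# NOTE(review): the policer cannot tell legitimate SYNs from attack SYNs,
# so during a flood real clients are dropped too. It caps the load on the
# host; SYN cookies (net.ipv4.tcp_syncookies) are the complementary
# mitigation for keeping the service reachable.
############################################################
: "${TC:?TC must be set to the tc binary}"
: "${INDEV:?INDEV must be set to the ingress interface}"
"$TC" filter add dev "$INDEV" parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################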
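# Show what was installed on the ingress side so the setup can be checked:
# the qdisc, its classes, and the filters attached to handle ffff:.
: "${TC:?TC must be set to the tc binary}"
: "${INDEV:?INDEV must be set to the ingress interface}"
printf '%s\n' "---- qdisc parameters Ingress ----------"
"$TC" qdisc ls dev "$INDEV"
printf '%s\n' "---- Class parameters Ingress ----------"
"$TC" class ls dev "$INDEV"
printf '%s\n' "---- filter parameters Ingress ----------"
"$TC" filter ls dev "$INDEV" parent ffff:

# Deleting the ingress qdisc (this also removes the filters attached to it).
# The original comment omitted the `dev` keyword that tc expects before the
# interface name.
#"$TC" qdisc del dev "$INDEV" ingress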