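#!/bin/sh
#
# sample script on using the ingress capabilities
# this script shows how one can rate limit incoming SYNs
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN (eg
# in addition the subnet)
#
# Needs root: ipchains and tc both modify kernel state, and the
# kernel must provide the ingress qdisc and the policer.
#
# Trace every command. Kept in 'set' rather than the shebang so the
# trace survives being invoked as 'sh script'.
set -x
#
# path to various utilities;
# change to reflect yours.
#
IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
TC="$IPROUTE/tc/tc"
IP="$IPROUTE/ip/ip"
IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
INDEV=eth2
#
# tag all incoming SYN packets through $INDEV as mark value 1
# (-y selects TCP packets with SYN set and ACK/FIN clear).
# NOTE(review): some ipchains versions insist on an explicit
# '-p tcp' alongside -y — confirm against your build.
# If this rule is not installed, the fw filter below matches nothing
# and no rate limit is applied, so abort instead of continuing with
# a silently ineffective setup.
############################################################
"$IPCHAINS" -A input -i "$INDEV" -y -m 1 || exit 1
############################################################
#
# install the ingress qdisc on the ingress interface
############################################################
"$TC" qdisc add dev "$INDEV" handle ffff: ingress || exit 1
############################################################

#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS
#
# 'handle 1 fw' matches on the firewall mark, so any other rule that
# marks packets with 1 on this interface is policed by this too.
############################################################
"$TC" filter add dev "$INDEV" parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1 || exit 1
############################################################


#
echo "---- qdisc parameters Ingress ----------"
"$TC" qdisc ls dev "$INDEV"
echo "---- Class parameters Ingress ----------"
"$TC" class ls dev "$INDEV"
echo "---- filter parameters Ingress ----------"
"$TC" filter ls dev "$INDEV" parent ffff:

# deleting the ingress qdisc (this also drops the filter attached to
# it; the ipchains mark rule has to be removed separately)
#"$TC" qdisc del dev "$INDEV" ingress
#"$IPCHAINS" -D input -i "$INDEV" -y -m 1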