2007-03-27 10:36:20
We can limit VE outgoing bandwidth by setting the tc filter on eth0.
DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
X.X.X.X is an IP address of VE.
VE incoming bandwidth can be limited by setting the tc filter on venet0:
DEV=venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
Note that X.X.X.X is an IP address of VE.
As you can see, the two filters above don't limit traffic from the VE to the host system; a VE can emit as much traffic as it wishes. To impose such a limit from the host, it is necessary to use tc police on venet0:
DEV=venet0
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1
To prevent DoS attacks from the VE, you can limit its packets-per-second rate using iptables.
DEV=eth0
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP
Here X.X.X.X is an IP address of VE.
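The eth0 shaping and iptables rate-limit commands above handle a single VE with class 1:1. The following added example (not part of the original post) generalizes them to several VEs, giving each its own class, and validates every address and rate before anything is printed, since the output is meant to be run as root. The function names and the 192.0.2.x addresses are constructed for illustration.

```shell
# Print (do not run) the page's tc/iptables commands for several VEs.
# Review the output, then pipe it to "sh" as root to apply it.

# valid_ip4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ip4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_rate RATE: succeed only for <positive integer>kbit or ...mbit.
valid_rate() {
    case "$1" in *kbit|*mbit) ;; *) return 1 ;; esac
    num=${1%?bit}
    case "$num" in ''|0*|*[!0-9]*) return 1 ;; esac
}

# gen_shaping DEV IP=RATE...: root CBQ qdisc once, then per VE one bounded
# class, one source filter, one SFQ leaf and the packet-rate rule pair.
gen_shaping() {
    dev=$1; shift
    for spec in "$@"; do    # validate everything before printing anything
        if ! valid_ip4 "${spec%%=*}" || ! valid_rate "${spec#*=}"; then
            echo "rejected VE spec: $spec" >&2; return 1
        fi
    done
    echo "tc qdisc del dev $dev root"
    echo "tc qdisc add dev $dev root handle 1: cbq avpkt 1000 bandwidth 100mbit"
    id=0
    for spec in "$@"; do
        ip=${spec%%=*}; rate=${spec#*=}; id=$((id + 1))
        echo "tc class add dev $dev parent 1: classid 1:$id cbq rate $rate allot 1500 prio 5 bounded isolated"
        echo "tc filter add dev $dev parent 1: protocol ip prio 16 u32 match ip src $ip flowid 1:$id"
        echo "tc qdisc add dev $dev parent 1:$id sfq perturb 10"
        echo "iptables -I FORWARD 1 -o $dev -s $ip -m limit --limit 200/sec -j ACCEPT"
        echo "iptables -I FORWARD 2 -o $dev -s $ip -j DROP"
    done
}

# Constructed sample (documentation addresses); prints the commands only.
gen_shaping eth0 192.0.2.10=256kbit 192.0.2.11=512kbit
```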