2007-03-27 10:36:20

Traffic bandwidth limiting method:
Update the iproute package on CentOS 4.4:
yum install iproute
Load sch_cbq manually:
modprobe sch_cbq
Add it to the configuration file so that it is loaded automatically when the server starts:
/sbin/modprobe sch_cbq
Run the following commands as root:
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 100Mbit
tc class add dev eth0 parent 1: classid 1:1 cbq rate 32kbit allot 1500 prio 5 bounded
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 10.15.3.129/32 flowid 1:1
tc qdisc add dev eth0 parent 1:1 sfq perturb 10

Related material:

Limiting outgoing bandwidth

We can limit VE outgoing bandwidth by setting the tc filter on eth0.

DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

X.X.X.X is an IP address of the VE.

Limiting incoming bandwidth

This can be done by setting the tc filter on venet0:

DEV=venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10

Note that X.X.X.X is an IP address of the VE.
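
The two recipes above limit a single VE through class 1:1. The following added example (not part of the original page) generalizes them to several VEs, giving each its own class, and only prints the tc commands; the function names and the sample addresses and rates are constructed for illustration.

```shell
# Dry-run generator for per-VE CBQ limits: prints tc commands, executes none.
# Entries are validated because the output is meant to be reviewed and piped to sh.
valid_ip() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only rates written as digits followed by kbit or mbit (e.g. 256kbit).
valid_rate() {
    num=${1%[km]bit}
    [ "$num" != "$1" ] || return 1
    case "$num" in ""|*[!0-9]*) return 1 ;; esac
}

# emit_limits DEV DIRECTION, reading "IP RATE" lines on stdin.
# DIRECTION is src (outgoing, on eth0) or dst (incoming, on venet0), as on this page.
emit_limits() {
    dev=$1 dir=$2 id=0
    case "$dir" in src|dst) ;; *) echo "direction must be src or dst" >&2; return 1 ;; esac
    echo "tc qdisc del dev $dev root"
    echo "tc qdisc add dev $dev root handle 1: cbq avpkt 1000 bandwidth 100mbit"
    while read -r ip rate; do
        [ -n "$ip" ] || continue
        if ! valid_ip "$ip" || ! valid_rate "$rate"; then
            echo "skipping invalid entry: $ip $rate" >&2
            continue
        fi
        id=$((id + 1))   # one class per VE: 1:1, 1:2, ...
        echo "tc class add dev $dev parent 1: classid 1:$id cbq rate $rate allot 1500 prio 5 bounded isolated"
        echo "tc filter add dev $dev parent 1: protocol ip prio 16 u32 match ip $dir $ip flowid 1:$id"
        echo "tc qdisc add dev $dev parent 1:$id sfq perturb 10"
    done
}

# Constructed sample input (documentation-range addresses); the third entry is rejected.
sample_ves() {
    printf '%s\n' "192.0.2.10 256kbit" "192.0.2.11 1mbit" "192.0.2.300 256kbit; reboot"
}

sample_ves | emit_limits eth0 src
```

After applying the printed commands as root, `tc -s class show dev eth0` shows the per-class counters, which confirms that each VE's traffic is landing in its own class.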

Limiting VE to HN talks

As you can see, the two filters above don't limit VE to HN talks. I mean a VE can emit as much traffic as it wishes. To make such a limitation from the HN, it is necessary to use tc police on venet0:

DEV=venet0
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1

Limiting packets per second rate from VE

To prevent DoS attacks from the VE, you can limit the packets-per-second rate using iptables.

DEV=eth0
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP

Here X.X.X.X is an IP address of the VE.
