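#! /bin/sh -x
#
# Sample script on using the ingress capabilities.
# This script shows how one can rate limit incoming SYNs.
# Useful for TCP-SYN attack protection. You can use
# IPchains to have more powerful additions to the SYN match
# (eg in addition the subnet).
#
# NOTE(review): the policer below is applied to every SYN arriving on
# $INDEV, whatever its source. While a flood is in progress, legitimate
# connection attempts are dropped together with the flood traffic, so
# this bounds the SYN load reaching the TCP stack but does not by itself
# keep the service reachable. SYN cookies (net.ipv4.tcp_syncookies) are
# the usual complementary control.
#
# NOTE(review): the script is not idempotent. A second run appends a
# second ipchains rule, and the "qdisc add" fails because the ingress
# qdisc already exists. Exit statuses are not checked.
#
# Path to various utilities;
# change to reflect yours.
#
IPROUTE=/root/DS-6-beta/iproute2-990530-dsing
TC="$IPROUTE/tc/tc"
# IP is defined for convenience; nothing below uses it.
IP="$IPROUTE/ip/ip"
IPCHAINS=/root/DS-6-beta/ipchains-1.3.9/ipchains
INDEV=eth2
#
# Tag all incoming SYN packets through $INDEV as mark value 1
# (-y matches SYNs, -m sets the mark the fw filter keys on below).
############################################################
"$IPCHAINS" -A input -i "$INDEV" -y -m 1
############################################################
#
# Install the ingress qdisc on the ingress interface.
############################################################
"$TC" qdisc add dev "$INDEV" handle ffff: ingress
############################################################

#
#
# SYN packets are 40 bytes (320 bits) so three SYNs equals
# 960 bits (approximately 1kbit); so we rate limit below
# the incoming SYNs to 3/sec (not very useful really; but
# serves to show the point - JHS
#
# NOTE(review): 40 bytes is a SYN without TCP options. SYNs that carry
# options are larger, and a packet bigger than the burst size may never
# conform to the policer, so it would be dropped whatever the rate.
# Confirm against the policer counters ("tc -s filter ls") before
# relying on these numbers.
############################################################
"$TC" filter add dev "$INDEV" parent ffff: protocol ip prio 50 handle 1 fw \
  police rate 1kbit burst 40 mtu 9k drop flowid :1
############################################################


#
echo "---- qdisc parameters Ingress  ----------"
"$TC" qdisc ls dev "$INDEV"
echo "---- Class parameters Ingress  ----------"
"$TC" class ls dev "$INDEV"
echo "---- filter parameters Ingress ----------"
"$TC" filter ls dev "$INDEV" parent ffff:

# Deleting the ingress qdisc (tc needs the "dev" keyword before the
# interface name). The ipchains marking rule added above is separate
# and has to be removed with a matching "-D input ..." call.
#"$TC" qdisc del dev "$INDEV" ingress
#"$IPCHAINS" -D input -i "$INDEV" -y -m 1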