CentOS tc bandwidth limiting
Time: 2014-07-10 22:48 Source: linux.it.net.cn Author: IT网
Traffic bandwidth limiting method:
Update the iproute package on CentOS 4.4
yum install iproute
Load the sch_cbq module manually (module names are case-sensitive)
modprobe sch_cbq
Add the following to a startup configuration file so the module is loaded automatically when the server boots
/sbin/modprobe sch_cbq
Run the following commands as root
tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 100Mbit
tc class add dev eth0 parent 1: classid 1:1 cbq rate 32kbit allot 1500 prio 5 bounded
tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 10.15.3.129/32 flowid 1:1
tc qdisc add dev eth0 parent 1:1 sfq perturb 10
Related material:
Limiting outgoing bandwidth
We can limit VE outgoing bandwidth by setting the tc filter on eth0.
DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
X.X.X.X is an IP address of VE.
Limiting incoming bandwidth
This can be done by setting the tc filter on venet0:
DEV=venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
Note that X.X.X.X is an IP address of VE.
Limiting VE to HN talks
As you can see, the two filters above do not limit traffic between the VE and the HN: the VE can still send as much traffic to the HN as it wishes. To enforce such a limit from the HN, use tc police on venet0:
DEV=venet0
tc filter add dev $DEV parent 1: protocol ip prio 20 u32 match u32 1 0x0000 police rate 2kbit buffer 10k drop flowid :1
Limiting packets per second rate from VE
To prevent DoS attacks from the VE you can limit the packets-per-second rate using iptables.
DEV=eth0
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP
Here X.X.X.X is an IP address of VE.
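The per-VE shaping recipes above (cbq root qdisc, bounded class, u32 filter on src or dst, sfq leaf) and the iptables packets-per-second pair all repeat the same pattern with different interfaces, addresses and directions. The script below is an added example, not code from the original page or from OpenVZ: it generates those command sequences from parameters, validates the rate and direction before anything runs, and supports a dry run so the commands can be reviewed before being applied as root. The 100mbit root bandwidth and the interface, IP and rate arguments are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example, not code from the original page: generates the tc/iptables
# command sequences the page describes for one VE address and direction.
# Assumptions: the 100mbit root bandwidth and the interface, IP and rate
# arguments are caller-chosen placeholders; DRY_RUN=1 prints instead of runs.
# Accept a tc rate such as 32kbit, 256kbit or 2mbit; reject anything else.
valid_rate() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[kmg]?bit$'
}

# $1 = interface, $2 = VE IP, $3 = rate, $4 = out (match src on eth0)
# or in (match dst on venet0). Prints the five tc lines; nothing is run.
shape_cmds() {
    dev=$1; ip=$2; rate=$3
    valid_rate "$rate" || { echo "bad rate: $rate" >&2; return 1; }
    case "$4" in
        out) key=src ;;
        in)  key=dst ;;
        *)   echo "direction must be in or out" >&2; return 1 ;;
    esac
    cat <<EOF
tc qdisc del dev $dev root
tc qdisc add dev $dev root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $dev parent 1: classid 1:1 cbq rate $rate allot 1500 prio 5 bounded isolated
tc filter add dev $dev parent 1: protocol ip prio 16 u32 match ip $key $ip/32 flowid 1:1
tc qdisc add dev $dev parent 1:1 sfq perturb 10
EOF
}

# Per-VE packets-per-second cap on forwarded traffic: accept up to $3/sec,
# drop the rest (the page's iptables pair, parameterised).
pps_cmds() {
    cat <<EOF
iptables -I FORWARD 1 -o $1 -s $2 -m limit --limit $3/sec -j ACCEPT
iptables -I FORWARD 2 -o $1 -s $2 -j DROP
EOF
}

# Execute each generated line as root, or just show it when DRY_RUN=1.
apply_cmds() {
    if [ "${DRY_RUN:-0}" = 1 ]; then cat; return; fi
    while IFS= read -r line; do
        sh -c "$line" </dev/null || echo "failed: $line" >&2
    done
}

# Example usage (uncomment): DRY_RUN=1 sh shape.sh
# shape_cmds eth0 10.15.3.129 32kbit out | apply_cmds
# pps_cmds eth0 10.15.3.129 200 | apply_cmds
```

The first `tc qdisc del` line fails harmlessly when no root qdisc exists yet; `apply_cmds` reports it and carries on with the remaining lines.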
(Editor: IT)