From: xchaos Date: Mon, 18 Nov 2013 01:08:54 +0000 (+0000) Subject: simple iptables based packet limiter to deflect DoS attacks on our clients X-Git-Url: http://git.harvie.cz/?p=svn%2FPrometheus-QoS%2F.git;a=commitdiff_plain;h=c38473c17cd984140f177ccb2000089e10444299 simple iptables based packet limiter to deflect DoS attacks on our clients git-svn-id: https://dev.arachne.cz/repos/prometheus/trunk@232 251d49ef-1d17-4917-a970-b30cf55b089b --- diff --git a/ipstruct.h b/ipstruct.h index 4f1d9aa..72bf976 100644 --- a/ipstruct.h +++ b/ipstruct.h @@ -13,6 +13,7 @@ struct IP int fixedprio; int group; int lmsid; + int pps_limit; unsigned long long direct; unsigned long long proxy; unsigned long long upload; diff --git a/parsehosts.c b/parsehosts.c index ac9b39f..5014ffb 100644 --- a/parsehosts.c +++ b/parsehosts.c @@ -40,6 +40,7 @@ void TheIP(char *ipaddr, int is_network) ip->direct = \ ip->traffic = \ ip->pktsup = \ + ip->pps_limit = \ ip->pktsdown = 0; ip->keyword = keywords; ip->v6 = (strchr(ip->addr,':')!=NULL); @@ -252,12 +253,14 @@ void parse_hosts(char *hosts) else { ip->max -= ip->keyword->reserve_max; - if(ip->maxmin) + if(ip->max < ip->min) { - ip->max=ip->min; + ip->max = ip->min; } } - + + /* MTU is 1450 bytes = 11600 bits ~= 12 kbit, max is in kb/s */ + ip->pps_limit = ip->max/12; ip->mark = FIRSTIPCLASS+1+class_count++; update_network(ip->addr, ip); diff --git a/prometheus.c b/prometheus.c index 3dfcc1a..c88857b 100644 --- a/prometheus.c +++ b/prometheus.c @@ -7,7 +7,7 @@ /* Credit: CZFree.Net,Martin Devera,Netdave,Aquarius,Gandalf */ /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */ -/* Modified by: xChaos, 20131029 +/* Modified by: xChaos, 20131118 ludva, 20080415 Prometheus QoS is free software; you can redistribute it and/or 
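Review bot: `ip->pps_limit = ip->max/12;` in the parse_hosts() hunk truncates toward zero, so any class whose max (after the reserve_max deduction) is below 12 kbit/s gets pps_limit 0 — the same value TheIP() initialises it to in the first parsehosts.c hunk — and a 0 later becomes `--limit 0/s`, which iptables `-m limit` does not accept, so one such host can make the generated rule set fail to load. Consider rounding up, `ip->pps_limit = (ip->max + 11) / 12;`, and have the rule emitter treat 0 as "no limit". The comment should also state what the divisor assumes: `/* pps budget assumes full-MTU (1450 B ~ 12 kbit) packets; flows of small packets (ACKs, DNS, VoIP) reach this packet rate far below their byte rate */`, because that is precisely the case where the limiter throttles legitimate traffic rather than a flood. parse_hosts() begins and ends outside the hunk.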
@@ -29,7 +29,7 @@ #include "cll1-0.6.2.h" #include "ipstruct.h" -const char *version = "0.8.3-i"; +const char *version = "0.8.3-j"; /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */ /* Versions: 0.8.3 is development release, 0.8.4 will be "stable" */ @@ -118,10 +118,6 @@ int magic_treshold = 8; /* reduce ceil by X*magic_treshhold kbps (hard shapi int keywordcount = 0; int class_count = 0; int ip_count = 0; -/* not yet implemented: -int fixed_packets = 0; maximum number of pps per IP address (not class!) -int packet_limit = 5; maximum number of pps to htn CEIL, not rate !!! -*/ FILE *log_file = NULL; char *kwd = "via-prometheus"; /* /etc/hosts comment, eg. #qos-64-128 */ @@ -469,7 +465,7 @@ program int i=0; /* just plain old Fortran style integer :-) */ FILE *f=NULL; /* everything is just stream of bytes... */ char *str, *ptr, *d; /* LET A$=B$ :-) */ - char *substring; + char *substring, *limit_pkts; int parent = 1; int just_networks = FALSE; @@ -563,7 +559,8 @@ Credit: CZFree.Net, Martin Devera, Netdave, Aquarius, Gandalf\n\n",version); /*-----------------------------------------------------------------*/ /* cll1.h - let's allocate brand new character buffer... */ /*-----------------------------------------------------------------*/ - string(str,STRLEN); + string(str, STRLEN); + string(limit_pkts, STRLEN); /*-----------------------------------------------------------------*/ printf("Parsing class defintion file %s ...\n", hosts); @@ -586,6 +583,7 @@ Credit: CZFree.Net, Martin Devera, Netdave, Aquarius, Gandalf\n\n",version); ip->traffic = 0; ip->mark = sharedip->mark; ip->lmsid = sharedip->lmsid; + ip->pps_limit = sharedip->pps_limit; /* no other way to do this */ break; } if(not sharedip) 
@@ -1136,19 +1134,24 @@ Credit: CZFree.Net, Martin Devera, Netdave, Aquarius, Gandalf\n\n",version); /* -------------------------------------------------------- mark download */ sprintf(str, "-A %s -d %s/%d -o %s -j %s%d", - chain_postrouting, ip->addr, 32*(1+ip->v6), lan, mark_iptables, ip->mark); + chain_postrouting, ip->addr, 32*(1+ip->v6), + lan, mark_iptables, ip->mark); /* -m limit --limit 1/s */ iptables_save_line(str, ip->v6); if(qos_proxy) { sprintf(str, "-A %s -s %s -p tcp --sport %d -d %s/%d -o %s -j %s%d", - chain_postrouting, proxy_ip, proxy_port, ip->addr, 32*(1+ip->v6), lan, mark_iptables, ip->mark); + chain_postrouting, proxy_ip, proxy_port, ip->addr, + 32*(1+ip->v6), lan, mark_iptables, ip->mark); iptables_save_line(str, ip->v6); } - sprintf(str, "-A %s -d %s/%d -o %s -j ACCEPT", - chain_postrouting, ip->addr, 32*(1+ip->v6), lan); + /* this will be optional in future - hardcoded for now*/ + sprintf(limit_pkts,"-m limit --limit %d/s ", ip->pps_limit); + + sprintf(str, "-A %s -d %s/%d -o %s %s-j ACCEPT", + chain_postrouting, ip->addr, 32*(1+ip->v6), lan, limit_pkts); iptables_save_line(str, ip->v6); /* -------------------------------------------------------- mark upload */ @@ -1156,8 +1159,8 @@ Credit: CZFree.Net, Martin Devera, Netdave, Aquarius, Gandalf\n\n",version); chain_forward, ip->addr, 32*(1+ip->v6), wan, mark_iptables, ip->mark); iptables_save_line(str, ip->v6); - sprintf(str, "-A %s -s %s/%d -o %s -j ACCEPT", - chain_forward, ip->addr, 32*(1+ip->v6), wan); + sprintf(str, "-A %s -s %s/%d -o %s %s-j ACCEPT", + chain_forward, ip->addr, 32*(1+ip->v6), wan, limit_pkts); iptables_save_line(str, ip->v6); if(ip->min) 
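Review bot: `sprintf(limit_pkts,"-m limit --limit %d/s ", ip->pps_limit);` emits the match unconditionally, so a pps_limit of 0 (what TheIP() initialises and what ip->max/12 yields for classes under 12 kbit/s) produces `--limit 0/s`, which iptables rejects; if these lines are fed to iptables-restore, one bad line aborts the whole load rather than just this host's limit. Guard it: `if(ip->pps_limit > 0) { sprintf(limit_pkts, "-m limit --limit %d/s ", ip->pps_limit); } else { *limit_pkts = '\0'; }`. Note also that a packet above the rate merely stops matching this ACCEPT and continues down chain_postrouting; whether it is dropped depends on what follows in that chain, which is not visible here, so the DoS "deflection" the commit title claims holds only if the chain ends in a drop. The `-m limit` default `--limit-burst` of 5 also applies and is worth stating in the hard-coded-for-now comment. The enclosing loop body begins and ends outside the hunk.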
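Review bot: The upload ACCEPT rule in chain_forward reuses `limit_pkts`, so upstream packets are capped at a packet rate derived from ip->max, which the tc class in the following hunk uses as the ceil on the lan device — presumably the download ceil; for clients with asymmetric rates the upload direction (the code tracks pktsup separately) would get the wrong budget. If the two directions are meant to share one limit, say so where the rule is built, e.g. `/* same pps budget as download: derived from ip->max, not an upload ceil */`; otherwise derive the upload value from the upload rate. The statements before this hunk's first line, including the one that fills limit_pkts, are outside the hunk.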
@@ -1168,7 +1171,7 @@ Credit: CZFree.Net, Martin Devera, Netdave, Aquarius, Gandalf\n\n",version);
 #endif
 sprintf(str, "%s class add dev %s parent 1:%d classid 1:%d htb rate %dkbit ceil %dkbit burst %dk prio %d",
- tc, lan, ip->group, ip->mark,ip->min,ip->max, burst, ip->prio);
+ tc, lan, ip->group, ip->mark, ip->min, ip->max, burst, ip->prio);
 safe_run(str);
 if(strcmpi(ip->keyword->leaf_discipline, "none"))