Rate Limiting to Escape Attacks
Posted: Tue Apr 28, 2015 7:15 pm
I MUST rate limit my Virtuozzo containers. Too many exploits at the moment running up my bill. I came across this, but 1. I am afraid to try it, and 2. is it put into a script for rc.local, perhaps? PLEASE help me understand how to rate limit to 5mbit. Please?
I would really like to learn this. I want to rate limit at 5Mb/s. Would this be a start-up script in rc.local?
Code:
Limiting outgoing bandwidth
We can limit container outgoing bandwidth by setting the tc filter on eth0.
DEV=eth0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip src X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
X.X.X.X is the IP address of the container.
Limiting incoming bandwidth
This can be done by setting the tc filter on venet0:
DEV=venet0
tc qdisc del dev $DEV root
tc qdisc add dev $DEV root handle 1: cbq avpkt 1000 bandwidth 100mbit
tc class add dev $DEV parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated
tc filter add dev $DEV parent 1: protocol ip prio 16 u32 match ip dst X.X.X.X flowid 1:1
tc qdisc add dev $DEV parent 1:1 sfq perturb 10
Note that X.X.X.X is the IP address of the container.
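Added example (not part of the original post or of the instructions it quotes): a dry-run generator that emits the quoted tc/CBQ commands with the 5mbit cap asked about, extended beyond the single-IP case to one bounded class per container IP. The `CONTAINER_IPS`, `RATE`, `LINK` and `APPLY` variables, the `limit.sh` file name and the 192.0.2.x addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints (or applies) the tc/CBQ rules from the quoted text.
# Usage (constructed values): CONTAINER_IPS="192.0.2.10 192.0.2.11" sh limit.sh
RATE="${RATE:-5mbit}"      # per-container cap asked for in the post
LINK="${LINK:-100mbit}"    # link bandwidth given to the root cbq qdisc

valid_ipv4() {   # succeed only for a dotted quad with octets 0-255
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

valid_rate() {   # accept digits followed by kbit or mbit, e.g. 256kbit, 5mbit
    n=${1%[km]bit}
    [ "$n" != "$1" ] || return 1
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
}

# gen_rules DEV FIELD IP...  prints tc commands. FIELD is "src" for outgoing
# traffic on eth0 or "dst" for incoming traffic on venet0, as in the quoted text.
gen_rules() {
    dev=$1 field=$2; shift 2
    valid_rate "$RATE" && valid_rate "$LINK" || { echo "bad rate" >&2; return 1; }
    for ip in "$@"; do   # validate everything before printing anything
        valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
    done
    echo "tc qdisc del dev $dev root 2>/dev/null || true"   # no qdisc yet is fine
    echo "tc qdisc add dev $dev root handle 1: cbq avpkt 1000 bandwidth $LINK"
    id=0
    for ip in "$@"; do
        id=$((id + 1))   # one bounded class per container
        echo "tc class add dev $dev parent 1: classid 1:$id cbq rate $RATE allot 1500 prio 5 bounded isolated"
        echo "tc filter add dev $dev parent 1: protocol ip prio 16 u32 match ip $field $ip flowid 1:$id"
        echo "tc qdisc add dev $dev parent 1:$id sfq perturb 10"
    done
}

# Dry run by default; APPLY=1 (as root) executes the generated commands.
# CONTAINER_IPS is a space-separated list of container addresses.
if [ -n "${CONTAINER_IPS:-}" ]; then
    rules=$(gen_rules eth0 src $CONTAINER_IPS && gen_rules venet0 dst $CONTAINER_IPS) || exit 1
    if [ "${APPLY:-0}" = 1 ]; then printf '%s\n' "$rules" | sh -e; else printf '%s\n' "$rules"; fi
fi
```

Run it without `APPLY=1` first and read the printed commands before applying them. tc rules do not survive a reboot, so the script has to be run again at boot if the limits are to persist.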