分类: LINUX
脚本1:
限制会话数
#!/bin/sh
INET=192.168.0.
IPS=1
IPE=253
IDEV=eth1
ODEV=eth0
COUNTER=$IPS
while [ $COUNTER -lt $IPE ]
do
iptables -A FORWARD -i $IDEV -s $INET$COUNTER -m iplimit --iplimit-above 2 -j REJECT
COUNTER=` expr $COUNTER + 1 `
done
限制穿透本机FORWARD链的192.168.0.0/24的每个IP并发连接数不超过2个,超过的被拒绝
脚本2:
针对每个ip限制带宽
#!/bin/bash
tc qdisc del dev eth0 root 2>/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null
tc qdisc del dev eth1 root 2>/dev/null
tc qdisc del dev eth1 ingress 2>/dev/null
DOWNLOAD=128Kbit
UPLOAD=128Kbit
INET=192.168.0.
IPS=1
IPE=253
IDEV=eth1
ODEV=eth0
tc qdisc add dev eth1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev eth0 root handle 20: cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev eth0 parent 20:0 classid 20:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 1024Kbit prio 8 maxburst 20 avpkt 1000
COUNTER=$IPS
while [ $COUNTER -le $IPE ]
do
tc class add dev $IDEV parent 10:1 classid 10:1$COUNTER cbq bandwidth 100Mbit rate $DOWNLOAD allot 1514 weight 20Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $IDEV parent 10:1$COUNTER sfq quantum 1514b perturb 15
tc filter add dev $IDEV parent 10:0 protocol ip prio 100 u32 match ip dst $INET$COUNTER flowid 10:1$COUNTER
COUNTER=` expr $COUNTER + 1 `
done
COUNTER=$IPS
while [ $COUNTER -le $IPE ]
do
tc class add dev $ODEV parent 20:1 classid 20:1$COUNTER cbq bandwidth 1Mbit rate $UPLOAD allot 1514 weight 4Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $ODEV parent 20:1$COUNTER sfq quantum 1514b perturb 15
tc filter add dev $ODEV parent 20:0 protocol ip prio 100 handle $COUNTER fw classid 20:1$COUNTER
COUNTER=` expr $COUNTER + 1 `
done
COUNTER=$IPS
while [ $COUNTER -lt $IPE ]
do
iptables -t mangle -A PREROUTING -i $IDEV -s $INET$COUNTER -j MARK --set-mark $COUNTER
COUNTER=` expr $COUNTER + 1 `
done
---------------------------------------
限制会话数
#!/bin/sh
INET=192.168.0.
IPS=1
IPE=253
IDEV=eth1
ODEV=eth0
COUNTER=$IPS
while [ $COUNTER -lt $IPE ]
do
iptables -A FORWARD -i $IDEV -s $INET$COUNTER -m iplimit --iplimit-above 2 -j REJECT
COUNTER=` expr $COUNTER + 1 `
done
限制穿透本机FORWARD链的192.168.0.0/24的每个IP并发连接数不超过2个,超过的被拒绝
脚本2:
针对每个ip限制带宽
#!/bin/bash
tc qdisc del dev eth0 root 2>/dev/null
tc qdisc del dev eth0 ingress 2>/dev/null
tc qdisc del dev eth1 root 2>/dev/null
tc qdisc del dev eth1 ingress 2>/dev/null
DOWNLOAD=128Kbit
UPLOAD=128Kbit
INET=192.168.0.
IPS=1
IPE=253
IDEV=eth1
ODEV=eth0
tc qdisc add dev eth1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
tc qdisc add dev eth0 root handle 20: cbq bandwidth 100Mbit avpkt 1000
tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000
tc class add dev eth0 parent 20:0 classid 20:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 1024Kbit prio 8 maxburst 20 avpkt 1000
COUNTER=$IPS
while [ $COUNTER -le $IPE ]
do
tc class add dev $IDEV parent 10:1 classid 10:1$COUNTER cbq bandwidth 100Mbit rate $DOWNLOAD allot 1514 weight 20Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $IDEV parent 10:1$COUNTER sfq quantum 1514b perturb 15
tc filter add dev $IDEV parent 10:0 protocol ip prio 100 u32 match ip dst $INET$COUNTER flowid 10:1$COUNTER
COUNTER=` expr $COUNTER + 1 `
done
COUNTER=$IPS
while [ $COUNTER -le $IPE ]
do
tc class add dev $ODEV parent 20:1 classid 20:1$COUNTER cbq bandwidth 1Mbit rate $UPLOAD allot 1514 weight 4Kbit prio 5 maxburst 20 avpkt 1000 bounded
tc qdisc add dev $ODEV parent 20:1$COUNTER sfq quantum 1514b perturb 15
tc filter add dev $ODEV parent 20:0 protocol ip prio 100 handle $COUNTER fw classid 20:1$COUNTER
COUNTER=` expr $COUNTER + 1 `
done
COUNTER=$IPS
while [ $COUNTER -lt $IPE ]
do
iptables -t mangle -A PREROUTING -i $IDEV -s $INET$COUNTER -j MARK --set-mark $COUNTER
COUNTER=` expr $COUNTER + 1 `
done
---------------------------------------
总体思想很简单,为每个IP 打标,然后归入各自的tc 限速规则中去。
#!/bin/sh # xiaoh www.linuxbyte.org # 定义进出设备(eth0 内网,eth1外网) IDEV="eth0" ODEV="eth1" # 定义总的上下带宽 UP="50mbit" DOWN="50mbit" # 定义每个受限制的IP上下带宽 #rate 起始带宽 UPLOAD="4mbit" DOWNLOAD="5mbit" #ceil 最大带宽 MUPLOAD="5mbit" MDOWNLOAD="10mbit" #内网IP段 INET="192.168.0." # 受限IP范围,IPS 起始IP,IPE 结束IP。 IPS="1" IPE="114" # 清除网卡原有队列规则 tc qdisc del dev $ODEV root 2>/dev/null tc qdisc del dev $IDEV root 2>/dev/null # 定义最顶层(根)队列规则,并指定 default 类别编号 tc qdisc add dev $ODEV root handle 10: htb default 256 tc qdisc add dev $IDEV root handle 10: htb default 256 # 定义第一层的 10:1 类别 (上行/下行 总带宽) tc class add dev $ODEV parent 10: classid 10:1 htb rate $UP ceil $UP tc class add dev $IDEV parent 10: classid 10:1 htb rate $DOWN ceil $DOWN #开始iptables 打标和设置具体规则 i=$IPS; while [ $i -le $IPE ] do tc class add dev $ODEV parent 10:1 classid 10:2$i htb rate $UPLOAD ceil $MUPLOAD prio 1 tc qdisc add dev $ODEV parent 10:2$i handle 100$i: pfifo tc filter add dev $ODEV parent 10: protocol ip prio 100 handle 2$i fw classid 10:2$i tc class add dev $IDEV parent 10:1 classid 10:2$i htb rate $DOWNLOAD ceil $MDOWNLOAD prio 1 tc qdisc add dev $IDEV parent 10:2$i handle 100$i: pfifo tc filter add dev $IDEV parent 10: protocol ip prio 100 handle 2$i fw classid 10:2$i iptables -t mangle -A PREROUTING -s $INET$i -j MARK --set-mark 2$i iptables -t mangle -A PREROUTING -s $INET$i -j RETURN iptables -t mangle -A POSTROUTING -d $INET$i -j MARK --set-mark 2$i iptables -t mangle -A POSTROUTING -d $INET$i -j RETURN i=`expr $i + 1` done
-----------------
之前的Iptables+tc 网吧每IP 限速脚本一文中有一个问题需要补充,如果同时使用squid 做透明代理会使该脚本失效。
做透明代理时有一条iptables规则
iptables -A PREROUTING -s 192.168.0.0/24 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
这一规则把所有内网80端口的请求都转发到了网关,如此一来所有向外网的普通http 请求者都成了网关(192.168.0.254),而网关是不做限速的,所以所有http下载都不被限速了。
所以为了能现在http下载,我们要使用squid 的限速功能,配置命令如下:
acl LIMIT_IP src 192.168.0.0/25 delay_pools 1 delay_class 1 2 delay_access 1 allow LIMIT_IP delay_parameters 1 -1/-1 500000/500000
squid 的限速控制不是很精确限速500000 bytes/sec 的浮动在4xx/KB 到8XX/KB 之间 -__-!