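#!/bin/bash
# Per-client outbound rate limiting with the iptables "limit" module.
#
# Meant to run periodically (e.g. from cron):
#   * reads the current throughput in KB/s from flow.sh (integer part only);
#   * above HIGH_WATER it creates the CC-FLOW chain (reached from OUTPUT) and
#     adds a limit/DROP rule pair for every peer with an established connection;
#   * once the chain exists and throughput drops below LOW_WATER it removes it.
# Needs root for iptables; netstat -p also wants root.

CHAIN=CC-FLOW
HIGH_WATER=1250          # KB/s: start limiting above this
LOW_WATER=500            # KB/s: release limiting below this (hysteresis gap)
PER_CLIENT_LIMIT='150/s' # packets/s per peer; roughly 200 KB/s at ~1500-byte packets

# Throughput as printed by flow.sh ("123.45"); only the integer part is kept.
# (An earlier deployment read /etc/zabbix/script/flow.sh instead.)
SPEED=$(/bin/bash /root/flow.sh | cut -d '.' -f1)
# An empty reading (flow.sh failed, or it printed ".75" so cut returned "")
# becomes 1, so the integer comparisons below cannot error out.
[[ "$SPEED" =~ ^[0-9]+$ ]] || SPEED=1

# Number of listing lines that mention the chain; 0 means it is not installed.
EXIST=$(iptables -n -v -L | grep -c -- "$CHAIN")

if [ "$SPEED" -gt "$HIGH_WATER" ]; then
  # Deduplicated IPv4 peers of established connections. netstat's "Foreign
  # Address" column is "addr:port"; the regex pulls out the dotted quad.
  mapfile -t PEERS < <(netstat -antup | grep ESTABLISHED | awk '{print $5}' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u)

  if [ "$EXIST" -eq 0 ]; then
    iptables -N "$CHAIN"             # user chain holding the per-peer rules
    iptables -A OUTPUT -j "$CHAIN"   # route OUTPUT traffic through it
  fi

  for peer in "${PEERS[@]}"; do
    # Skip peers that already have rules. -F -w: literal, whole-word match, so
    # 10.0.0.1 does not match 10.0.0.10 and the dots are not regex wildcards.
    if iptables -n -v -L "$CHAIN" | grep -Fwq -- "$peer"; then
      continue
    fi
    # Up to PER_CLIENT_LIMIT packets/s to this peer are accepted, the rest dropped.
    iptables -A "$CHAIN" -d "$peer" -m limit --limit "$PER_CLIENT_LIMIT" -j ACCEPT
    iptables -A "$CHAIN" -d "$peer" -j DROP
  done
elif [ "$EXIST" -ne 0 ] && [ "$SPEED" -lt "$LOW_WATER" ]; then
  # Back to normal: flush the chain, detach it from OUTPUT (a chain that is
  # still referenced cannot be deleted), then delete it.
  iptables -F "$CHAIN"
  iptables -D OUTPUT -j "$CHAIN"
  iptables -X "$CHAIN"
fi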
flow.sh计算流量脚本:
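#!/bin/bash
# flow.sh - print the current throughput of one interface in KB/s.
#
# Reads the rx/tx byte counters of the interface from /proc/net/dev, waits
# INTERVAL seconds, reads them again and prints
#   (rx_delta + tx_delta) / INTERVAL / 1024
# with two decimals (e.g. "123.45"). The limiter scripts keep only the
# integer part of this output (cut -d. -f1).

# Interface to measure. Keep this a plain assignment on a line of its own: the
# tc limiter script recovers the device name by grepping for this assignment
# and cutting on "=".
NIC=eth0
INTERVAL=5   # seconds between the two samples

#######################################
# Print "<rx_bytes> <tx_bytes>" for the interface, or nothing if it is absent.
# /proc/net/dev lines look like "  eth0: 1234 ..." (name padded to 6 chars).
# Splitting on ':' first keeps the field positions right both when a long name
# has no leading blanks and when a large counter abuts the colon
# ("eth0:123456789 ..."); matching the whole name stops "eth0" from also
# matching "veth0".
# Globals: NIC (read)
#######################################
read_counters() {
  awk -F: -v nic="$NIC" '
    { name = $1; gsub(/^ +| +$/, "", name) }
    name == nic { split($2, f, " "); print f[1], f[9]; exit }
  ' /proc/net/dev
}

read -r old_in old_out <<<"$(read_counters)"
sleep "$INTERVAL"
read -r new_in new_out <<<"$(read_counters)"

# Unknown interface: treat the counters as 0 instead of failing the arithmetic.
: "${old_in:=0}" "${old_out:=0}" "${new_in:=0}" "${new_out:=0}"

in_bytes=$(( new_in - old_in ))
out_bytes=$(( new_out - old_out ))
# A counter wrap or an interface reset between samples gives a negative delta.
(( in_bytes < 0 )) && in_bytes=0
(( out_bytes < 0 )) && out_bytes=0

# echo "$NIC: IN:$in_bytes bytes OUT:$out_bytes bytes"

# Per-direction KB/s, rounded to two decimals.
IN=$(bc <<<"scale=2; $in_bytes/$INTERVAL/1024" | awk '{printf "%.2f\n", $0}')
OUT=$(bc <<<"scale=2; $out_bytes/$INTERVAL/1024" | awk '{printf "%.2f\n", $0}')
# Combined throughput: the single value the limiter scripts consume.
bc <<<"$IN+$OUT"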
=============================================================
利用ipset 和ss优化后的脚本:
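#!/bin/bash
# Throttle or ban web clients with ipset + iptables when throughput is high.
#
# Meant to run periodically (e.g. from cron). While flow.sh reports more than
# HIGH_WATER KB/s:
#   * peers of connections to local port 80 are counted per IP; IPs with more
#     than DROP_CONNS connections are collapsed to /24 networks and put in the
#     "dropip" set (all their inbound packets are dropped), the others into
#     "limitip" (inbound and outbound packets rate-limited with -m limit);
#   * anything matching a pattern in NODEIP_FILE is never added.
# The rules and both sets are removed when throughput is back below LOW_WATER
# with limit rules installed, or as soon as drop rules exist while throughput
# is no longer above HIGH_WATER (the author's original condition, kept as is).
# Requires root.

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

IPSET=limitip       # networks to rate-limit
IPSET1=dropip       # networks to drop outright
HIGH_WATER=1250     # KB/s at which throttling starts
LOW_WATER=500       # KB/s below which throttling is released
DROP_CONNS=80       # connections per IP above which its /24 is dropped
LIMIT_RATE='200/s'  # packets/s allowed per direction for limited networks
NODEIP_FILE=/home/tongbu/conf/nodeip.txt   # one grep -E pattern per line

#######################################
# Print "<connections> <ip>" for each IPv4 peer of a connection to local port
# 80, in `uniq -c` layout. Loopback peers and peers that are themselves on
# port 80 are skipped, as in the original pipeline.
# Column layout assumes `ss -tn`: State Recv-Q Send-Q Local Peer.
#######################################
peer_counts() {
  ss -tn \
    | awk 'NR > 1 && $4 ~ /:80$/ && $5 !~ /:80$/ && $5 !~ /^127\.0\.0/ { print $5 }' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort | uniq -c
}

#######################################
# stdin: one IPv4 address per line. stdout: their /24 networks ("a.b.c.0/24"),
# deduplicated, minus anything matching a pattern in NODEIP_FILE.
# grep -f treats every line of that file as a regex; a blank line in it
# matches everything and would exclude all peers. If the file is missing grep
# fails and nothing is printed, so nothing gets added (fails closed).
# Globals: NODEIP_FILE (read)
#######################################
to_nets() {
  sed 's/\.[0-9]*$/.0\/24/' | sort -u | grep -Ev -f "$NODEIP_FILE"
}

# Throughput in KB/s; only the integer part is used. An empty or non-numeric
# reading becomes 1 so the comparisons below cannot error out.
SPEED=$(/bin/bash /etc/zabbix/script/flow.sh | cut -d '.' -f1)
[[ "$SPEED" =~ ^[0-9]+$ ]] || SPEED=1

# Number of filter-table listing lines referencing each set; 0 = not installed.
EXIST=$(iptables -n -v -L | grep -c -- "$IPSET")
EXIST1=$(iptables -n -v -L | grep -c -- "$IPSET1")

if [ "$SPEED" -gt "$HIGH_WATER" ]; then
  # One snapshot of the connection table, classified by per-IP connection count.
  # The NF guard keeps the empty line of an empty here-string out of the lists.
  COUNTS=$(peer_counts)
  mapfile -t IPDROP  < <(awk -v n="$DROP_CONNS" 'NF && $1 >  n { print $2 }' <<<"$COUNTS" | to_nets)
  mapfile -t IPLIMIT < <(awk -v n="$DROP_CONNS" 'NF && $1 <= n { print $2 }' <<<"$COUNTS" | to_nets)

  # Create the sets on first use (`ipset list NAME` fails when NAME is absent).
  for set_name in "$IPSET" "$IPSET1"; do
    if ! ipset list "$set_name" >/dev/null 2>&1; then
      ipset create "$set_name" hash:net maxelem 10000
    fi
  done

  if [ "$EXIST" -eq 0 ]; then
    # -I prepends, so the DROP is inserted first and the limit/ACCEPT ends up
    # above it: packets within the budget are accepted, the remainder dropped.
    iptables -I INPUT  -m set --match-set "$IPSET" src -j DROP
    iptables -I INPUT  -m set --match-set "$IPSET" src -m limit --limit "$LIMIT_RATE" -j ACCEPT
    iptables -I OUTPUT -m set --match-set "$IPSET" dst -j DROP
    iptables -I OUTPUT -m set --match-set "$IPSET" dst -m limit --limit "$LIMIT_RATE" -j ACCEPT
    iptables -I INPUT  -m set --match-set "$IPSET1" src -j DROP
  fi

  # Add new networks. A network already present in either set is left alone,
  # so a dropped network is not also rate-limited (and vice versa), matching
  # the original "grep the whole ipset listing" check without its substring
  # false positives.
  for net in "${IPLIMIT[@]}"; do
    ipset test "$IPSET" "$net" >/dev/null 2>&1 && continue
    ipset test "$IPSET1" "$net" >/dev/null 2>&1 && continue
    ipset add "$IPSET" "$net"
  done
  for net in "${IPDROP[@]}"; do
    ipset test "$IPSET" "$net" >/dev/null 2>&1 && continue
    ipset test "$IPSET1" "$net" >/dev/null 2>&1 && continue
    ipset add "$IPSET1" "$net"
  done
elif { [ "$EXIST" -ne 0 ] && [ "$SPEED" -lt "$LOW_WATER" ]; } || [ "$EXIST1" -ne 0 ]; then
  # Delete rules by specification instead of by line number: the numbers shift
  # after every deletion and the old lookup depended on the distro's
  # /etc/init.d/iptables status output.
  if [ "$EXIST" -ne 0 ]; then
    iptables -D INPUT  -m set --match-set "$IPSET" src -m limit --limit "$LIMIT_RATE" -j ACCEPT
    iptables -D INPUT  -m set --match-set "$IPSET" src -j DROP
    iptables -D OUTPUT -m set --match-set "$IPSET" dst -m limit --limit "$LIMIT_RATE" -j ACCEPT
    iptables -D OUTPUT -m set --match-set "$IPSET" dst -j DROP
  fi
  if [ "$EXIST1" -ne 0 ]; then
    iptables -D INPUT -m set --match-set "$IPSET1" src -j DROP
  fi
  # Sets can only be destroyed once no rule references them (done above).
  ipset destroy "$IPSET"
  ipset destroy "$IPSET1"
fi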
改用tc限速和只限制发包大的ip的脚本:
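#!/bin/bash
# Shape heavy web clients with tc/htb and drop abusive ones when throughput is high.
#
# Meant to run periodically (e.g. from cron). While flow.sh reports more than
# HIGH_WATER KB/s:
#   * peers with more than DROP_CONNS connections to local port 80 go into the
#     "dropip" set and all their inbound packets are dropped;
#   * peers whose TCP Send-Q exceeds SENDQ_BYTES (the connections we are
#     currently pushing the most data to) go into "limitip"; outbound packets
#     to them are marked in the mangle table and steered into htb class 1:1,
#     which gets flow_max kbps, while everything else uses class 1:2 at
#     9 x flow_max;
#   * flow_max is this node's allowed bandwidth, looked up in MySQL by the
#     node's IP (read from /etc/log.sh); the NIC name comes from flow.sh;
#   * anything matching a pattern in NODEIP_FILE is never added.
# Rules, sets and the qdisc are removed when throughput is back below
# LOW_WATER with shaping installed, or as soon as drop rules exist while
# throughput is no longer above HIGH_WATER (the author's condition, kept as is).
# Requires root.

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

IPSET=limitip       # peers to shape
IPSET1=dropip       # peers to drop outright
HIGH_WATER=1250     # KB/s at which shaping starts
LOW_WATER=650       # KB/s below which shaping is released
DROP_CONNS=80       # connections per peer above which it is dropped
SENDQ_BYTES=4000    # Send-Q above which a peer is shaped
MARK=111            # firewall mark / tc fw filter handle for shaped traffic
NODEIP_FILE=/home/tongbu/conf/nodeip.txt   # one grep -E pattern per line
FLOW_SCRIPT=/etc/zabbix/script/flow.sh

#######################################
# Print "<connections> <ip>" for each IPv4 peer of a connection to local port
# 80, in `uniq -c` layout; loopback peers and peers on port 80 are skipped.
# Column layout assumes `ss -tn`: State Recv-Q Send-Q Local Peer.
#######################################
peer_counts() {
  ss -tn \
    | awk 'NR > 1 && $4 ~ /:80$/ && $5 !~ /:80$/ && $5 !~ /^127\.0\.0/ { print $5 }' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort | uniq -c
}

#######################################
# Print the deduplicated IPv4 peers whose Send-Q exceeds SENDQ_BYTES.
# Same `ss -tn` column assumption as peer_counts ($3 = Send-Q, $5 = Peer).
# The regex replaces the original `cut -d: -f1`, which mangled IPv4-mapped
# IPv6 peers ("[::ffff:a.b.c.d]:port") into "[".
# Globals: SENDQ_BYTES (read)
#######################################
heavy_peers() {
  ss -tn \
    | awk -v q="$SENDQ_BYTES" 'NR > 1 && $3 > q { print $5 }' \
    | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | sort -u
}

# Throughput in KB/s; only the integer part is used.
SPEED=$(/bin/bash "$FLOW_SCRIPT" | cut -d '.' -f1)
# Device name: the value of the "NIC=" assignment inside flow.sh (first match).
DEV=$(grep 'NIC=' "$FLOW_SCRIPT" | cut -d '=' -f2 | head -n1)
# This node's IP, from the "IP=" assignment in /etc/log.sh (first match).
IP=$(grep 'IP=' /etc/log.sh | cut -d '=' -f2 | head -n1)

# The original read `SPEED= 1`, which left SPEED empty (and tried to run "1"),
# so every later numeric test errored out. Any empty or non-numeric reading
# now falls back to 1.
[[ "$SPEED" =~ ^[0-9]+$ ]] || SPEED=1

# Nothing below works without a device name.
if [ -z "$DEV" ]; then
  printf '%s: no NIC assignment found in %s\n' "${0##*/}" "$FLOW_SCRIPT" >&2
  exit 1
fi

# Listing lines referencing each set in the table its rule lives in; 0 = absent.
EXIST=$(iptables -t mangle -n -v -L | grep -c -- "$IPSET")   # MARK rule
EXIST1=$(iptables -n -v -L | grep -c -- "$IPSET1")           # DROP rule

if [ "$SPEED" -gt "$HIGH_WATER" ]; then
  # grep -f treats each line of NODEIP_FILE as a regex (a blank line matches
  # everything); a missing file makes grep fail, so nothing is added.
  mapfile -t IPDROP  < <(peer_counts | awk -v n="$DROP_CONNS" '$1 > n { print $2 }' | grep -Ev -f "$NODEIP_FILE")
  mapfile -t IPLIMIT < <(heavy_peers | grep -Ev -f "$NODEIP_FILE")

  # Create the sets on first use (`ipset list NAME` fails when NAME is absent).
  for set_name in "$IPSET" "$IPSET1"; do
    if ! ipset list "$set_name" >/dev/null 2>&1; then
      ipset create "$set_name" hash:net maxelem 1000000
    fi
  done

  if [ "$EXIST" -eq 0 ]; then
    # Node bandwidth (kbps) from the central database.
    # NOTE(review): the DB credentials are embedded in this script and sent to a
    # remote host; at minimum they belong in a mode-0600 --defaults-extra-file
    # for a read-only account. The password is passed through MYSQL_PWD rather
    # than -p so it is at least not visible to other users via `ps`. $IP is
    # spliced into the SQL text; it comes from the local /etc/log.sh, which
    # must therefore remain root-owned.
    flow_max=$(MYSQL_PWD='cqhd@b' mysql -h 218.32.211.9 -u comlesu -e \
      "use comlesu; select flow_max from lc_node where ip='$IP'" | tail -1)

    if [[ "$flow_max" =~ ^[0-9]+$ ]] && [ "$flow_max" -gt 0 ]; then
      # Fresh qdisc tree; the delete only fails when none is present.
      tc qdisc del dev "$DEV" root &>/dev/null
      tc qdisc add dev "$DEV" root handle 1: htb default 2
      # tc's "kbps" unit is kilobytes per second. Class 1:1 (marked peers) gets
      # flow_max, the default class 1:2 gets 9 x flow_max.
      tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$(( flow_max * 1 ))kbps" ceil "$(( flow_max * 1 ))kbps"
      tc class add dev "$DEV" parent 1: classid 1:2 htb rate "$(( flow_max * 9 ))kbps" ceil "$(( flow_max * 9 ))kbps"
      tc qdisc add dev "$DEV" parent 1:1 handle 11 sfq perturb 10
      tc qdisc add dev "$DEV" parent 1:2 handle 12 sfq perturb 10
      # Packets carrying firewall mark MARK are classified into 1:1.
      tc filter add dev "$DEV" parent 1: protocol ip prio 8 handle "$MARK" fw classid 1:1
      iptables -t mangle -A POSTROUTING -m set --match-set "$IPSET" dst -j MARK --set-mark "$MARK"
      iptables -I INPUT -m set --match-set "$IPSET1" src -j DROP
    else
      # Without a valid flow_max the rules are not installed either, so EXIST
      # stays 0 and the next run retries the lookup instead of leaving a MARK
      # rule that points at a class that does not exist.
      printf '%s: no usable flow_max for ip=%s (got "%s"); shaping not installed\n' \
        "${0##*/}" "$IP" "$flow_max" >&2
    fi
  fi

  # Add new peers; one already present in either set is left alone, matching
  # the original whole-listing grep without its substring false positives.
  for peer in "${IPLIMIT[@]}"; do
    ipset test "$IPSET" "$peer" >/dev/null 2>&1 && continue
    ipset test "$IPSET1" "$peer" >/dev/null 2>&1 && continue
    ipset add "$IPSET" "$peer"
  done
  for peer in "${IPDROP[@]}"; do
    ipset test "$IPSET" "$peer" >/dev/null 2>&1 && continue
    ipset test "$IPSET1" "$peer" >/dev/null 2>&1 && continue
    ipset add "$IPSET1" "$peer"
  done
elif { [ "$EXIST" -ne 0 ] && [ "$SPEED" -lt "$LOW_WATER" ]; } || [ "$EXIST1" -ne 0 ]; then
  # Delete by specification rather than by line number: the original
  # grep|awk lookup could return several numbers, and
  # `iptables -D CHAIN n m` is not a valid deletion.
  if [ "$EXIST1" -ne 0 ]; then
    iptables -D INPUT -m set --match-set "$IPSET1" src -j DROP
  fi
  if [ "$EXIST" -ne 0 ]; then
    iptables -t mangle -D POSTROUTING -m set --match-set "$IPSET" dst -j MARK --set-mark "$MARK"
  fi
  tc qdisc del dev "$DEV" root &>/dev/null
  # Sets can only be destroyed once no rule references them (done above).
  ipset destroy "$IPSET"
  ipset destroy "$IPSET1"
fi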
本文转自biao007h51CTO博客,原文链接:http://blog.51cto.com/linzb/1766218 ,如需转载请自行联系原作者