Changeset ad04bbc3dc5adfe3e75690b34a04448840efeffb
- Timestamp:
- 04/18/09 12:33:01 (3 years ago)
- Author:
- Neutron Soutmun <neo.neutron@…>
- Children:
- ebf1b313a3bf00f239329f7fe3a81e40e23b0296
- Parents:
- ae7e7e4f3e3672207f051839f33df6649f41dca1
- git-committer:
- Neutron Soutmun <neo.neutron@…> (04/18/09 12:33:01)
- Message:
-
Handle dhcp request, tune http access performance
2009-04-18 Neutron Soutmun <neo.neutron@…>
- example/{rahunas,rahunas-vserver}.conf.in, tools/firewall.sh.in:
- Remove dhcp field from vserver config because the dhcp request is a broadcast
message and cannot be classified as belonging to any particular vserver.
- Remove dhcp_range from vserver config which will consider later how to
handle it.
- Move the dhcp firewall code from vserver section to policy.
- Adjust the webserver access limit rate for performance tuning.
- Files:
-
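--- a/CHANGELOG_PATH_PLACEHOLDER
+++ b/CHANGELOG_PATH_PLACEHOLDER
@@ -1,2 +1,12 @@
+2009-04-18 Neutron Soutmun <neo.neutron@gmail.com>
+
+* example/{rahunas,rahunas-vserver}.conf.in, tools/firewall.sh.in:
+- Remove dhcp field from vserver config due to the dhcp request is broadcast
+message could not be classified which vserver it is.
+- Remove dhcp_range from vserver config which will consider later how to
+handle it.
+- Move the dhcp firewall code from vserver section to policy.
+- Adjust the webserver access limit rate for performance tuning.
+
 2009-04-18 Neutron Soutmun <neo.neutron@gmail.com>
 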
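--- a/example/rahunas-vserver.conf.in
+++ b/example/rahunas-vserver.conf.in
@@ -17,6 +17,4 @@
 idle_timeout = "600"
 
-dhcp = "yes"
-dhcp_range = "172.30.0.10 172.30.3.254"
 dns = "yes"
 ssh = "yes"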
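--- a/example/rahunas.conf.in
+++ b/example/rahunas.conf.in
@@ -9,4 +9,6 @@
 log_file = "@localstatedir@/log/rahunas/rahunas.log"
 
+dhcp = "yes"
+
 bandwidth_shape = "yes"
 bittorrent_download_max = "512"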
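--- a/tools/firewall.sh.in
+++ b/tools/firewall.sh.in
@@ -48,4 +48,5 @@
 MAIN_BITTORRENT_DOWNLOAD_MAX=`get_config_value main bittorrent_download_max $RAHUNAS_CONFIG`
 MAIN_BITTORRENT_UPLOAD_MAX=`get_config_value main bittorrent_upload_max $RAHUNAS_CONFIG`
+MAIN_DHCP=`get_config_value main dhcp $RAHUNAS_CONFIG`
 
 # Virtual Server : config
@@ -60,5 +61,4 @@
 EXCLUDED=
 BANDWIDTH_SHAPE=
-DHCP=
 DNS=
 SSH=
@@ -124,5 +124,4 @@
 EXCLUDED=`get_config_value $NAME excluded $file`
 BANDWIDTH_SHAPE=$MAIN_BANDWIDTH_SHAPE
-DHCP=`get_config_value $NAME dhcp $file`
 DNS=`get_config_value $NAME dns $file`
 SSH=`get_config_value $NAME ssh $file`
@@ -379,4 +378,17 @@
 
 $IPTABLES -A INPUT -i lo -j ACCEPT
+
+# DHCP Settings
+
+if [ "$MAIN_DHCP" = "yes" ]; then
+$IPTABLES -A INPUT -p udp --dport 67:68 -j ACCEPT
+$IPTABLES -A FORWARD -p udp --dport 67:68 -j DROP
+elif [ "$MAIN_DHCP" = "no" ]; then
+$IPTABLES -A INPUT -p udp --dport 67:68 -j DROP
+$IPTABLES -A FORWARD -p udp --dport 67:68 -j DROP
+elif [ "$MAIN_DHCP" = "forward" ]; then
+$IPTABLES -A INPUT -p udp --dport 67:68 -j DROP
+$IPTABLES -A FORWARD -p udp --dport 67:68 -j ACCEPT
+fi
 }
 
@@ -388,4 +400,17 @@
 
 $IPTABLES -D INPUT -i lo -j ACCEPT
+
+# DHCP Settings
+
+if [ "$MAIN_DHCP" = "yes" ]; then
+$IPTABLES -D INPUT -p udp --dport 67:68 -j ACCEPT
+$IPTABLES -D FORWARD -p udp --dport 67:68 -j DROP
+elif [ "$MAIN_DHCP" = "no" ]; then
+$IPTABLES -D INPUT -p udp --dport 67:68 -j DROP
+$IPTABLES -D FORWARD -p udp --dport 67:68 -j DROP
+elif [ "$MAIN_DHCP" = "forward" ]; then
+$IPTABLES -D INPUT -p udp --dport 67:68 -j DROP
+$IPTABLES -D FORWARD -p udp --dport 67:68 -j ACCEPT
+fi
 }
 
@@ -422,11 +447,11 @@
 $IPTABLES -A $CHAIN_INPUT -p tcp -m multiport -d $VSERVER_IP\
 --dports $VSERVER_PORTS_ALLOW \
--m recent --rcheck --seconds 15 --name incoming_throttle -j DROP
+-m recent --rcheck --seconds 6 --name incoming_throttle -j DROP
 
 $IPTABLES -A $CHAIN_INPUT -p tcp -m multiport -d $VSERVER_IP \
 --dports $VSERVER_PORTS_ALLOW \
--m hashlimit --hashlimit 5/sec \
---hashlimit-mode srcip --hashlimit-burst 10 \
---hashlimit-htable-expire 15000 --hashlimit-name incoming \
+-m hashlimit --hashlimit 20/sec \
+--hashlimit-mode srcip --hashlimit-burst 30 \
+--hashlimit-htable-expire 4000 --hashlimit-name incoming \
 -j ACCEPT
 
@@ -448,18 +473,5 @@
 -d $VSERVER_IP -j ACCEPT
 
-##
-# Allow incoming DHCP request
-##
-
-if [ "$DHCP" = "yes" ]; then
-$IPTABLES -A $CHAIN_INPUT -p udp --dport 67:68 -j ACCEPT
-$IPTABLES -A $CHAIN_FORWARD -p udp --dport 67:68 -j DROP
-elif [ "$DHCP" = "no" ]; then
-$IPTABLES -A $CHAIN_INPUT -p udp --dport 67:68 -j DROP
-$IPTABLES -A $CHAIN_FORWARD -p udp --dport 67:68 -j DROP
-elif [ "$DHCP" = "forward" ]; then
-$IPTABLES -A $CHAIN_INPUT -p udp --dport 67:68 -j DROP
-$IPTABLES -A $CHAIN_FORWARD -p udp --dport 67:68 -j ACCEPT
-fi
+
 
 ##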
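Review bot: The new policy block at new lines 383–392 silently falls through when `$MAIN_DHCP` holds anything other than yes/no/forward — including the empty string that `get_config_value` presumably yields when the `dhcp` key is missing from the main config — so no DHCP rule is installed at all and whatever default policy the INPUT/FORWARD chains carry decides; add a terminating branch such as `else echo "firewall: unknown dhcp value '$MAIN_DHCP'" >&2; fi` and mirror it in the teardown block at new lines 405–414 so the `-D` rules stay in lockstep with the `-A` rules. The removed per-vserver rules were appended to `$CHAIN_INPUT`/`$CHAIN_FORWARD`, whereas the replacements go onto the global INPUT/FORWARD chains with no `-i` restriction, so with `dhcp = "yes"` UDP 67:68 is now accepted on every interface the box has; if the script knows the internal interface at this point, an `-i <internal-iface>` on the ACCEPT keeps the previous exposure. The hashlimit change at new lines 453–455 (5/sec burst 10 → 20/sec burst 30, with the recent-match window cut from 15 s to 6 s) quadruples the per-source request budget, which is a deliberate loosening of the anti-flood throttle; a one-line comment recording the measured reason would help whoever tunes it next. The functions enclosing lines 383–392 and 405–414 begin outside the hunk.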