Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- haproxy -D -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)
- iptables -I INPUT -p tcp --dport $PORT --syn -j DROP
- sleep 1
- service haproxy restart
- iptables -D INPUT -p tcp --dport $PORT --syn -j DROP
- # plug_manipulation.sh
- nl-qdisc-add --dev=lo --parent=1:4 --id=40: --update plug --buffer
- service haproxy reload
- nl-qdisc-add --dev=lo --parent=1:4 --id=40: --update plug --release-indefinite
- # setup_iptables.sh
- iptables -t mangle -I OUTPUT -p tcp -s 169.254.255.254 --syn -j MARK --set-mark 1
- # setup_qdisc.sh
- ## Set up the queuing discipline
- tc qdisc add dev lo root handle 1: prio bands 4
- tc qdisc add dev lo parent 1:1 handle 10: pfifo limit 1000
- tc qdisc add dev lo parent 1:2 handle 20: pfifo limit 1000
- tc qdisc add dev lo parent 1:3 handle 30: pfifo limit 1000
- ## Create a plug qdisc with 1 meg of buffer
- nl-qdisc-add --dev=lo --parent=1:4 --id=40: plug --limit 1048576
- ## Release the plug
- nl-qdisc-add --dev=lo --parent=1:4 --id=40: --update plug --release-indefinite
- ## Set up the filter, any packet marked with “1” will be
- ## directed to the plug
- tc filter add dev lo protocol ip parent 1:0 prio 1 handle 1 fw classid 1:4
- iptables -t mangle -A PREROUTING -i eth1 -d 123.123.123.123/32 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
- iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
- iptables -t mangle -A PREROUTING -i eth1 -p tcp --tcp-flags FIN FIN -j MARK --set-mark 2
- iptables -t mangle -A PREROUTING -i eth1 -p tcp --tcp-flags RST RST -j MARK --set-mark 2
- iptables -t mangle -A PREROUTING -i eth1 -m mark ! --mark 0 -j TEE --gateway 192.168.0.2
- iptables -t mangle -A PREROUTING -i eth1 -m mark --mark 1 -j DROP
- #!/bin/sh
- case $1 in
- start)
- echo Redirection for new sessions is enabled
- # echo 0 > /proc/sys/net/ipv4/tcp_fwmark_accept
- for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
- iptables -t mangle -A PREROUTING -i eth1 ! -d 123.123.123.123 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
- iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
- iptables -t mangle -A PREROUTING -i eth1 -p tcp --tcp-flags FIN FIN -j MARK --set-mark 2
- iptables -t mangle -A PREROUTING -i eth1 -p tcp --tcp-flags RST RST -j MARK --set-mark 2
- iptables -t mangle -A PREROUTING -i eth1 -m mark ! --mark 0 -j TEE --gateway 192.168.0.2
- iptables -t mangle -A PREROUTING -i eth1 -m mark --mark 1 -j DROP
- ;;
- stop)
- iptables -t mangle -D PREROUTING -i eth1 -m mark --mark 1 -j DROP
- iptables -t mangle -D PREROUTING -i eth1 -m mark ! --mark 0 -j TEE --gateway 192.168.0.2
- iptables -t mangle -D PREROUTING -i eth1 -p tcp --tcp-flags RST RST -j MARK --set-mark 2
- iptables -t mangle -D PREROUTING -i eth1 -p tcp --tcp-flags FIN FIN -j MARK --set-mark 2
- iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark
- iptables -t mangle -D PREROUTING -i eth1 ! -d 123.123.123.123 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
- echo Redirection for new sessions is disabled
- ;;
- esac
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
