Comments
In a preventative or reactive fashion?
Nodewatch can suspend a VM when it has a high number of connections.
May I know your primary objective to limit packets? If it's to prevent DDoS, it's probably a waste of time, as DDoS can be synchronized with a huge cluster.
Yes, it is to prevent packet floods from the OpenVZ containers. Sometimes the DDoS wannabes are trying some scripts and sending more than 100K pps.
Use tc to traffic shape:
https://openvz.org/Traffic_shaping_with_tc
We have tried this with Solus:
iptables -I FORWARD 1 -o $DEV -s X.X.X.X -m limit --limit 200/sec -j ACCEPT
iptables -I FORWARD 2 -o $DEV -s X.X.X.X -j DROP
However, the 2nd line is stopping the Internet; the 1st line seems to work.
@qhoster What is the overall goal? Those iptables lines should work; also try attaching it to venet0. But nodewatch should pick up a high number of connections; you just have to edit the settings to your liking and also remove the // in front of the setting.
The idea is to limit each container to, let's say, 10 000 packets per second.
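One way to get the per-container 10 000 pps cap asked for above with a single rule instead of an ACCEPT/DROP pair per container, as an added example that is not from any poster in this thread: the hashlimit match keyed on source IP keeps one token bucket per container address, and `--hashlimit-above` matches only the packets that exceed the rate, so the rule drops the excess and lets everything else fall through. The container subnet 10.0.0.0/24, the device venet0 and the bucket name ct_pps are assumptions.

```shell
#!/bin/sh
# Emit (or apply) one hashlimit rule that caps packets per second per
# container source IP. Assumed values, not from the thread: containers in
# 10.0.0.0/24, outbound device venet0, 10000 pps cap with an equal burst.

# pps_limit_rule DEV CIDR PPS BURST -> prints the iptables command to stdout
pps_limit_rule() {
    dev=$1; cidr=$2; pps=$3; burst=$4
    # --hashlimit-mode srcip: a separate bucket per container IP in CIDR
    # --hashlimit-above:      match only when that IP exceeds PPS/sec
    # --hashlimit-burst:      tokens a bucket may accumulate; the default of
    #                         5 would drop normal traffic, so set it explicitly
    printf 'iptables -I FORWARD 1 -o %s -s %s -m hashlimit --hashlimit-name ct_pps --hashlimit-mode srcip --hashlimit-above %s/sec --hashlimit-burst %s -j DROP\n' \
        "$dev" "$cidr" "$pps" "$burst"
}

# Apply the generated rule on the node (needs root and iptables).
pps_limit_apply() {
    pps_limit_rule "$@" | sh
}

# Check afterwards: the live per-IP buckets appear in the hashlimit table,
# one line per container address that has sent traffic since the rule
# was inserted. Returns non-zero if the table does not exist.
pps_limit_status() {
    cat /proc/net/ipt_hashlimit/ct_pps
}

# Dry run when executed directly:
# pps_limit_rule venet0 10.0.0.0/24 10000 10000
```

Dropping only the excess means a flooding container loses packets above the cap while its normal traffic keeps flowing, which is the behaviour the two-rule limit/DROP pair above was meant to give.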
10000 PPS lolwut. 1 Gigabit is like 80-120k PPS depending on the amount of data in the packet stream generated by some software.
I thought that was 200/sec?
EDIT: just saw you were using an example, not your actual rule