site => 'security-tracker.debian.org',
content => template('roles/apache-security-tracker.debian.org.conf.erb')
}
+
+ # traffic shaping http traffic
+ @ferm::rule { 'dsa-security-tracker-shape':
+ table => 'mangle',
+ chain => 'OUTPUT',
+ rule => "proto tcp dport 443 MARK set-mark 20",
+ }
+
+ file { '/usr/local/sbin/traffic-shape':
+ mode => '0755',
+ content => template('roles/security-tracker/traffic-shape'),
+ notify => Exec['/usr/local/sbin/traffic-shape'],
+ }
+ exec { '/usr/local/sbin/traffic-shape':
+ refreshonly => true
+ }
}
--- /dev/null
+#!/bin/bash
+
+tc qdisc del dev eth0 root
+tc qdisc add dev eth0 root handle 1:0 htb default 10
+tc class add dev eth0 parent 1:0 classid 1:10 htb rate 1gbps prio 0
+tc class add dev eth0 parent 1:0 classid 1:20 htb rate 20mbit ceil 16mbit prio 0
+tc class add dev eth0 parent 1:0 classid 1:30 htb rate 1mbit ceil 1mbit prio 0
+
+tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 20 fw flowid 1:20
+tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 30 fw flowid 1:30
+
+ipset -exist create http_abuser hash:ip timeout 3600
+
+# iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /tor/status-vote/current/consensus HTTP' -j SET --add-set http_abuser src
+#iptables -A OUTPUT -t mangle -p tcp --sport 443 -j MARK --set-mark 20
+#iptables -A OUTPUT -t mangle -p tcp --sport 443 -m set --match-set http_abuser dst -j MARK --set-mark 30
+#A=""
+## A="$A 192.0.2.1" # whitelist
+#for i in $A; do
+ #iptables -I OUTPUT -t mangle -p tcp --sport 443 --destination $i -j ACCEPT
+#done
+
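Review bot: None of the tc or ipset commands in this script have their exit status checked, and since the file has no `set -e` the Puppet exec that runs it only sees the status of the last command, so a failed `tc class add` or `tc filter add` (lines 26-31) leaves a half-built qdisc tree while the refresh is reported as successful; I would add `set -euo pipefail` after the shebang and turn line 24 into `tc qdisc del dev eth0 root 2>/dev/null || true`, since the deletion is expected to fail on a host that has no root qdisc yet. Class 1:20 on line 27 is given `rate 20mbit ceil 16mbit`, a ceil below its guaranteed rate, which looks like a typo in one of the two numbers and should be confirmed against the intended limit. The `http_abuser` set is created on line 33 but the rules that would populate it and mark its members (lines 35 and 37) are commented out, so unless something else adds to the set, class 1:30 and the `handle 30` filter never match any traffic; a comment such as `# class 1:30 / mark 30 is unused until the http_abuser set is fed` would save the next reader from assuming the throttle is active. The interface name `eth0` is repeated on every line and would be easier to maintain as a single `dev=eth0` variable near the top.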