Permalink
Cannot retrieve contributors at this time
include_recipe 'yum-epel' | |
package %w(ipset nc perf iftop htop) | |
include_recipe 'mg_perf_iptables::server' | |
ipt = '/sbin/iptables' | |
ips = '/usr/sbin/ipset' | |
execute "#{ipt} --flush" | |
execute "#{ips} --flush" | |
main_port = node['http_server_port'] | |
ports = [5050, 5051, 5052, main_port] | |
num_src = 400 | |
src_ips = [] | |
# get a pool of IPs to play with | |
num_src.times do |_i| | |
third = Random.rand(1..254) | |
fourth = Random.rand(1..254) | |
ip = "172.29.#{third}.#{fourth}" | |
src_ips << ip | |
end | |
# allow our test machine's source, see attributes/ | |
src_ips << node['src_ip'] | |
if node['use_simple_iptables'] | |
ports.each do |port| | |
rules = [] | |
src_ips.each do |ip| | |
rule = "#{ipt} -A INPUT -i eth1 -p tcp --dport #{port} --src #{ip} -j ACCEPT" | |
rules << rule | |
end | |
rules << "#{ipt} -A INPUT -i eth1 -p tcp --dport #{port} -j REJECT" | |
# applying rules for each port, otherwise argument list too long | |
execute 'apply_rules' do | |
command rules.join("\n") | |
sensitive true # dont want to pollute logs | |
end | |
end | |
elsif node['use_ipset'] | |
# create ipset first | |
cmds = ["#{ips} -N org_pool iphash"] | |
src_ips.each do |ip| | |
cmds << "#{ips} -A org_pool #{ip}" | |
end | |
execute 'create_ipset' do | |
command cmds.join("\n") | |
sensitive true | |
end | |
ports.each do |port| | |
rules = [] | |
rules << "#{ipt} -A INPUT -i eth1 -p tcp --dport #{port} -m set --set org_pool src -j ACCEPT" | |
rules << "#{ipt} -A INPUT -i eth1 -p tcp --dport #{port} -j REJECT" | |
execute 'apply_rules' do | |
command rules.join("\n") | |
end | |
end | |
end |