
mkorthof/traflimit


Traffic Limit ("traflimit")

Limits the amount of bandwidth that can be used by a host

This script helps you limit the amount of bandwidth that you consume on a VM, BM or VPS. The idea is that you can predict and budget bandwidth fees while using Public Cloud services, especially with providers such as AWS, IBM, MS Azure or Vultr, which bill based on bandwidth utilization (i.e. egress traffic).

Features:

  • the script is fully configurable: set options in traflimit.conf or inside the script
  • besides cron, it can run as a daemon, in screen or in the foreground
  • sends email and/or runs custom action(s) such as commands or other scripts if the traffic limit is hit
  • includes the bashmail.sh script, a small sendmail drop-in replacement using... Bash :)
  • both vnstat 1 and 2 are supported

Installation

See the included comments in traflimit.conf for an explanation of what the options do.

  1. Configure options in traflimit.conf (RECOMMENDED) or add them to the top of traflimit.sh
  2. Test by first setting POLLMETHOD="foreground"
  3. Comment out POLLMETHOD and create a file in /etc/cron.d:
   echo "* * * * * root $PWD/traflimit.sh cron 2>&1" | sudo tee /etc/cron.d/traflimit

Paths:

The .sh script will search for the .conf in the same directory, /etc and /usr/local/etc.

Suggested paths: "/usr/local/etc/traflimit.conf" and "/usr/local/sbin/traflimit.sh"

Migrating:

If you want to copy settings from traflimit.sh to traflimit.conf:

  • first try running the command below
  • then remove the settings from traflimit.sh, or just get a fresh copy from the repo
  sudo sed -n '/^AGREE=/,/^# END/p' traflimit.sh | sudo tee /usr/local/etc/traflimit.conf >/dev/null

Actions

When the max traffic limit is hit, MAXRUNACT sets what should happen. You may want to add a sleep 60 first, so that you have time to disable the script if needed (e.g. if the action was a shutdown and you boot the host afterwards).

Examples:

  • run command: /sbin/iptables-restore < /etc/firewall-lockdown.conf

  • run script: /root/scripts/max_traffic_action_script

  • iptables - flush/drop: /sbin/iptables -F; /sbin/iptables -X; /sbin/iptables -P INPUT DROP; /sbin/iptables -P OUTPUT DROP; /sbin/iptables -P FORWARD DROP;

  • iptables - allow SSH only: /sbin/iptables -A INPUT -i lo -j ACCEPT; /sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT; /sbin/iptables -A INPUT -j DROP; /sbin/iptables -A OUTPUT -o lo -j ACCEPT; /sbin/iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT; /sbin/iptables -A OUTPUT -j DROP;

  • nftables: /sbin/nft "flush ruleset; add table ip filter;"; /sbin/nft "add chain ip filter INPUT \{ type filter hook input priority 0; policy drop; \}"; /sbin/nft "add chain ip filter FORWARD \{ type filter hook forward priority 0; policy drop; \}"; /sbin/nft "add chain ip filter OUTPUT \{ type filter hook output priority 0; policy drop; \}"; /sbin/nft "add rule ip filter INPUT iifname lo accept;"; /sbin/nft "add rule ip filter INPUT ct state \{established,related\} accept;"; /sbin/nft "add rule ip filter INPUT tcp dport 220 accept;"; /sbin/nft "add rule ip filter INPUT reject;"; /sbin/nft "add rule ip filter OUTPUT oifname lo accept;";

  • stop network: /etc/init.d/network* stop || /usr/sbin/service network stop || /usr/sbin/service networking stop || systemctl stop network*;

  • shutdown: /sbin/shutdown -h 5 TrafficLimit hit && sleep 360;

You could also make the script kill itself (included as an example; it should not really be needed):

logevent "INFO: Killing daemon process..."; pkill -9 -F $PIDFILE 2>/dev/null; rm $PIDFILE;

Max limit hit

After the max traffic limit has been hit, the actions you've defined in MAXRUNACT will continue to be executed every time the script runs. To acknowledge, set MAXACK="1" and no actions will be run. To also disable log entries and mail limits, optionally set MAXQUIET="1".

You can also set these options by creating the following files in the root directory:

touch /.maxack
touch /.maxquiet
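
The grace period suggested under Actions and the /.maxack file described here can be combined in a script run from MAXRUNACT. This is an added example, not part of the traflimit repository: it waits, skips the lockdown if /.maxack appeared in the meantime, and loads the SSH-only rules through iptables-restore. The function names and the ACK_FILE, GRACE and SSH_PORT variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the traflimit repo. Use as MAXRUNACT:
#   /root/scripts/max_traffic_action_script apply
# ACK_FILE, GRACE, SSH_PORT and all function names are assumptions.
ACK_FILE="${ACK_FILE:-/.maxack}"  # acknowledgement file described on the page
GRACE="${GRACE:-60}"              # seconds to wait before acting
SSH_PORT="${SSH_PORT:-22}"

# Accept only an integer in 1..65535, so nothing else reaches the ruleset.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# Print an iptables-restore ruleset: default drop, loopback and SSH allowed.
build_lockdown_rules() {
    valid_port "$1" || { echo "invalid port: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --sport $1 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Succeeds while nobody has acknowledged the limit.
lockdown_wanted() { [ ! -e "$1" ]; }

run_lockdown() {
    lockdown_wanted "$ACK_FILE" || return 0
    sleep "$GRACE"                           # window for the operator to intervene
    lockdown_wanted "$ACK_FILE" || return 0  # acknowledged during the wait
    rules=$(build_lockdown_rules "$SSH_PORT") || return 1
    # Validate first; the real load replaces the filter table in one step.
    printf '%s\n' "$rules" | /sbin/iptables-restore --test || return 1
    printf '%s\n' "$rules" | /sbin/iptables-restore
}

# Do nothing unless called with "apply".
if [ "${1:-}" = "apply" ]; then run_lockdown; fi
```

Because iptables-restore replaces the filter table in a single load, an existing session is not cut off halfway through a rule-by-rule sequence.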

Email alerts

If you want to be alerted by email, you need 'sendmail' or a compatible MTA (Mail Transfer Agent). Postfix, Exim and SSMTP should all work. If it is not possible to install one of these programs on your system, you can use the included bashmail.sh instead.

Make sure MTA="/usr/sbin/sendmail" in traflimit.sh is set correctly.

Bashmail

First set MTA="/path/to/bashmail.sh" inside traflimit.sh. You'll also have to configure at least your SMTP server in bashmail.sh (e.g. "smtp.example.com"). Optionally you can enable Authentication and TLS.
