Hello. I have eth1 for WAN (0.0.0.0) and eth0 for LAN (192.168.10.0/24). I need to set it up so that local users get access to the $LOCAL_IP network, and the IPs 192.168.10.2, 192.168.10.3 (there will be more in future) get access to the internet, but the bandwidth to $LOCAL_IP is 128kbps and to the internet is 8kbps.
I wrote rc.firewall:
#!/bin/bash
# env
IPTABLES="/usr/sbin/iptables"
LOCAL_IP="62.64.80.0/21 62.221.38.0/24 ........................" # LOCAL_IP network
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
......... # not important rules ........
# for local_network
$IPTABLES -N local_ip
for net_address in $LOCAL_IP; do
    $IPTABLES -A local_ip -p all -d $net_address -j ACCEPT
done
$IPTABLES -A local_ip -p all -j REJECT
# Forward rules for all
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.2 -m mac --mac-source 00:11:2F:92:D1:5E -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.3 -m mac --mac-source 00:11:11:1D:D6:37 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.5 -m mac --mac-source 00:11:2F:4A:88:47 -j local_ip
$IPTABLES -A FORWARD -s 192.168.10.6 -m mac --mac-source 00:0E:A6:52:76:DD -j local_ip
..............
# If the source isn't from $LOCAL_IP
for net_address in $LOCAL_IP; do
$IPTABLES -t mangle -A FORWARD -s ! $net_address -d 192.168.10.2 -j MARK --set-mark 3
$IPTABLES -t mangle -A FORWARD -s ! $net_address -d 192.168.10.3 -j MARK --set-mark 4
done
# If ip address is from the $LOCAL_IP
for net_address in $LOCAL_IP; do
$IPTABLES -t mangle -A FORWARD -s $net_address -d 192.168.10.2 -j MARK --set-mark 1
$IPTABLES -t mangle -A FORWARD -s $net_address -d 192.168.10.3 -j MARK --set-mark 2
done
# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 195.24.150.150
I marked packets so that I could use the marks for bandwidth control, but if a packet goes from $LOCAL_IP to 192.168.10.2
it gets marked two times (mark 3 then mark 1). Why is iptables doing this?
# config bandwidth
#!/bin/bash
TC=/sbin/tc
# note: in tc, "kbps" is kilobytes per second; "kbit" is kilobits per second
$TC qdisc add dev eth0 root handle 1:0 htb default 4
# sub class of root
$TC class add dev eth0 parent 1:0 classid 1:1 htb rate 136kbps ceil 136kbps
$TC class add dev eth0 parent 1:1 classid 1:2 htb rate 128kbps ceil 128kbps
$TC class add dev eth0 parent 1:1 classid 1:3 htb rate 8kbps ceil 8kbps
# Classes for local users
$TC class add dev eth0 parent 1:2 classid 1:20 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:21 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:22 htb rate 16kbps ceil 128kbps
$TC class add dev eth0 parent 1:2 classid 1:23 htb rate 16kbps ceil 128kbps
$TC filter add dev eth0 protocol ip parent 1:0 handle 1 fw flowid 1:20
$TC filter add dev eth0 protocol ip parent 1:0 handle 2 fw flowid 1:21
$TC filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.10.5 flowid 1:22
$TC filter add dev eth0 protocol ip parent 1:0 u32 match ip dst 192.168.10.6 flowid 1:23
# Classes for inet users
$TC class add dev eth0 parent 1:3 classid 1:30 htb rate 4kbps ceil 8kbps
$TC class add dev eth0 parent 1:3 classid 1:31 htb rate 4kbps ceil 8kbps
$TC filter add dev eth0 protocol ip parent 1:0 handle 3 fw flowid 1:30
$TC filter add dev eth0 protocol ip parent 1:0 handle 4 fw flowid 1:31
# default class for htb
$TC class add dev eth0 parent 1:1 classid 1:4 htb rate 1kbps ceil 1kbps
If someone knows why iptables is doing this, or how to realize it differently, thanks for any help.
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
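The double mark comes from the first loop: with two networks in $LOCAL_IP, `-s ! net_A` matches every packet that is not from net_A, including packets from net_B, so a packet from net_B gets mark 3 there and then mark 1 in the second loop (MARK is non-terminating, so rule processing continues). The script below is an added example, not the poster's rc.firewall: it marks the $LOCAL_IP sources first and sets marks 3/4 only on packets that are still unmarked. It defaults to a dry run (IPTABLES is "echo /usr/sbin/iptables") so the generated rule set can be reviewed; the two networks are the ones from the post, the rest of the list is assumed to be filled in.

```shell
#!/bin/bash
# Added example: mark each forwarded packet exactly once.
# IPTABLES defaults to a dry run that only prints the rules; set
# IPTABLES=/usr/sbin/iptables in the environment to load them for real.
IPTABLES="${IPTABLES:-echo /usr/sbin/iptables}"
LOCAL_IP="62.64.80.0/21 62.221.38.0/24"   # networks from the post (list assumed complete)

mark_rules() {
    # User chain so the marking logic lives in one place (name is an assumption).
    $IPTABLES -t mangle -N mark_fwd

    # 1) Positive matches first: traffic from any $LOCAL_IP network gets mark 1/2.
    for net_address in $LOCAL_IP; do
        $IPTABLES -t mangle -A mark_fwd -s $net_address -d 192.168.10.2 -j MARK --set-mark 1
        $IPTABLES -t mangle -A mark_fwd -s $net_address -d 192.168.10.3 -j MARK --set-mark 2
    done

    # 2) Anything still carrying mark 0 matched none of the $LOCAL_IP networks,
    #    so it is internet traffic. No per-network negation is needed, which is
    #    what caused the "mark 3 then mark 1" double marking in the original.
    $IPTABLES -t mangle -A mark_fwd -m mark --mark 0 -d 192.168.10.2 -j MARK --set-mark 3
    $IPTABLES -t mangle -A mark_fwd -m mark --mark 0 -d 192.168.10.3 -j MARK --set-mark 4

    # 3) Hook the chain into mangle/FORWARD once, for WAN-to-LAN traffic only.
    $IPTABLES -t mangle -A FORWARD -i eth1 -o eth0 -j mark_fwd
}

mark_rules
```

Adding a new LAN host later means one more pair of rules (a new mark in step 1 and step 2) plus the matching tc fw filter, with no change to the structure.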