Thank you for your help! I noticed the ipset tools and I tried to use CONNMARK, but I don't know how to verify whether the bitwise manipulation works. The IP list is random, and the router is an Athlon at 1200 MHz with 64 MB of SDRAM and a PIO mode 4 hard disk. After marking for destination, the packets are marked for prioritization. I tried to use dsmark and some ingress policing, but I failed to understand how they work. Also I'm in a hurry, and for now I try to use what I know. Since I have to shape for two speeds, I have now discovered the --limit filter in iptables and I try to match packets based on their speeds. Each connected client has its own class on dev eth1. There are 38 clients now. On eth2 I shape based on connection ports. Audio/video, chat and interactive traffic (and connection control packets) have higher priority. Here are my script and configuration files (best viewed unwrapped with kwrite):

#!/bin/bash
### firewall.sh ###
# firewall
# TODO: make a README for admin-users, how to add
# clients with public and private IPs from dhcpd and metropolitan addresses
# use ipset for address and port grouping
# boost speeds, ports forward, etc.
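# References:
# http://gentoo-wiki.com/HOWTO_Packet_Shaping
# http://lartc.org/howto
# http://linuxgazette.net/103/odonovan.html
# http://www.netfilter.org/documentation/
# http://www.knowplace.org/shaper/
# http://linux-ip.net/articles/Traffic-Control-HOWTO/
# http://howtos.linux.com/howtos/Traffic-Control-HOWTO/intro.shtml
# http://andthatsjazz.org:8/lartc/

# programs
ip=/usr/sbin/ip
ipt=/usr/sbin/iptables
ipt_s=/usr/sbin/iptables-save
ipt_r=/usr/sbin/iptables-restore
ips=/usr/sbin/ipset
tc=/usr/sbin/tc

# interfaces
# Values written as <...> are placeholders (redacted for the mailing list) and
# must be replaced before the script is run. They are quoted so that a
# forgotten placeholder stays a single (invalid) value instead of being run as
# a command, and so the apostrophe in "ISP's" cannot open an unterminated
# quote that swallows the following lines.
EXT1=eth0
EXT1IP="<first external IP>"
GW1="<our gateway's IP>"
NetP1="<our ISP's local network>"   # 64 public space addresses
PUB1Min="<first usable public IP>"
PUB1Max="<last usable public IP>"
#EXT2=
#EXT2IP=
#GW2=
#NetP2=
INT1=eth1
INT1IP=192.168.101.1
INT1Mask=255.255.255.0
INT1Bcast="<public space broadcast address (not in ISP's LAN)>"
INT1Net=192.168.101.0   # network address; was .255 (the broadcast), which only matched the right hosts because iptables applies $INT1Mask
INT2=eth2
INT2IP=10.0.0.1
INT2Mask=255.255.255.0
INT2Bcast=10.0.0.255
INT2Net=10.0.0.0

# markers: bit 0 of the fwmark says where a packet is going
MARK_NET=0x0   # packets for Internet
MARK_MAN=0x1   # packets for Metropolitan

# interfaces' aliases: each last octet in ext1_aliases.conf becomes
# $NETWORK.<octet>/26 on $DEV. Lines containing '#' are skipped; the command
# substitution is unquoted on purpose so each entry is one loop item.
NETWORK=81.196.157; DEV=eth0
$ip address add 172.22.3.112 dev eth0   # no prefix length given, so iproute2 assumes /32 — confirm that is intended
# Delete with the same /26 the address is added with: the kernel only removes
# an address whose prefix length matches, so on a re-run the original
# "del .../32" removed nothing and the add then failed with "File exists".
for IP in $(grep -v '#' ~adminus/etc/ip_internet/ext1_aliases.conf); do
  $ip addr del "$NETWORK.$IP/26" dev "$DEV" >/dev/null 2>&1
  $ip addr add "$NETWORK.$IP/26" brd "$NETWORK.255" dev "$DEV"
done

echo " 2. Proxy ARP"
# proxy ARP on the external and the first internal interface, presumably so
# the router answers ARP for the public addresses routed to $INT1 below
echo 1 >/proc/sys/net/ipv4/conf/"$EXT1"/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$EXT2/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/"$INT1"/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$INT2/proxy_arp   # the original commented line named $INT1 a second time; $INT2 was presumably meant
# Host routes for the clients.
# NOTE(review): every other loop over these two files builds $NETWORK.$NET.$IP
# from each entry, i.e. the files hold last octets, but here the bare entry is
# handed to "ip route"; and the *private* list is routed via $INT2 although the
# file is named ..._on_int1. Check the file contents and the intended interface
# before relying on these routes.
for IP in $(grep -v '#' ~adminus/etc/ip_local/pub_ips_on_int1.conf); do
  $ip route del "$IP" dev "$INT1" >/dev/null 2>&1
  $ip route add "$IP" dev "$INT1"
done
for IP in $(grep -v '#' ~adminus/etc/ip_local/priv_ips_on_int1.conf); do
  $ip route del "$IP" dev "$INT2" >/dev/null 2>&1
  $ip route add "$IP" dev "$INT2"
done

# Start from empty tables. -F does not reset chain policies; INPUT and FORWARD
# are set to DROP again in the filter section at the end of the script.
$ipt -t raw -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t filter -F

### ### ### ### raw ### ### ### ###

### ### ### ### nat ### ### ### ###
### PREROUTING ###
#$ipt -t nat -A PREROUTING -i $INT1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo " forward ports (5 ports/IP)"
# Each client listed in portfwd.conf (one last octet per line) gets five
# external TCP ports, written as <prefix><octet> (client .7 gets 217, 227,
# 237, 247 and 257), each forwarded to the same port on the client.
# Keep 20 <= prefix <= 65 so <prefix><octet> stays below 65536.
NETWORK=192.168.101
for IP in $(grep -v '#' ~adminus/etc/portfwd.conf); do
  for prefix in 21 22 23 24 25; do
    $ipt -t nat -A PREROUTING -d "$EXT1IP" -p tcp -m tcp --dport "$prefix$IP" \
      -j DNAT --to-destination "$NETWORK.$IP:$prefix$IP"
  done
done

### POSTROUTING ###
echo " nat POSTROUTING"
#$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -j MASQUERADE --to-ports 20000:30000
# The two single-host rules go first: nat is first-match, and in the original
# order the 10.0.0.0/24 rule placed above them also caught 10.0.0.100 and
# 10.0.0.99, so those two hosts were never given the .200 source address.
$ipt -t nat -A POSTROUTING -s 10.0.0.100 -j SNAT --to-source 81.196.157.200
$ipt -t nat -A POSTROUTING -s 10.0.0.99 -j SNAT --to-source 81.196.157.200
$ipt -t nat -A POSTROUTING -s "$INT1Net/$INT1Mask" -o "$EXT1" -j SNAT --to-source "$PUB1Min-$PUB1Max"
$ipt -t nat -A POSTROUTING -s "$INT2Net/$INT2Mask" -o "$EXT1" -j SNAT --to-source "$PUB1Min-$PUB1Max"

### ### ### ### ### mangle ### ### ### ### ###
echo " mangle"
### PREROUTING ###
# mark for QOS: reload the MARK/CONNMARK chains saved at the end of the
# previous run (~adminus/bin/marks), presumably so marking is active while the
# slow rebuild below runs. iptables-restore replaces every table present in
# the file: if that file is a full iptables-save dump rather than
# "iptables-save -t mangle", this also throws away the nat rules built above
# and puts last run's back.
if [ -r ~adminus/bin/marks ]; then
  $ipt_r <~adminus/bin/marks
fi
~adminus/bin/mac.sh

### ### ### ### ### qdiscs ### ### ### ### ###
# building traffic classes and ingress filters
# speeds (the ROOT_* values are documentation only: the root classes below
# spell their rates out; the BULK_* values are used by the per-client loops)
ROOT_NET_RATE=500kbit
ROOT_NET_CEIL=$ROOT_NET_RATE
BULK_NET_RATE=1kbit
BULK_NET_CEIL=128kbit
ROOT_MAN_RATE=95Mbit
ROOT_MAN_CEIL=$ROOT_MAN_RATE   # was $BULK_NET_RATE (1kbit), an obvious slip
BULK_MAN_RATE=512kbit
BULK_MAN_CEIL=90Mbit
# (MARK_NET / MARK_MAN are defined once, in the interfaces section above)

echo " qdisc del"
# Remove last run's qdiscs; "No such file" errors are expected on a fresh boot.
for dev in "$EXT1" "$INT1" "$INT2"; do
  $tc qdisc del dev "$dev" ingress >/dev/null 2>&1
done
#$tc qdisc del dev $EXT2 ingress >/dev/null 2>&1
for dev in "$EXT1" "$INT1" "$INT2"; do
  $tc qdisc del dev "$dev" root >/dev/null 2>&1
done
#$tc qdisc del dev $EXT2 root >/dev/null 2>&1

echo " qdisc add EXT1 egress "
$tc qdisc add dev "$EXT1" root handle 1: htb default FF01
echo " Internet-caffe"
# 1:1 is Internet (500kbit), 1:2 Metropolitan (95Mbit). Odd minors (1:7, 1:5,
# 1:3, 1:FF01) are Internet classes, even ones (1:8, 1:6, 1:4, 1:FF00)
# Metropolitan; the CLASSIFY rules in the mangle section pick the class from
# the fwmark. 1:FF01 is the htb default for packets no rule classifies.
$tc class add dev "$EXT1" parent 1: classid 1:1 htb rate 500kbit ceil 500kbit            # Internet
$tc class add dev "$EXT1" parent 1: classid 1:2 htb rate 95Mbit ceil 95Mbit              # Metropolitan
$tc class add dev "$EXT1" parent 1:1 classid 1:7 htb rate 140kbit ceil 500kbit prio 2    # a/v net traffic
$tc class add dev "$EXT1" parent 1:1 classid 1:5 htb rate 50kbit ceil 500kbit prio 2     # chat net traffic
$tc class add dev "$EXT1" parent 1:1 classid 1:3 htb rate 100kbit ceil 500kbit prio 2    # www net traffic
$tc class add dev "$EXT1" parent 1:2 classid 1:8 htb rate 35Mbit ceil 90Mbit prio 2      # a/v man traffic
$tc class add dev "$EXT1" parent 1:2 classid 1:6 htb rate 5Mbit ceil 90Mbit prio 2       # chat man traffic
$tc class add dev "$EXT1" parent 1:2 classid 1:4 htb rate 20Mbit ceil 90Mbit prio 2      # www man traffic
$tc class add dev "$EXT1" parent 1:1 classid 1:FF01 htb rate 10kbit ceil 500kbit prio 3  # bulk net traffic
$tc class add dev "$EXT1" parent 1:2 classid 1:FF00 htb rate 30Mbit ceil 90Mbit prio 3   # bulk man traffic
$tc qdisc add dev "$EXT1" parent 1:FF01 handle 2: sfq perturb 10
$tc qdisc add dev "$EXT1" parent 1:FF00 handle 3: sfq perturb 10

echo "qdisc add $EXT1 ingress"
$tc qdisc add dev "$EXT1" ingress
# Metropolitan ingress policing — every filter is commented out, so the
# ingress qdisc is currently empty.
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 0 handle 7 fw police rate 10Mbps burst 16k continue flowid :1   # A/V in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 1 handle 5 fw police rate 10Mbps burst 16k continue flowid :1   # chat in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 2 handle 3 fw police rate 10Mbps burst 16k continue flowid :1   # www in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 4 handle 1 fw police rate 90Mbps burst 16k continue flowid :1   # bulk in MAN

echo "CLIENTS"; date >~adminus/log/clase_eth0.log; echo "CLIENTS" >>~adminus/log/clase_eth0.log
# Parents of the per-client classes built in the next section. 1:10 and 1:12
# carry Metropolitan traffic and sit under 1:2, like 1:8/1:6/1:4 above; the
# original put them under 1:1, the 500kbit Internet class, whose ceil then
# capped these 20Mbit classes.
$tc class add dev "$EXT1" parent 1:1 classid 1:9 htb rate 140kbit ceil 500kbit prio 2    # bulk clients' net
$tc class add dev "$EXT1" parent 1:2 classid 1:10 htb rate 20Mbit ceil 90Mbit prio 2     # bulk clients' M.A.N.
$tc class add dev "$EXT1" parent 1:1 classid 1:11 htb rate 140kbit ceil 500kbit prio 1   # special clients' net
$tc class add dev "$EXT1" parent 1:2 classid 1:12 htb rate 20Mbit ceil 90Mbit prio 1     # special clients' M.A.N.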
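echo " bulk clients' classes"; echo " bulk clients' classes" >>~adminus/log/clase_eth0.log

# Hex prefixes of the per-client class minor numbers for one network:
#   bit 7    : 1 = Metropolitan, 0 = Internet
#   bit 6    : 1 = public IP,    0 = private IP
#   bits 0-5 : NETID, the network's number (use a different NETID for every
#              private network and for every public network; one private and
#              one public network may share a NETID)
# Minor = <prefix hex><last octet hex>, neither part zero-padded. Sets
# hIDnet_PRIV, hIDman_PRIV, hIDnet_PUB and hIDman_PUB. The CLASSIFY rules in
# the mangle section compute the same strings, so the scheme must not change
# in one place only. NOTE(review): because nothing is padded, a one-digit
# prefix can collide with a two-digit one (NETID 1 + octet 33 and NETID 18 +
# octet 1 are both "121"); keeping 16 <= NETID <= 63 makes the prefix always
# two hex digits and avoids that.
class_id_prefixes() {
  local netid=$1
  local id_net=0 id_man=128 id_priv=0 id_pub=64
  hIDnet_PRIV=$(printf '%x' $((id_net + id_priv + netid)))
  hIDman_PRIV=$(printf '%x' $((id_man + id_priv + netid)))
  hIDnet_PUB=$(printf '%x' $((id_net + id_pub + netid)))
  hIDman_PUB=$(printf '%x' $((id_man + id_pub + netid)))
}

# --- $EXT1: bulk clients on the private network -------------------------------
# Edit NETWORK/NET/NETID after copy-pasting this block for another network.
NETWORK=192.168; NET=101; NETID=16
class_id_prefixes "$NETID"
# One Internet class (under 1:9) and one Metropolitan class (under 1:10) per
# private client listed in priv_ips_on_int1.conf (one last octet per line;
# lines containing '#' are skipped; the substitution is unquoted on purpose).
for IP in $(grep -v '#' ~adminus/etc/ip_local/priv_ips_on_int1.conf); do
  hIP=$(printf '%x' "$IP")
  $tc class add dev "$EXT1" parent 1:9 classid "1:$hIDnet_PRIV$hIP" htb rate "$BULK_NET_RATE" ceil "$BULK_NET_CEIL" prio 3
  $tc class add dev "$EXT1" parent 1:10 classid "1:$hIDman_PRIV$hIP" htb rate "$BULK_MAN_RATE" ceil "$BULK_MAN_CEIL" prio 3
  echo "$EXT1: $NETWORK.$NET.$IP net (1:9): 1:$hIDnet_PRIV$hIP min: $BULK_NET_RATE max: $BULK_NET_CEIL man (1:10): 1:$hIDman_PRIV$hIP min: $BULK_MAN_RATE max: $BULK_MAN_CEIL" >>~adminus/log/clase_eth0.log
done

# --- $EXT1: special clients ---------------------------------------------------
# All log lines of this section go to ~adminus/log/clase_eth0.log (the original
# sent this one header to ~sorin/log/..., splitting the log over two files).
echo " special clients' classes"; echo " special clients' classes" >>~adminus/log/clase_eth0.log
echo " ip-uri private"; echo " private IPs" >>~adminus/log/clase_eth0.log
# Same network as the bulk loop; recomputed so this part can be copied alone.
NETWORK=192.168; NET=101; NETID=16
class_id_prefixes "$NETID"
IP=2   # 192.168.101.2 FOCUS DESIGN
hIP=$(printf '%x' "$IP")   # computed before the log line (the original logged the bulk loop's last hIP here)
echo "$EXT1: $NETWORK.$NET.$IP net (1:11): 1:$hIDnet_PRIV$hIP min: 64kbit max: 256kbit man (1:12): 1:$hIDman_PRIV$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth0.log
# "replace": the class id already exists from the bulk loop above.
# NOTE(review): replace updates rate/ceil/prio of the existing class; whether
# it also moves the class from 1:9/1:10 to 1:11/1:12 is worth checking with
# "tc -s class show dev $EXT1".
$tc class replace dev "$EXT1" parent 1:11 classid "1:$hIDnet_PRIV$hIP" htb rate 64kbit ceil 256kbit prio 2
$tc class replace dev "$EXT1" parent 1:12 classid "1:$hIDman_PRIV$hIP" htb rate 768kbit ceil 90Mbit prio 2

echo " ip-uri publice"; echo " public IPs" >>~adminus/log/clase_eth0.log
NETWORK=81.196; NET=157; NETID=63
class_id_prefixes "$NETID"
for IP in 253 254; do   # 81.196.157.253 and .254, VIDEO CHAT
  hIP=$(printf '%x' "$IP")
  echo "$EXT1: $NETWORK.$NET.$IP net (1:11): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:12) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth0.log
  $tc class add dev "$EXT1" parent 1:11 classid "1:$hIDnet_PUB$hIP" htb rate 64kbit ceil 256kbit prio 1
  $tc class add dev "$EXT1" parent 1:12 classid "1:$hIDman_PUB$hIP" htb rate 768kbit ceil 90Mbit prio 1
done

# Internet ingress policing on $EXT1 — all disabled.
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 0 handle 6 fw police rate 190kbps burst 16k drop flowid :1   # A/V in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 1 handle 4 fw police rate 62kbps burst 32k drop flowid :1    # chat in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 2 handle 2 fw police rate 126kbps burst 64k drop flowid :1   # www in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1   # bulk in Internet

echo " qdisc add INT1 ingress"
# $INT1 ingress policing — the qdisc and all its filters are disabled.
#$tc qdisc add dev $INT1 ingress
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 0 handle 0x7 fw flowid :1 police rate 10Mbps burst 16k continue    # A/V in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 1 handle 0x5 fw flowid :1 police rate 10Mbps burst 16k continue    # chat in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 2 handle 0x3 fw flowid :1 police rate 10Mbps burst 16k continue    # www in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 4 handle 0x1 fw flowid :1 police rate 95Mbps burst 16k continue    # bulk in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 0 handle 0x6 fw flowid :1 police rate 190kbps burst 16k continue   # A/V in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 1 handle 0x4 fw flowid :1 police rate 62kbps burst 32k continue    # chat in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 2 handle 0x2 fw flowid :1 police rate 126kbps burst 64k continue   # www in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1   # bulk in Internet

echo " qdisc add INT1 egress"
# $INT1 class tree: 1:1 Internet, 1:2 Metropolitan, then one parent per
# client group (continued below). 1:FF01 is the htb default.
$tc qdisc add dev "$INT1" root handle 1: htb default FF01
$tc class add dev "$INT1" parent 1: classid 1:1 htb rate 250kbit ceil 500kbit     # class Internet
$tc class add dev "$INT1" parent 1: classid 1:2 htb rate 45Mbit ceil 90Mbit       # class Metropolitan
$tc class add dev "$INT1" parent 1:1 classid 1:3 htb rate 125kbit ceil 500kbit    # class bulk-clients Internet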
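# Rest of the $INT1 class tree (root, 1:1, 1:2 and 1:3 are created just above).
# NOTE(review): on $INT1 the bulk classes 1:FF01/1:FF00 hang directly off the
# root, outside the 1:1/1:2 aggregates, unlike on $EXT1 where they sit under
# 1:1 and 1:2. Their own ceils still apply, but they do not count against the
# Internet/Metropolitan totals — confirm that is intended.
$tc class add dev "$INT1" parent 1:2 classid 1:4 htb rate 22Mbit ceil 90Mbit       # class bulk-clients Metropolitan
$tc class add dev "$INT1" parent 1:1 classid 1:5 htb rate 125kbit ceil 500kbit     # class special-clients Internet
$tc class add dev "$INT1" parent 1:2 classid 1:6 htb rate 22Mbit ceil 90Mbit       # class special-clients Metropolitan
$tc class add dev "$INT1" parent 1: classid 1:FF01 htb rate 1kbit ceil 500kbit     # class bulk-traffic Internet (htb default)
$tc class add dev "$INT1" parent 1: classid 1:FF00 htb rate 1kbit ceil 90Mbit      # class bulk-traffic Metropolitan
$tc qdisc add dev "$INT1" parent 1:FF01 handle 2: sfq perturb 10   # stochastic fairness for bulk traffic in Internet
$tc qdisc add dev "$INT1" parent 1:FF00 handle 3: sfq perturb 10   # stochastic fairness for bulk traffic in Metropolitan

# Hex prefixes of the per-client class minor numbers for one network
# (bit 7: Metropolitan, bit 6: public IP, bits 0-5: NETID; minor =
# <prefix hex><last octet hex>, nothing zero-padded). Sets hIDnet_PRIV,
# hIDman_PRIV, hIDnet_PUB and hIDman_PUB; the CLASSIFY rules in the mangle
# section must compute the same strings. Keep 16 <= NETID <= 63 so the prefix
# is always two hex digits (otherwise ids of different networks can collide).
class_id_prefixes() {
  local netid=$1
  local id_net=0 id_man=128 id_priv=0 id_pub=64
  hIDnet_PRIV=$(printf '%x' $((id_net + id_priv + netid)))
  hIDman_PRIV=$(printf '%x' $((id_man + id_priv + netid)))
  hIDnet_PUB=$(printf '%x' $((id_net + id_pub + netid)))
  hIDman_PUB=$(printf '%x' $((id_man + id_pub + netid)))
}

# --- $INT1: bulk clients on the private network -------------------------------
# Every log line of this section goes to ~adminus/log/clase_eth1.log (the
# original wrote the loop's lines to ~sorin/log/..., splitting the log).
echo "CLIENTS"; date >~adminus/log/clase_eth1.log; echo "CLIENTI" >>~adminus/log/clase_eth1.log
echo " bulk clients"; echo " bulk clients" >>~adminus/log/clase_eth1.log
# Edit NETWORK/NET/NETID after copy-pasting this block for another network.
NETWORK=192.168; NET=101; NETID=16
class_id_prefixes "$NETID"
# priv_ips_on_int1.conf holds one last octet per line; lines containing '#'
# are skipped and the substitution is unquoted on purpose.
for IP in $(grep -v '#' ~adminus/etc/ip_local/priv_ips_on_int1.conf); do
  hIP=$(printf '%x' "$IP")
  $tc class add dev "$INT1" parent 1:3 classid "1:$hIDnet_PRIV$hIP" htb rate "$BULK_NET_RATE" ceil "$BULK_NET_CEIL" prio 3   # bulk clients' speed in Internet
  $tc class add dev "$INT1" parent 1:4 classid "1:$hIDman_PRIV$hIP" htb rate "$BULK_MAN_RATE" ceil "$BULK_MAN_CEIL" prio 3   # bulk clients' speed in Metropolitan
  echo "$INT1: $NETWORK.$NET.$IP net (1:3): 1:$hIDnet_PRIV$hIP min: $BULK_NET_RATE max: $BULK_NET_CEIL man (1:4): 1:$hIDman_PRIV$hIP min: $BULK_MAN_RATE max: $BULK_MAN_CEIL" >>~adminus/log/clase_eth1.log
done

# --- $INT1: special clients ---------------------------------------------------
echo " special clients" >>~adminus/log/clase_eth1.log
echo " privat IPs" >>~adminus/log/clase_eth1.log
# Same network as the bulk loop; recomputed so this part can be copied alone.
NETWORK=192.168; NET=101; NETID=16
class_id_prefixes "$NETID"
IP=2   # 192.168.101.2 FOCUS DESIGN
hIP=$(printf '%x' "$IP")
# "replace": the ids already exist from the bulk loop. NOTE(review): replace
# updates rate/ceil/prio; whether the class is also moved from 1:3/1:4 to
# 1:5/1:6 is worth checking with "tc -s class show dev $INT1".
$tc class replace dev "$INT1" parent 1:5 classid "1:$hIDnet_PRIV$hIP" htb rate 64kbit ceil 256kbit prio 2   # speed for client FOCUS DESIGN in Internet
$tc class replace dev "$INT1" parent 1:6 classid "1:$hIDman_PRIV$hIP" htb rate 768kbit ceil 90Mbit prio 2   # speed for client FOCUS DESIGN in Metropolitan
echo "$INT1: $NETWORK.$NET.$IP net (1:5): 1:$hIDnet_PRIV$hIP min: 64kbit max: 256kbit man (1:6): 1:$hIDman_PRIV$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth1.log

echo " public IPs" >>~adminus/log/clase_eth1.log
# Public network — this line and the per-client lines below are repeated for
# each used IP of the network.
NETWORK=81.196; NET=157; NETID=63
class_id_prefixes "$NETID"
IP=253   # 81.196.157.253 VIDEO CHAT 1
hIP=$(printf '%x' "$IP")
$tc class add dev "$INT1" parent 1:5 classid "1:$hIDnet_PUB$hIP" htb rate 64kbit ceil 256kbit prio 1   # speed for client VIDEO CHAT 1 in Internet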
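# Hex prefixes of the per-client class minor numbers for one network
# (the scheme the qdisc sections use, so the two must stay in step):
#   bit 7    : 1 = Metropolitan, 0 = Internet
#   bit 6    : 1 = public IP,    0 = private IP
#   bits 0-5 : NETID, the network's number
# Minor = <prefix hex><last octet hex>, neither part zero-padded. Sets
# hIDnet_PRIV, hIDman_PRIV, hIDnet_PUB and hIDman_PUB. Classes 1:1 to 1:6 are
# the parents on $INT1, so NETID must be >= 7; 16 <= NETID <= 63 keeps the
# prefix at two hex digits, which is what keeps the ids unique.
class_id_prefixes() {
  local netid=$1
  local id_net=0 id_man=128 id_priv=0 id_pub=64
  hIDnet_PRIV=$(printf '%x' $((id_net + id_priv + netid)))
  hIDman_PRIV=$(printf '%x' $((id_man + id_priv + netid)))
  hIDnet_PUB=$(printf '%x' $((id_net + id_pub + netid)))
  hIDman_PUB=$(printf '%x' $((id_man + id_pub + netid)))
}

# --- $INT1: special clients on the public network (continued) -----------------
# VIDEO CHAT 1 (81.196.157.253) got its Internet class just above; $hIP and the
# prefixes are still the ones computed for it.
$tc class add dev "$INT1" parent 1:6 classid "1:$hIDman_PUB$hIP" htb rate 768kbit ceil 90Mbit prio 1   # speed for client VIDEO CHAT 1 in Metropolitan
echo "$INT1: $NETWORK.$NET.$IP net (1:5): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:6) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth1.log
IP=254   # 81.196.157.254 VIDEO CHAT 2 (repeat from here for each used IP of the network)
hIP=$(printf '%x' "$IP")
$tc class add dev "$INT1" parent 1:5 classid "1:$hIDnet_PUB$hIP" htb rate 64kbit ceil 256kbit prio 1   # speed for client VIDEO CHAT 2 in Internet
$tc class add dev "$INT1" parent 1:6 classid "1:$hIDman_PUB$hIP" htb rate 768kbit ceil 90Mbit prio 1   # speed for client VIDEO CHAT 2 in Metropolitan
echo "$INT1: $NETWORK.$NET.$IP net (1:5): 1:$hIDnet_PUB$hIP min: 64kbit max: 256kbit man (1:6) 1:$hIDman_PUB$hIP min: 768kbit max: 90Mbit" >>~adminus/log/clase_eth1.log
echo "CLIENTS done."

# --- $INT2 egress: same tree as $EXT1, shaped by port class only --------------
echo " qdisc add INT2 root "
$tc qdisc add dev "$INT2" root handle 1: htb default FF01
$tc class add dev "$INT2" parent 1: classid 1:1 htb rate 500kbit ceil 500kbit            # Internet
$tc class add dev "$INT2" parent 1: classid 1:2 htb rate 95Mbit ceil 95Mbit              # Metropolitan
$tc class add dev "$INT2" parent 1:1 classid 1:7 htb rate 140kbit ceil 500kbit prio 0    # a/v net traffic
$tc class add dev "$INT2" parent 1:1 classid 1:5 htb rate 50kbit ceil 500kbit prio 0     # chat net traffic
$tc class add dev "$INT2" parent 1:1 classid 1:3 htb rate 100kbit ceil 500kbit prio 0    # www net traffic
$tc class add dev "$INT2" parent 1:2 classid 1:8 htb rate 35Mbit ceil 90Mbit prio 0      # a/v man traffic
$tc class add dev "$INT2" parent 1:2 classid 1:6 htb rate 5Mbit ceil 90Mbit prio 0       # chat man traffic
$tc class add dev "$INT2" parent 1:2 classid 1:4 htb rate 20Mbit ceil 90Mbit prio 0      # www man traffic
$tc class add dev "$INT2" parent 1:1 classid 1:FF01 htb rate 10kbit ceil 500kbit prio 3  # bulk net traffic
$tc class add dev "$INT2" parent 1:2 classid 1:FF00 htb rate 30Mbit ceil 90Mbit prio 3   # bulk man traffic
$tc qdisc add dev "$INT2" parent 1:FF01 handle 2: sfq perturb 10
$tc qdisc add dev "$INT2" parent 1:FF00 handle 3: sfq perturb 10
echo " qdisc add INT2 ingress"
$tc qdisc add dev "$INT2" ingress
# $INT2 ingress policing — all filters disabled. (The last commented line names
# dev $INT1; $INT2 was presumably meant.)
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 0 handle 0x7 fw flowid :1 police rate 10Mbps burst 16k drop    # A/V in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 1 handle 0x5 fw flowid :1 police rate 10Mbps burst 16k drop    # chat in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 2 handle 0x3 fw flowid :1 police rate 10Mbps burst 16k drop    # www in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 4 handle 0x1 fw flowid :1 police rate 95Mbps burst 16k drop    # bulk in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 0 handle 0x6 fw flowid :1 police rate 190kbps burst 16k drop   # A/V in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 1 handle 0x4 fw flowid :1 police rate 62kbps burst 32k drop    # chat in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 2 handle 0x2 fw flowid :1 police rate 126kbps burst 64k drop   # www in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1   # bulk in Internet

### ### ### ### ### mangle POSTROUTING: pick the HTB class from the fwmark ### ### ###
echo "POSTROUTING"
echo "filters - CLASSIFY $EXT1 egress"
# The mangle table was flushed and then refilled from ~adminus/bin/marks at the
# start of the script, so start this chain from empty.
$ipt -t mangle -F POSTROUTING
# NOTE(review): the mark -> class mapping is worth verifying before trusting
# the shaping, because three details interact:
#  1. fwmark bit 0 is the Metropolitan flag (MARK_MAN=0x1), so 0x7/0x5/0x3 are
#     the MAN a/v, chat and www marks, yet they are sent to 1:7/1:5/1:3, which
#     the qdisc sections create under 1:1 (the 500kbit Internet class); the
#     Internet marks 0x6/0x4/0x2 go to 1:8/1:6/1:4 under 1:2 (Metropolitan).
#  2. The QOS chain uses "MARK --set-mark 0x2/0x4/0x6", which replaces the
#     whole mark and so clears the bit 0 the MAN chain set just before it.
#     Port-classified MAN traffic therefore arrives here as 0x6/0x4/0x2 and,
#     via 1, ends up in the MAN classes after all — but so does Internet
#     traffic. Fixing only one of the two would push MAN traffic into the
#     500kbit classes; "MARK --or-mark" (where the iptables build has it) plus
#     a corrected mapping fixes both together.
#  3. "-m mark --mark 0x0" / "--mark 0x1" without a mask is an exact match, so
#     the per-client rules below only see unmarked (bulk) traffic; a
#     port-classified packet to an $INT1 client matches no CLASSIFY rule and
#     falls into the htb default class 1:FF01. "--mark 0x0/0x1" and
#     "--mark 0x1/0x1" would test bit 0 alone.
# The per-rule packet counters ("iptables -t mangle -L POSTROUTING -v -n") and
# "tc -s class show dev $EXT1" show which marks and classes really occur. The
# rules are left as they were so the shaping does not change unexpectedly.
# This first group only covers sources in 10.0.0.0/24 (the $INT2 network).
$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:7      # A/V in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:5      # chat in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:3      # www in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:8      # A/V in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:6      # chat in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:4      # www in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF01   # bulk in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o "$EXT1" -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF00   # bulk in MAN

# Per-client CLASSIFY rules: traffic from the client leaving on $EXT1 and
# traffic to the client leaving on $INT1 go to the client's own classes.
# All log lines of this section go to ~adminus/log/filtre.log (the original
# mixed ~adminus and ~sorin paths).
echo "filters - CLASSIFY $INT1 egress"; date >~adminus/log/filtre.log; echo "filters - CLASSIFY $INT1 egress" >>~adminus/log/filtre.log
echo " bulk clients"; echo " bulk clients" >>~adminus/log/filtre.log
# Private network — edit NETWORK/NET/NETID after copy-paste (this line down to
# "done" is repeated for every served network).
NETWORK=192.168; NET=101; NETID=16
class_id_prefixes "$NETID"
for IP in $(grep -v '#' ~adminus/etc/ip_local/priv_ips_on_int1.conf); do
  hIP=$(printf '%x' "$IP")
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_NET" -o "$EXT1" -s "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDnet_PRIV$hIP"   # private IP on $EXT1, Internet
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_MAN" -o "$EXT1" -s "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDman_PRIV$hIP"   # private IP on $EXT1, Metropolitan
  #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP   # private IP on $EXT2, Internet
  #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP   # private IP on $EXT2, Metropolitan
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_NET" -o "$INT1" -d "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDnet_PRIV$hIP"   # private IP on $INT1, Internet
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_MAN" -o "$INT1" -d "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDman_PRIV$hIP"   # private IP on $INT1, Metropolitan
  echo "$NETWORK.$NET.$IP $EXT1: net: 1:$hIDnet_PRIV$hIP man: 1:$hIDman_PRIV$hIP $INT1: net: 1:$hIDnet_PRIV$hIP man: 1:$hIDman_PRIV$hIP" >>~adminus/log/filtre.log
done

echo " special clients"; echo " special clients" >>~adminus/log/filtre.log
# Public network — edit after copy-paste (down to "done" for every served network).
NETWORK=81.196; NET=157; NETID=63
class_id_prefixes "$NETID"
for IP in $(grep -v '#' ~adminus/etc/ip_local/pub_ips_on_int1.conf); do
  hIP=$(printf '%x' "$IP")
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_NET" -o "$EXT1" -s "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDnet_PUB$hIP"   # public IP on $EXT1, Internet
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_MAN" -o "$EXT1" -s "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDman_PUB$hIP"   # public IP on $EXT1, Metropolitan
  #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP
  #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_NET" -o "$INT1" -d "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDnet_PUB$hIP"   # public IP on $INT1, Internet
  $ipt -t mangle -A POSTROUTING -m mark --mark "$MARK_MAN" -o "$INT1" -d "$NETWORK.$NET.$IP" -j CLASSIFY --set-class "1:$hIDman_PUB$hIP"   # public IP on $INT1, Metropolitan
  echo "$NETWORK.$NET.$IP $EXT1: net: 1:$hIDnet_PUB$hIP man: 1:$hIDman_PUB$hIP $INT1: net: 1:$hIDnet_PUB$hIP man: 1:$hIDman_PUB$hIP" >>~adminus/log/filtre.log
done

echo "filters - CLASSIFY $INT2 egress"
# Same mark -> class mapping as for $EXT1 (same caveats), for everything
# leaving on $INT2.
$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o "$INT2" -j CLASSIFY --set-class 1:7
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o "$INT2" -j CLASSIFY --set-class 1:5
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o "$INT2" -j CLASSIFY --set-class 1:3
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o "$INT2" -j CLASSIFY --set-class 1:8
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o "$INT2" -j CLASSIFY --set-class 1:6
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o "$INT2" -j CLASSIFY --set-class 1:4
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o "$INT2" -j CLASSIFY --set-class 1:FF01
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o "$INT2" -j CLASSIFY --set-class 1:FF00

### ### ### ### ### mangle PREROUTING: the MAN and QOS marking chains ### ### ###
$ipt -t mangle -F PREROUTING
echo " creem MAN, QOS si CLIENT"
# -X only deletes an empty chain. After the restore from ~adminus/bin/marks
# at the start of the script MAN and QOS are already populated, so the
# original "-X; -N" pair failed on both and the loops below appended a second
# copy of every rule — and the save at the end of this section then persisted
# the duplicates for the next run. Flush first (errors are expected on the
# very first run, when the chains do not exist yet).
$ipt -t mangle -F MAN 2>/dev/null
$ipt -t mangle -F QOS 2>/dev/null
$ipt -t mangle -X MAN 2>/dev/null
$ipt -t mangle -X QOS 2>/dev/null
$ipt -t mangle -N MAN
$ipt -t mangle -N QOS
$ipt -t mangle -A PREROUTING -j MAN
$ipt -t mangle -A PREROUTING -j QOS

### QOS ###
# Append the rules for one protocol/direction/port to QOS, in the original
# order: one TOS rule per value given after the mark, the MARK rule, a
# CONNMARK save and a RETURN for the matched packets.
#   $1 protocol (tcp/udp), $2 --dport or --sport, $3 port, $4 mark,
#   $5.. TOS values.
# Two TOS values in a row: --set-tos writes the TOS bits, so only the last
# value survives and the first rule is effectively a no-op (kept as written).
# The CONNMARK save has no match, so it saves the mark of every packet that
# reaches it, not only of the matched ones (also kept as written).
qos_port_rules() {
  local proto=$1 dir=$2 port=$3 mark=$4
  shift 4
  local tos
  for tos in "$@"; do
    $ipt -t mangle -A QOS -p "$proto" "$dir" "$port" -j TOS --set-tos "$tos"
  done
  $ipt -t mangle -A QOS -p "$proto" "$dir" "$port" -j MARK --set-mark "$mark"
  $ipt -t mangle -A QOS -j CONNMARK --save-mark
  $ipt -t mangle -A QOS -p "$proto" "$dir" "$port" -j RETURN
}

# Port lists: one port or port range per line; lines containing '#' are
# skipped; the substitution is unquoted on purpose.
echo " TOS chat-ports"
for PORT in $(grep -v '#' ~sorin/etc/ports_qdisc_prio/chat_ports.conf); do
  for proto in tcp udp; do
    for dir in --dport --sport; do
      qos_port_rules "$proto" "$dir" "$PORT" 0x4 Maximize-Reliability Minimize-Delay
    done
  done
done
echo " TOS audio-video ports"
for PORT in $(grep -v '#' ~sorin/etc/ports_qdisc_prio/av_ports.conf); do
  for proto in tcp udp; do
    for dir in --dport --sport; do
      qos_port_rules "$proto" "$dir" "$PORT" 0x6 Minimize-Delay Maximize-Throughput
    done
  done
done
echo " TOS www ports"
# (The original's udp --sport group set its MARK with "--dport" instead, a
# copy-paste slip; every direction now marks the ports it matches.)
for PORT in $(grep -v '#' ~sorin/etc/ports_qdisc_prio/www_ports.conf); do
  for proto in tcp udp; do
    for dir in --dport --sport; do
      qos_port_rules "$proto" "$dir" "$PORT" 0x2 Maximize-Throughput
    done
  done
done
echo " TOS tcp flags"
# NOTE(review): "--tcp-flags ALL, ALL" (the trailing comma is dropped by
# iptables' flag parser) matches only segments with every TCP flag set, which
# normal traffic never carries, so these rules effectively never fire. If the
# intent is to prioritise connection-control segments (SYN/FIN/RST), the flag
# list has to name them. Left as written.
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL, ALL -j RETURN
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p ALL -j RETURN

### MAN ###
echo " MAN mark man (order a pizza and eat till I finish this)"
# Traffic to or from a Metropolitan peer gets bit 0 set, then bits 1-15 (the
# QoS bits) are pulled back from the connection mark. The CONNMARK restore was
# unconditional in the original, i.e. run twice per peer for every packet;
# restricting it to the matched packets yields the same marks (the restore is
# idempotent and the catch-all below repeats it) with two rules per peer less
# to traverse — a concern with a long peer list on this hardware.
for PEER_IP in $(grep -v '#' ~sorin/etc/ip_internet/peer_ips.conf); do
  for dir in -d -s; do
    $ipt -t mangle -A MAN "$dir" "$PEER_IP" -j MARK --set-mark "$MARK_MAN"
    $ipt -t mangle -A MAN "$dir" "$PEER_IP" -j CONNMARK --restore-mark --mask 0xfffe
    $ipt -t mangle -A MAN "$dir" "$PEER_IP" -j RETURN
  done
done
echo " MAN mark net"
# everything else is Internet traffic
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j MARK --set-mark "$MARK_NET"
$ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j RETURN
# Save only the mangle table for the quick reload at the start of the next
# run: a full dump would make that reload also replace the nat table with
# this run's copy, discarding any nat change made by the next run.
$ipt_s -t mangle >~adminus/bin/marks

### POSTROUTING ###
# NOTE(review): this runs, as root, whatever executable is found at
# /mnt/usb/tc-restore and then copies it over the local copy. Anyone who can
# plug in a medium that mounts there gets to replace the shaping setup (and
# run code on the router) at the next start; the local copy should be the
# trusted one, updated deliberately rather than on every run.
if [ -x /mnt/usb/tc-restore ]; then
  /mnt/usb/tc-restore
  cp /mnt/usb/tc-restore ~sorin/bin/
else
  ~sorin/bin/tc-restore
fi
# each IP has its own class

### ### ### ### ### filter ### ### ### ### ###
### INPUT ###
echo "INPUT"
# TODO: Use ~adminus/etc/ports_input_allowed, use -m mport --port for both direction ports if they *ARE* equal
$ipt -t filter -P INPUT DROP
$ipt -t filter -A INPUT -i lo -j ACCEPT   # (listed twice in the original; the second copy could never match)
# NOTE(review): the policy is DROP, but the rules below accept nearly everything
# addressed to the router itself:
#   - any TCP segment with ACK set, on any port, even outside a tracked
#     connection (the ESTABLISHED rule right after it already covers replies);
#   - any UDP datagram with a source port below 1024, whatever its destination;
#   - any TCP or UDP packet whose source OR destination port is >= 1024 (the
#     last four rules of the chain), which includes new connections to every
#     service above 1023 and, from an ephemeral source port, to every service
#     below 1024 outside the 2049/6000/7000 DROP ranges.
# The per-service ACCEPTs (ssh, ftp, http, ...) are therefore mostly redundant
# and the DROP policy applies to a few corner cases only. If the intent is
# "only the listed services", drop the ACK rule, the udp --sport 0:1023 rule
# and the four port-range ACCEPTs. They are kept unchanged here because
# removing them changes what the router accepts.
$ipt -t filter -A INPUT -p tcp --sport 0:1023 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT
$ipt -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
$ipt -t filter -A INPUT -m state --state RELATED -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 1024:65535 --sport 53 -j ACCEPT
for icmp_type in echo-reply destination-unreachable source-quench time-exceeded parameter-problem; do
  $ipt -t filter -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
done
$ipt -t filter -A INPUT -p tcp -m state ! --state NEW --sport 0:1023 -j ACCEPT
$ipt -t filter -A INPUT -p udp --sport 0:1023 -j ACCEPT
# services offered by the router itself
$ipt -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport auth -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ftp -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport rmt -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport rmt -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ftp-data -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport time -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport http -j ACCEPT
$ipt -t filter -A INPUT -p icmp -m limit --icmp-type echo-request --limit 3/second --limit-burst 1000 -j ACCEPT
# these port ranges are reachable from lo only
for range in 2049:2050 6000:6063 7000:7010; do
  $ipt -t filter -A INPUT -p tcp ! -i lo --sport "$range" -j DROP
  $ipt -t filter -A INPUT -p tcp ! -i lo --dport "$range" -j DROP
done
$ipt -t filter -A INPUT -p tcp --sport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p udp --sport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 1024:65535 -j ACCEPT

### FORWARD ###
echo "FORWARD"
$ipt -t filter -P FORWARD DROP
$ipt -t filter -A FORWARD -i lo -j ACCEPT
$ipt -t filter -A FORWARD -o lo -j ACCEPT
# Anti-spoofing first: a packet claiming a $INT1/$INT2 source must arrive on
# that interface. In the original these two DROPs came after the interface
# ACCEPTs below, so a packet from $EXT1 with a forged 192.168.101.x or
# 10.0.0.x source was accepted before they were reached. ("! -i" is the form
# the INPUT chain already uses; "-i !" is the deprecated spelling.)
$ipt -t filter -A FORWARD ! -i "$INT1" -s "$INT1Net/$INT1Mask" -j DROP
$ipt -t filter -A FORWARD ! -i "$INT2" -s "$INT2Net/$INT2Mask" -j DROP
# MSS clamping is a non-terminating target; placed after the ACCEPTs (as in
# the original) it only ever saw traffic that was about to be dropped.
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
echo " ip/mac ACCEPT"
~sorin/bin/mac.sh   # presumably adds the per-MAC ACCEPT rules for $INT1 -> $EXT1 (see the commented rule below)
$ipt -t filter -A FORWARD -o "$INT1" -d "$INT1Net/$INT1Mask" -j ACCEPT
$ipt -t filter -A FORWARD -i "$INT2" -s "$INT2Net/$INT2Mask" -j ACCEPT
$ipt -t filter -A FORWARD -o "$INT2" -d "$INT2Net/$INT2Mask" -j ACCEPT
# NOTE(review): the next rule admits every new connection from the Internet to
# every host on $INT1, not only the DNAT'ed ports; the $INT2 side is limited
# to replies. Confirm this is wanted for the public-IP clients on $INT1.
$ipt -t filter -A FORWARD -i "$EXT1" -o "$INT1" -j ACCEPT
$ipt -t filter -A FORWARD -i "$EXT1" -o "$INT2" -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A FORWARD -i "$INT1" -o "$INT2" -j ACCEPT
$ipt -t filter -A FORWARD -i "$INT2" -o "$INT1" -j ACCEPT
#$ipt -t filter -A FORWARD -i $INT1 -o $EXT1 -j ACCEPT   # done per MAC address (mac.sh)
$ipt -t filter -A FORWARD -i "$INT2" -o "$EXT1" -j ACCEPT
echo " connection/port ACCEPT/DROP"
# Everything from here on is reached only by traffic none of the rules above
# accepted (presumably $INT1 -> $EXT1 flows mac.sh does not cover).
#$ipt -t filter -A FORWARD -f -j ACCEPT
$ipt -t filter -A FORWARD -p icmp -d "$INT1Bcast" -j DROP
$ipt -t filter -A FORWARD -p icmp -d "$INT2Bcast" -j DROP
$ipt -t filter -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p udp --sport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 53 -j ACCEPT
# NOTE(review): these two DROPs are likewise only reached by traffic nothing
# above accepted, so they do not stop SMB between the networks the interface
# rules already accept (e.g. $INT2 -> $EXT1). To make them effective, move
# them above the interface ACCEPTs, restricted to -o $EXT1 if SMB between the
# internal networks must keep working.
$ipt -t filter -A FORWARD -p tcp --dport 139 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 445 -j DROP

### OUTPUT ###
echo "OUTPUT"
$ipt -t filter -P OUTPUT ACCEPT

echo "Preparing for reboot... (iptables-save)"
$ipt_s >/home/adminus/iptables

# Port lists as posted with the script (presumably the contents of the three
# *_ports.conf files read above):
#   A/V ports:  531 554 583 7070 1754:1755 1397:1398 1516 1518 2232 4444 5555 5713:5714 6000 6010
#   CHAT ports: 53 5050 1863 113 529 994 6660:6667 7000 63 5190:5193 22 23 992 37 123 21 990 1517 1519 2103:2105 5222 5269 5715:5717
#   WWW ports (and games): 80 443 280 488 25 109:110 995 143 220 993 516 532 563 631 901 666 4557 4559 27005 27015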
