Re: Too slow computer?

Linux Advanced Routing and Traffic Control

Thank you for your help!
I noticed the ipset tools and I tried to use CONNMARK, but I don't
know how to verify if the bitwise manipulation works. The IP list is
random and the router is an Athlon at 1200 MHz with 64 MB of SDRAM
and a PIO mode 4 hard disk.
After marking for destination, the packets are marked for
prioritization. I tried to use dsmark and some ingress policing but
I've failed to understand how they work. Also I'm in a hurry and I try
to use what I know for now. Since I have to shape for two speeds, I've
now discovered the --limit filter in iptables and I try to match
packets based on their speeds.
Each connected client has its own class on dev eth1. There are 38
clients now. On eth2 I shape based on connection ports. Audio/video,
chat and interactive traffic (and connection control packets) have
higher priority. Here are my script and configuration files (best
viewed unwrapped with kwrite):

#!/bin/bash
 ### firewall.sh ###

# firewall
# TODO: make a README for admin-users, how to add
#        clients with public and private IPs from dhcpd
#        and metropolitan addresses
#        use ipset for address and port grouping
#        boost speeds, ports forward, etc.
# http://gentoo-wiki.com/HOWTO_Packet_Shaping
# http://lartc.org/howto
# http://linuxgazette.net/103/odonovan.html
# http://www.netfilter.org/documentation/
# http://www.knowplace.org/shaper/
# http://linux-ip.net/articles/Traffic-Control-HOWTO/
# http://howtos.linux.com/howtos/Traffic-Control-HOWTO/intro.shtml
# http://andthatsjazz.org:8/lartc/


# programs
ip=/usr/sbin/ip
ipt=/usr/sbin/iptables
ipt_s=/usr/sbin/iptables-save
ipt_r=/usr/sbin/iptables-restore
ips=/usr/sbin/ipset
tc=/usr/sbin/tc

# interfaces (the real addresses were replaced by placeholders before
# posting; they are quoted here so the script still parses)
EXT1=eth0
EXT1IP="first external IP"
GW1="our gateway's IP"
NetP1="our ISP's local network"
# 64 public space addresses
PUB1Min="first usable public IP"
PUB1Max="last usable public IP"

#EXT2=
#EXT2IP=
#GW2=
#NetP2=

INT1=eth1
INT1IP=192.168.101.1
INT1Mask=255.255.255.0
INT1Bcast="public space broadcast address (not in ISP's LAN)"
INT1Net=192.168.101.255

INT2=eth2
INT2IP=10.0.0.1
INT2Mask=255.255.255.0
INT2Bcast=10.0.0.255
INT2Net=10.0.0.0

# markers
MARK_NET=0x0 # packets for Internet
MARK_MAN=0x1 # packets for Metropolitan


# interfaces' aliases
NETWORK=81.196.157;DEV=eth0
$ip address add 172.22.3.112 dev eth0
for IP in $( grep -v \# ~adminus/etc/ip_internet/ext1_aliases.conf ); do
    $ip addr del $NETWORK.$IP/32 dev $DEV 2>/dev/null >/dev/null
done
for IP in $( grep -v \# ~adminus/etc/ip_internet/ext1_aliases.conf ); do
    $ip addr add $NETWORK.$IP/26 brd $NETWORK.255 dev $DEV
done
echo " 2. Proxy ARP"
# proxy ARP
echo 1 >/proc/sys/net/ipv4/conf/$EXT1/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$EXT2/proxy_arp
echo 1 >/proc/sys/net/ipv4/conf/$INT1/proxy_arp
#echo 1 >/proc/sys/net/ipv4/conf/$INT1/proxy_arp
for IP in $( grep -v \# ~adminus/etc/ip_local/pub_ips_on_int1.conf ); do
    $ip route del $IP dev $INT1 2>/dev/null >/dev/null
    $ip route add $IP dev $INT1
done
for IP in $( grep -v \# ~adminus/etc/ip_local/priv_ips_on_int1.conf ); do
    $ip route del $IP dev $INT2 2>/dev/null >/dev/null
    $ip route add $IP dev $INT2
done

$ipt -t raw    -F
$ipt -t nat    -F
$ipt -t mangle -F
$ipt -t filter -F


 ### ### ###
 ### raw ###
 ### ### ###

 ### ### ###
 ### nat ###
 ### ### ###

 ### PREROUTING ###
#$ipt -t nat -A PREROUTING -i $INT1 -p tcp --dport 80 -j REDIRECT --to-port 3128
echo " forward ports (5 ports/IP)"
NETWORK=192.168.101;NETID1=21;NETID2=22;NETID3=23;NETID4=24;NETID5=25;
# 20 <= NETID <= 65
for IP in $( grep -v \# ~adminus/etc/portfwd.conf ); do
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID1$IP -j DNAT --to-destination $NETWORK.$IP:$NETID1$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID2$IP -j DNAT --to-destination $NETWORK.$IP:$NETID2$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID3$IP -j DNAT --to-destination $NETWORK.$IP:$NETID3$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID4$IP -j DNAT --to-destination $NETWORK.$IP:$NETID4$IP
    $ipt -t nat -A PREROUTING -d $EXT1IP -p tcp -m tcp --dport $NETID5$IP -j DNAT --to-destination $NETWORK.$IP:$NETID5$IP
done

 ### POSTROUTING ###
echo " nat POSTROUTING"
#$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -j MASQUERADE --to-ports 20000:30000
$ipt -t nat -A POSTROUTING -s $INT1Net/$INT1Mask -o $EXT1 -j SNAT --to-source $PUB1Min-$PUB1Max
$ipt -t nat -A POSTROUTING -s $INT2Net/$INT2Mask -o $EXT1 -j SNAT --to-source $PUB1Min-$PUB1Max
$ipt -t nat -A POSTROUTING -s 10.0.0.100 -j SNAT --to-source 81.196.157.200
$ipt -t nat -A POSTROUTING -s 10.0.0.99  -j SNAT --to-source 81.196.157.200

 ### ###  ### ###
 ###  mangle  ###
 ### ###  ### ###

echo " mangle"

 ### PREROUTING ###
# mark for QOS
cat ~adminus/bin/marks | $ipt_r
~adminus/bin/mac.sh

 ### ###  ### ###
 ###  qdiscs  ###
 ### ###  ### ###

# building traffic classes and ingress filters
# speeds
ROOT_NET_RATE=500kbit
ROOT_NET_CEIL=$ROOT_NET_RATE
BULK_NET_RATE=1kbit
BULK_NET_CEIL=128kbit
ROOT_MAN_RATE=95Mbit
ROOT_MAN_CEIL=$BULK_NET_RATE
BULK_MAN_RATE=512kbit
BULK_MAN_CEIL=90Mbit

# markers
MARK_NET=0x0 # Internet packet
MARK_MAN=0x1 # Metropolitan packet

echo " qdisc del"
 $tc qdisc del dev $EXT1 ingress 2>/dev/null >/dev/null
#$tc qdisc del dev $EXT2 ingress 2>/dev/null >/dev/null
 $tc qdisc del dev $INT1 ingress 2>/dev/null >/dev/null
 $tc qdisc del dev $INT2 ingress 2>/dev/null >/dev/null
 $tc qdisc del dev $EXT1 root    2>/dev/null >/dev/null
#$tc qdisc del dev $EXT2 root    2>/dev/null >/dev/null
 $tc qdisc del dev $INT1 root    2>/dev/null >/dev/null
 $tc qdisc del dev $INT2 root    2>/dev/null >/dev/null
echo " qdisc add EXT1 egress "
$tc qdisc add dev $EXT1 root handle 1: htb default FF01
echo "  Internet-caffe"
$tc class add dev $EXT1 parent 1:  classid 1:1 htb rate 500kbit ceil 500kbit # Internet
$tc class add dev $EXT1 parent 1:  classid 1:2 htb rate  95Mbit ceil  95Mbit # Metropolitan
$tc class add dev $EXT1 parent 1:1 classid 1:7 htb rate 140kbit ceil 500kbit prio 2 # a/v  net traffic
$tc class add dev $EXT1 parent 1:1 classid 1:5 htb rate  50kbit ceil 500kbit prio 2 # chat net traffic
$tc class add dev $EXT1 parent 1:1 classid 1:3 htb rate 100kbit ceil 500kbit prio 2 # www  net traffic
$tc class add dev $EXT1 parent 1:2 classid 1:8 htb rate  35Mbit ceil  90Mbit prio 2 # a/v  man traffic
$tc class add dev $EXT1 parent 1:2 classid 1:6 htb rate   5Mbit ceil  90Mbit prio 2 # chat man traffic
$tc class add dev $EXT1 parent 1:2 classid 1:4 htb rate  20Mbit ceil  90Mbit prio 2 # www  man traffic
$tc class add dev $EXT1 parent 1:1 classid 1:FF01 htb rate 10kbit ceil 500kbit prio 3 # bulk net traffic
$tc class add dev $EXT1 parent 1:2 classid 1:FF00 htb rate 30Mbit ceil  90Mbit prio 3 # bulk man traffic
$tc qdisc add dev $EXT1 parent 1:FF01 handle 2: sfq perturb 10
$tc qdisc add dev $EXT1 parent 1:FF00 handle 3: sfq perturb 10
echo "qdisc add $EXT1 ingress"
$tc qdisc  add dev $EXT1 ingress
# Metropolitan ingress
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 0 handle 7 fw police rate  10Mbps burst 16k continue flowid :1 # A/V  in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 1 handle 5 fw police rate  10Mbps burst 16k continue flowid :1 # chat in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 2 handle 3 fw police rate  10Mbps burst 16k continue flowid :1 # www  in MAN
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 4 handle 1 fw police rate  90Mbps burst 16k continue flowid :1 # bulk in MAN
echo "CLIENTS";date >~adminus/log/clase_eth0.log;echo "CLIENTS" >>~adminus/log/clase_eth0.log
$tc class add dev $EXT1 parent 1:1 classid 1:9  htb rate 140kbit ceil 500kbit prio 2 # bulk clients' net
$tc class add dev $EXT1 parent 1:2 classid 1:10 htb rate  20Mbit ceil  90Mbit prio 2 # bulk clients' M.A.N. (parent 1:2 = Metropolitan, as on $INT1)
$tc class add dev $EXT1 parent 1:1 classid 1:11 htb rate 140kbit ceil 500kbit prio 1 # special clients' net
$tc class add dev $EXT1 parent 1:2 classid 1:12 htb rate  20Mbit ceil  90Mbit prio 1 # special clients' M.A.N. (parent 1:2 = Metropolitan, as on $INT1)
echo "  bulk clients' classes";echo "  bulk clients' classes" >>~adminus/log/clase_eth0.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
for IP in $( grep -v \# ~adminus/etc/ip_local/priv_ips_on_int1.conf ); do
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $tc class add dev $EXT1 parent 1:9  classid 1:$hIDnet_PRIV$hIP htb rate $BULK_NET_RATE ceil $BULK_NET_CEIL prio 3
    $tc class add dev $EXT1 parent 1:10 classid 1:$hIDman_PRIV$hIP htb rate $BULK_MAN_RATE ceil $BULK_MAN_CEIL prio 3
    echo "$EXT1: $NETWORK.$NET.$IP         net (1:9): 1:$hIDnet_PRIV$hIP   min: $BULK_NET_RATE  max: $BULK_NET_CEIL    man (1:10): 1:$hIDman_PRIV$hIP   min: $BULK_MAN_RATE  max: $BULK_MAN_CEIL" >>~adminus/log/clase_eth0.log
done
echo "  special clients' classes";echo "  special clients' classes" >>~sorin/log/clase_eth0.log
echo "     ip-uri private";echo "     private IPs" >>~adminus/log/clase_eth0.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste; 16 < NETID < 192; NETID = network's criterium number;
# Set different NETIDs for all private or public networks; you can set the same NETID for one private network and one public network
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
 IP=2 # 192.168.101.002 FOCUS DESIGN
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP` # computed before the echo, so the log shows this client's handle
 echo "$EXT1: $NETWORK.$NET.$IP         net (1:11): 1:$hIDnet_PRIV$hIP   min: 64kbit  max: 256kbit    man (1:12): 1:$hIDman_PRIV$hIP   min: 768kbit  max: 90Mbit" >>~adminus/log/clase_eth0.log
 $tc class replace dev $EXT1 parent 1:11 classid 1:$hIDnet_PRIV$hIP htb rate  64kbit ceil 256kbit prio 2 # replace because the class' ID (handle) exists from the previous network
 $tc class replace dev $EXT1 parent 1:12 classid 1:$hIDman_PRIV$hIP htb rate 768kbit ceil  90Mbit prio 2 # replace because the class' ID (handle) exists from the previous network
echo "     ip-uri publice";echo "     public IPs" >>~adminus/log/clase_eth0.log
NETWORK=81.196;NET=157;NETID=63 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit these
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
IP=253 #  81.196.157.253 VIDEO CHAT
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 echo "$EXT1: $NETWORK.$NET.$IP         net (1:11): 1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit    man (1:12) 1:$hIDman_PUB$hIP   min: 768kbit  max: 90Mbit" >>~adminus/log/clase_eth0.log
 $tc class add dev $EXT1 parent 1:11 classid 1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1
 $tc class add dev $EXT1 parent 1:12 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1
IP=254 #  81.196.157.254 VIDEO CHAT
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 echo "$EXT1: $NETWORK.$NET.$IP         net (1:11): 1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit    man (1:12) 1:$hIDman_PUB$hIP    min: 768kbit  max: 90Mbit" >>~adminus/log/clase_eth0.log
 $tc class add dev $EXT1 parent 1:11 classid 1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1
 $tc class add dev $EXT1 parent 1:12 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1
# Internet ingress
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 0 handle 6 fw police rate 190kbps burst 16k drop flowid :1 # A/V  in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 1 handle 4 fw police rate  62kbps burst 32k drop flowid :1 # chat in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 2 handle 2 fw police rate 126kbps burst 64k drop flowid :1 # www  in Internet
#$tc filter add dev $EXT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1 # bulk in Internet

echo " qdisc add INT1 ingress"
#$tc qdisc  add dev $INT1 ingress
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 0 handle 0x7 fw flowid :1 police rate  10Mbps burst 16k continue # A/V  in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 1 handle 0x5 fw flowid :1 police rate  10Mbps burst 16k continue # chat in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 2 handle 0x3 fw flowid :1 police rate  10Mbps burst 16k continue # www  in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 4 handle 0x1 fw flowid :1 police rate  95Mbps burst 16k continue # bulk in MAN
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 0 handle 0x6 fw flowid :1 police rate 190kbps burst 16k continue # A/V  in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 1 handle 0x4 fw flowid :1 police rate  62kbps burst 32k continue # chat in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 2 handle 0x2 fw flowid :1 police rate 126kbps burst 64k continue # www  in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1 # bulk in Internet
echo " qdisc add INT1 egress"
$tc qdisc add dev $INT1 root handle 1: htb default FF01
$tc class add dev $INT1 parent 1:  classid 1:1    htb rate 250kbit ceil 500kbit # class Internet
$tc class add dev $INT1 parent 1:  classid 1:2    htb rate  45Mbit ceil  90Mbit # class Metropolitan
$tc class add dev $INT1 parent 1:1 classid 1:3    htb rate 125kbit ceil 500kbit # class bulk-clients Internet
$tc class add dev $INT1 parent 1:2 classid 1:4    htb rate  22Mbit ceil  90Mbit # class bulk-clients Metropolitan
$tc class add dev $INT1 parent 1:1 classid 1:5    htb rate 125kbit ceil 500kbit # class special-clients Internet
$tc class add dev $INT1 parent 1:2 classid 1:6    htb rate  22Mbit ceil  90Mbit # class special-clients Metropolitan
$tc class add dev $INT1 parent 1:  classid 1:FF01 htb rate   1kbit ceil 500kbit # class bulk-traffic Internet
$tc class add dev $INT1 parent 1:  classid 1:FF00 htb rate   1kbit ceil  90Mbit # class bulk-traffic Metropolitan
$tc qdisc add dev $INT1 parent 1:FF01 handle 2: sfq perturb 10 # Stochastic Fairness for bulk traffic in Internet
$tc qdisc add dev $INT1 parent 1:FF00 handle 3: sfq perturb 10 # Stochastic Fairness for bulk traffic in Metropolitan
echo "CLIENTS";date >~adminus/log/clase_eth1.log;echo "CLIENTI" >>~adminus/log/clase_eth1.log
echo "  bulk clients";echo "  bulk clients" >>~adminus/log/clase_eth1.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
for IP in $( grep -v \# ~adminus/etc/ip_local/priv_ips_on_int1.conf ); do
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $tc class add dev $INT1 parent 1:3 classid 1:$hIDnet_PRIV$hIP htb rate $BULK_NET_RATE ceil $BULK_NET_CEIL prio 3 # bulk clients' speed in Internet
    $tc class add dev $INT1 parent 1:4 classid 1:$hIDman_PRIV$hIP htb rate $BULK_MAN_RATE ceil $BULK_MAN_CEIL prio 3 # bulk clients' speed in Metropolitan
    echo "$INT1: $NETWORK.$NET.$IP         net (1:3):   1:$hIDnet_PRIV$hIP   min: $BULK_NET_RATE  max: $BULK_NET_CEIL          man (1:4): 1:$hIDman_PRIV$hIP   min: $BULK_MAN_RATE  max: $BULK_MAN_CEIL" >>~sorin/log/clase_eth1.log
done
echo "  special clients" >>~adminus/log/clase_eth1.log
echo "     private IPs" >>~adminus/log/clase_eth1.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit these
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
 IP=2 # 192.168.101.002 FOCUS DESIGN
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class replace dev $INT1 parent 1:5 classid 1:$hIDnet_PRIV$hIP htb rate  64kbit ceil 256kbit prio 2 # speed for client FOCUS DESIGN in Internet
 $tc class replace dev $INT1 parent 1:6 classid 1:$hIDman_PRIV$hIP htb rate 768kbit ceil  90Mbit prio 2 # speed for client FOCUS DESIGN in Metropolitan
 echo "$INT1: $NETWORK.$NET.$IP         net (1:5):   1:$hIDnet_PRIV$hIP   min: 64kbit  max: 256kbit          man (1:6):   1:$hIDman_PRIV$hIP   min: 768kbit  max: 90Mbit" >>~adminus/log/clase_eth1.log
echo "     public IPs" >>~adminus/log/clase_eth1.log
NETWORK=81.196;NET=157;NETID=63 # edit this after copy-paste (this and the next 3 rows must be copied for each used IP in the above network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
IP=253 #  81.196.157.253 VIDEO CHAT 1 (this and the next 3 rows must be copied for each used IP in the above network)
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class add dev $INT1 parent 1:5 classid 1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1 # speed for client VIDEO CHAT 1 in Internet
 $tc class add dev $INT1 parent 1:6 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1 # speed for client VIDEO CHAT 1 in Metropolitan
 echo "$INT1: $NETWORK.$NET.$IP         net (1:5):   1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit          man (1:6)   1:$hIDman_PUB$hIP   min: 768kbit  max: 90Mbit" >>~adminus/log/clase_eth1.log
IP=254 #  81.196.157.254 VIDEO CHAT 2 (this and the next 3 rows must be copied for each used IP in the above network)
 hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
 $tc class add dev $INT1 parent 1:5 classid 1:$hIDnet_PUB$hIP htb rate  64kbit ceil 256kbit prio 1 # speed for client VIDEO CHAT 2 in Internet
 $tc class add dev $INT1 parent 1:6 classid 1:$hIDman_PUB$hIP htb rate 768kbit ceil  90Mbit prio 1 # speed for client VIDEO CHAT 2 in Metropolitan
 echo "$INT1: $NETWORK.$NET.$IP         net (1:5):   1:$hIDnet_PUB$hIP   min: 64kbit  max: 256kbit          man (1:6)   1:$hIDman_PUB$hIP   min: 768kbit  max: 90Mbit" >>~adminus/log/clase_eth1.log
echo "CLIENTS done."

echo " qdisc add INT2 root "
$tc qdisc add dev $INT2 root handle 1: htb default FF01
$tc class add dev $INT2 parent 1:  classid 1:1 htb rate 500kbit ceil 500kbit
$tc class add dev $INT2 parent 1:  classid 1:2 htb rate  95Mbit ceil  95Mbit
$tc class add dev $INT2 parent 1:1 classid 1:7   htb rate 140kbit ceil 500kbit prio 0 # a/v  net traffic
$tc class add dev $INT2 parent 1:1 classid 1:5   htb rate  50kbit ceil 500kbit prio 0 # chat net traffic
$tc class add dev $INT2 parent 1:1 classid 1:3   htb rate 100kbit ceil 500kbit prio 0 # www  net traffic
$tc class add dev $INT2 parent 1:2 classid 1:8   htb rate  35Mbit ceil  90Mbit prio 0 # a/v  man traffic
$tc class add dev $INT2 parent 1:2 classid 1:6   htb rate   5Mbit ceil  90Mbit prio 0 # chat man traffic
$tc class add dev $INT2 parent 1:2 classid 1:4   htb rate  20Mbit ceil  90Mbit prio 0 # www  man traffic
$tc class add dev $INT2 parent 1:1 classid 1:FF01 htb rate 10kbit ceil 500kbit prio 3 # bulk net traffic
$tc class add dev $INT2 parent 1:2 classid 1:FF00 htb rate 30Mbit ceil  90Mbit prio 3 # bulk man traffic
$tc qdisc add dev $INT2 parent 1:FF01 handle 2: sfq perturb 10
$tc qdisc add dev $INT2 parent 1:FF00 handle 3: sfq perturb 10
echo " qdisc add INT2 ingress"
$tc qdisc  add dev $INT2 ingress
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 0 handle 0x7 fw flowid :1 police rate  10Mbps burst 16k drop # A/V  in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 1 handle 0x5 fw flowid :1 police rate  10Mbps burst 16k drop # chat in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 2 handle 0x3 fw flowid :1 police rate  10Mbps burst 16k drop # www  in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 4 handle 0x1 fw flowid :1 police rate  95Mbps burst 16k drop # bulk in MAN
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 0 handle 0x6 fw flowid :1 police rate 190kbps burst 16k drop # A/V  in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 1 handle 0x4 fw flowid :1 police rate  62kbps burst 32k drop # chat in Internet
#$tc filter add dev $INT2 parent FFFF: protocol ip prio 2 handle 0x2 fw flowid :1 police rate 126kbps burst 64k drop # www  in Internet
#$tc filter add dev $INT1 parent FFFF: protocol ip prio 3 u32 match ip dst 0.0.0.0/0 police rate 126kbit burst 1k drop flowid :1 # bulk in Internet

 ### POSTROUTING ###
echo "POSTROUTING"
echo "filters - CLASSIFY $EXT1 egress"

$ipt -t mangle -F POSTROUTING

$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:7    # A/V  in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:5    # chat in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:3    # www  in MAN
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:8    # A/V  in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:6    # chat in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:4    # www  in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF01 # bulk in Internet
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o $EXT1 -s 10.0.0.0/24 -j CLASSIFY --set-class 1:FF00 # bulk in MAN

echo "filters - CLASSIFY $INT1 egress";date >~adminus/log/filtre.log;echo "filters - CLASSIFY $INT1 egress" >>~adminus/log/filtre.log
echo "  bulk clients";echo "  bulk clients" >>~adminus/log/filtre.log
NETWORK=192.168;NET=101;NETID=16 # edit this after copy-paste (this row down to done must be copied for each served network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # don't edit
# The first bit in class' MINOR is: 1 = metropolitan; 0 = Internet
# The second bit in class' MINOR is: 1 = IP public; 0 = IP private
# The next 6 bits represent NETID (class number)
# Attention: classes with MINOR from 1 to 6 are used by parents on $INT1, so NETID >= 7 !!!
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # don't edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # don't edit
for IP in $( grep -v \# ~adminus/etc/ip_local/priv_ips_on_int1.conf ); do
 #   if IP = { 0 1 2 3 4 5 6 7 8 9 a b c d e f A B C D E F }; then IP=0$IP; fi
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP # private IP in $EXT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP # private IP in $EXT1 Metropolitan
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP # private IP in $EXT2 Internet
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP # private IP in $EXT2 Metropolitan
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PRIV$hIP # private IP in $INT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PRIV$hIP # private IP in $INT1 Metropolitan
    echo "$NETWORK.$NET.$IP         $EXT1:   net: 1:$hIDnet_PRIV$hIP   man: 1:$hIDman_PRIV$hIP       $INT1:   net: 1:$hIDnet_PRIV$hIP   man: 1:$hIDman_PRIV$hIP" >>~sorin/log/filtre.log
done
echo "  special clients";echo "  special clients" >>~sorin/log/filtre.log
NETWORK=81.196;NET=157;NETID=63 # edit this after copy-paste (down to done is for every served network)
ID_NET=0;ID_MAN=128;ID_PRIV=0;ID_PUB=64 # do not edit
IDnet_PRIV=$((ID_NET+ID_PRIV+NETID));IDman_PRIV=$((ID_MAN+ID_PRIV+NETID));IDnet_PUB=$((ID_NET+ID_PUB+NETID));IDman_PUB=$((ID_MAN+ID_PUB+NETID)) # do not edit
hIDnet_PRIV=`printf "%x" $IDnet_PRIV`;hIDman_PRIV=`printf "%x" $IDman_PRIV`;hIDnet_PUB=`printf "%x" $IDnet_PUB`;hIDman_PUB=`printf "%x" $IDman_PUB` # do not edit
for IP in $( grep -v \# ~adminus/etc/ip_local/pub_ips_on_int1.conf ); do
#    if IP = { 0 1 2 3 4 5 6 7 8 9 a b c d e f A B C D E F }; then IP=0$IP; fi
    hNET=`printf "%x" $NET`;hIP=`printf "%x" $IP`
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP # public IP in $EXT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT1 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP # public IP in $EXT1 Metropolitan
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP
    #$ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $EXT2 -s $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_NET -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDnet_PUB$hIP # public IP in $INT1 Internet
    $ipt -t mangle -A POSTROUTING -m mark --mark $MARK_MAN -o $INT1 -d $NETWORK.$NET.$IP -j CLASSIFY --set-class 1:$hIDman_PUB$hIP # public IP in $INT1 Metropolitan
    echo "$NETWORK.$NET.$IP         $EXT1:   net: 1:$hIDnet_PUB$hIP   man: 1:$hIDman_PUB$hIP       $INT1:   net: 1:$hIDnet_PUB$hIP   man: 1:$hIDman_PUB$hIP" >>~sorin/log/filtre.log
done

echo "filters - CLASSIFY $INT2 egress"
$ipt -t mangle -A POSTROUTING -m mark --mark 0x7 -o $INT2 -j CLASSIFY --set-class 1:7
$ipt -t mangle -A POSTROUTING -m mark --mark 0x5 -o $INT2 -j CLASSIFY --set-class 1:5
$ipt -t mangle -A POSTROUTING -m mark --mark 0x3 -o $INT2 -j CLASSIFY --set-class 1:3
$ipt -t mangle -A POSTROUTING -m mark --mark 0x6 -o $INT2 -j CLASSIFY --set-class 1:8
$ipt -t mangle -A POSTROUTING -m mark --mark 0x4 -o $INT2 -j CLASSIFY --set-class 1:6
$ipt -t mangle -A POSTROUTING -m mark --mark 0x2 -o $INT2 -j CLASSIFY --set-class 1:4
$ipt -t mangle -A POSTROUTING -m mark --mark 0x0 -o $INT2 -j CLASSIFY --set-class 1:FF01
$ipt -t mangle -A POSTROUTING -m mark --mark 0x1 -o $INT2 -j CLASSIFY --set-class 1:FF00
 ### ###  ### ###
 ###  mangle  ###
 ### ###  ### ###


 ### PREROUTING ###
$ipt -t mangle -F PREROUTING
echo " creem MAN, QOS si CLIENT"
$ipt -t mangle -X MAN
$ipt -t mangle -X QOS
$ipt -t mangle -N MAN
$ipt -t mangle -N QOS
$ipt -t mangle -Z MAN
$ipt -t mangle -Z QOS



$ipt -t mangle -A PREROUTING -j MAN
$ipt -t mangle -A PREROUTING -j QOS


        ### QOS ###
echo " TOS chat-ports"
for PORT in $( grep -v \# ~sorin/etc/ports_qdisc_prio/chat_ports.conf ); do
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Maximize-Reliability
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK --set-mark 0x4
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j RETURN
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Maximize-Reliability
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK --set-mark 0x4
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j RETURN
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Maximize-Reliability
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK --set-mark 0x4
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p udp --dport $PORT -j RETURN
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Maximize-Reliability
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p udp --sport $PORT -j MARK --set-mark 0x4
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p udp --sport $PORT -j RETURN
done
echo " TOS audio-video ports"
for PORT in $( grep -v \# ~sorin/etc/ports_qdisc_prio/av_ports.conf ); do
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK --set-mark 0x6
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j RETURN
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK --set-mark 0x6
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j RETURN
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK --set-mark 0x6
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p udp --dport $PORT -j RETURN
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Minimize-Delay
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --sport $PORT -j MARK --set-mark 0x6
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p udp --sport $PORT -j RETURN
done
echo " TOS www ports"
for PORT in $( grep -v \# ~sorin/etc/ports_qdisc_prio/www_ports.conf ); do
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j MARK --set-mark 0x2
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p tcp --dport $PORT -j RETURN
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j MARK --set-mark 0x2
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p tcp --sport $PORT -j RETURN
    $ipt -t mangle -A QOS -p udp --dport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --dport $PORT -j MARK --set-mark 0x2
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p udp --dport $PORT -j RETURN
    $ipt -t mangle -A QOS -p udp --sport $PORT -j TOS --set-tos Maximize-Throughput
    $ipt -t mangle -A QOS -p udp --sport $PORT -j MARK --set-mark 0x2 # --sport here (was --dport, a copy-paste slip)
    $ipt -t mangle -A QOS -j CONNMARK --save-mark
    $ipt -t mangle -A QOS -p udp --sport $PORT -j RETURN
done
echo " TOS tcp flags"
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j MARK --set-mark 0x6
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j TOS --set-tos Minimize-Delay
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j TOS --set-tos Maximize-Throughput
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j TOS --set-tos Maximize-Reliability
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p tcp --tcp-flags ALL ALL -j RETURN
$ipt -t mangle -A QOS -j CONNMARK --save-mark
$ipt -t mangle -A QOS -p all -j RETURN



        ### MAN ###
echo " MAN mark man (order a pizza and eat till I finish this)"
for PEER_IP in $( cat ~sorin/etc/ip_internet/peer_ips.conf | grep -v \# ); do
    $ipt -t mangle -A MAN -d $PEER_IP -j MARK --set-mark $MARK_MAN
    $ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
    $ipt -t mangle -A MAN -d $PEER_IP -j RETURN
    $ipt -t mangle -A MAN -s $PEER_IP -j MARK --set-mark $MARK_MAN
    $ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
    $ipt -t mangle -A MAN -s $PEER_IP -j RETURN
done
echo " MAN mark net"
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j MARK --set-mark $MARK_NET
$ipt -t mangle -A MAN -j CONNMARK --restore-mark --mask 0xfffe
$ipt -t mangle -A MAN -d 0.0.0.0/0 -j RETURN

$ipt_s >~adminus/bin/marks

 ### POSTROUTING ###
if [ -x /mnt/usb/tc-restore ]; then
        /mnt/usb/tc-restore
        cp /mnt/usb/tc-restore ~sorin/bin/
else
        ~sorin/bin/tc-restore
fi
# each IP has its own class

 ### ###  ### ###
 ###  filter  ###
 ### ###  ### ###

 ### INPUT ###
echo "INPUT"
# TODO: Use ~adminus/etc/ports_input_allowed, use -m mport --port for both
#       direction ports if they *ARE* equal
$ipt -t filter -P INPUT DROP
$ipt -t filter -A INPUT -i lo -j ACCEPT
$ipt -t filter -A INPUT -p tcp --sport 0:1023 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A INPUT -i lo -j ACCEPT
$ipt -t filter -A INPUT -p tcp --tcp-flags ACK ACK -j ACCEPT
$ipt -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
$ipt -t filter -A INPUT -m state --state RELATED -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 1024:65535 --sport 53 -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$ipt -t filter -A INPUT -p tcp -m state ! --state NEW --sport 0:1023 -j ACCEPT
$ipt -t filter -A INPUT -p udp --sport 0:1023 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ssh -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport auth -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ftp -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport rmt -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport rmt -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport ftp-data -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport time -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport http -j ACCEPT
$ipt -t filter -A INPUT -p icmp -m limit --icmp-type echo-request --limit 3/second --limit-burst 1000 -j ACCEPT
$ipt -t filter -A INPUT -p tcp ! -i lo --sport 2049:2050 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --dport 2049:2050 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --sport 6000:6063 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --dport 6000:6063 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --sport 7000:7010 -j DROP
$ipt -t filter -A INPUT -p tcp ! -i lo --dport 7000:7010 -j DROP
$ipt -t filter -A INPUT -p tcp --sport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p udp --sport 1024:65535 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 1024:65535 -j ACCEPT

 ### FORWARD ###
echo "FORWARD"
$ipt -t filter -P FORWARD DROP
$ipt -t filter -A FORWARD -i lo -j ACCEPT
$ipt -t filter -A FORWARD -o lo -j ACCEPT

echo " ip/mac ACCEPT"
~sorin/bin/mac.sh
$ipt -t filter -A FORWARD -o $INT1 -d $INT1Net/$INT1Mask -j ACCEPT
$ipt -t filter -A FORWARD -i $INT2 -s $INT2Net/$INT2Mask -j ACCEPT
$ipt -t filter -A FORWARD -o $INT2 -d $INT2Net/$INT2Mask -j ACCEPT
$ipt -t filter -A FORWARD -i $EXT1 -o $INT1 -j ACCEPT
$ipt -t filter -A FORWARD -i $EXT1 -o $INT2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t filter -A FORWARD -i $INT1 -o $INT2 -j ACCEPT
$ipt -t filter -A FORWARD -i $INT2 -o $INT1 -j ACCEPT
#$ipt -t filter -A FORWARD -i $INT1 -o $EXT1 -j ACCEPT
# Done per MAC address (see mac.sh above)
$ipt -t filter -A FORWARD -i $INT2 -o $EXT1 -j ACCEPT

echo " connection/port ACCEPT/DROP"
#$ipt -t filter -A FORWARD -f -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 128
# anti-spoofing: internal source addresses must arrive on their own interface
# (negation goes before the option: "! -i", as in the INPUT chain)
$ipt -t filter -A FORWARD ! -i $INT1 -s $INT1Net/$INT1Mask -j DROP
$ipt -t filter -A FORWARD ! -i $INT2 -s $INT2Net/$INT2Mask -j DROP
$ipt -t filter -A FORWARD -p icmp -d $INT1Bcast -j DROP
$ipt -t filter -A FORWARD -p icmp -d $INT2Bcast -j DROP
$ipt -t filter -A FORWARD -p tcp --syn -m limit --limit 10/s -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 3/s -j ACCEPT
$ipt -t filter -A FORWARD -p udp --sport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p udp --dport 53 -j ACCEPT
$ipt -t filter -A FORWARD -p tcp --dport 139 -j DROP
$ipt -t filter -A FORWARD -p tcp --dport 445 -j DROP

 ### OUTPUT ###
echo "OUTPUT"
$ipt -t filter -P OUTPUT ACCEPT

echo "Preparing for reboot... (iptables-save)"
/usr/sbin/iptables-save >/home/adminus/iptables

A/V ports: 531 554 583 7070 1754:1755 1397:1398 1516
1518 2232 4444 5555 5713:5714 6000 6010

CHAT ports: 53 5050 1863 113 529 994 6660:6667 7000 63
5190:5193 22 23 992 37 123 21 990 1517 1519 2103:2105
5222 5269 5715:5717

WWW ports (and games): 80 443 280 488 25 109:110 995
143 220 993 516 532 563 631 901 666 4557 4559 27005 27015


	
		
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
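An added example, not part of the post above or of the poster's script: a small Python model of the MARK / CONNMARK bit operations that the QOS and MAN chains rely on, so the combined mark can be checked on paper before looking at the router. The values of MARK_MAN and MARK_NET, the order in which the two chains run (QOS first, then MAN, which is what the "--restore-mark --mask 0xfffe" step suggests) and the port subsets are assumptions; the script defines them in parts not shown here.

```python
# Model of the netfilter mark arithmetic used by the QOS and MAN chains.
# Added example, not the poster's code.  MARK_MAN, MARK_NET, the chain order
# and the port lists are assumptions.

ALL_BITS = 0xFFFFFFFF

# Assumed destination marks: only bit 0 is used, which is exactly the bit
# that "--restore-mark --mask 0xfffe" leaves untouched.
MARK_MAN = 0x1   # assumption
MARK_NET = 0x0   # assumption

MASK_RESTORE = 0xFFFE   # from "CONNMARK --restore-mark --mask 0xfffe"

# Constructed subsets of the A/V and WWW port lists at the end of the post.
AV_PORTS = {554, 7070, 5555}
WWW_PORTS = {80, 443}


def mark_set(nfmark, value, mask=ALL_BITS):
    """MARK --set-mark value: full overwrite (the default mask is all bits)."""
    return (nfmark & ~mask) | (value & mask)


def connmark_save(ctmark, nfmark, mask=ALL_BITS):
    """CONNMARK --save-mark [--mask]: copy the packet mark into the conntrack mark."""
    return (ctmark & ~mask) | (nfmark & mask)


def connmark_restore(nfmark, ctmark, mask=ALL_BITS):
    """CONNMARK --restore-mark [--mask]: bits inside the mask come from the
    conntrack mark, bits outside the mask are kept from the packet mark."""
    return (nfmark & ~mask) | (ctmark & mask)


def qos_chain(nfmark, ctmark, dport):
    """QOS chain as written: A/V ports -> 0x6, WWW ports -> 0x2, then save-mark."""
    if dport in AV_PORTS:
        nfmark = mark_set(nfmark, 0x6)
    elif dport in WWW_PORTS:
        nfmark = mark_set(nfmark, 0x2)
    ctmark = connmark_save(ctmark, nfmark)   # the save in the script is unconditional
    return nfmark, ctmark


def man_chain(nfmark, ctmark, to_peer, mark_man=MARK_MAN, mark_net=MARK_NET):
    """MAN chain: set the destination mark, then pull the QoS bits (0xfffe)
    back from the connection mark so both survive in one packet mark."""
    nfmark = mark_set(nfmark, mark_man if to_peer else mark_net)
    nfmark = connmark_restore(nfmark, ctmark, MASK_RESTORE)
    return nfmark


def final_mark(dport, to_peer, mark_man=MARK_MAN, mark_net=MARK_NET):
    """One packet of a fresh connection through QOS then MAN (assumed order)."""
    nfmark, ctmark = 0, 0
    nfmark, ctmark = qos_chain(nfmark, ctmark, dport)
    return man_chain(nfmark, ctmark, to_peer, mark_man, mark_net)


if __name__ == "__main__":
    print(hex(final_mark(554, True)))              # 0x7: MAN bit kept, A/V bits restored
    print(hex(final_mark(80, False)))              # 0x2: WWW bits only
    # Caveat: a destination mark that overlaps the restore mask is clobbered.
    print(hex(final_mark(554, True, mark_man=0x8)))  # 0x6: the 0x8 is lost
```

The third case is the check worth keeping: the scheme only works while the destination marks stay outside 0xfffe (bit 0 only). Any MARK_MAN or MARK_NET value with a bit inside the mask is overwritten by the restore, and the tc filters keyed on that mark silently stop matching. On the router itself the same numbers can be compared against the `mark=` field that `conntrack -L` prints per flow and against the per-rule counters of `iptables -t mangle -L MAN -v -n`.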
