#!/bin/sh
/usr/bin/clear
####################################################################################
# @DATE: 2006-09-12 @ 08:57:08 (GMT -05:00)
# @UPDATE: 2007-02-23 @ 23:01:19 (GMT-05:00)
# @VERSION: 2.0 FINAL
# @REVISION: 0
# @AUTHOR: Alan A. Currie
####################################################################################
# REQUIREMENTS
####################################################################################
# This script was based on kernel 2.6.12 w/ iptables 1.35 layer7, hfsc, imq, tos and
# other related modules. It has not been tested very well with later versions
# of kernel core and/or with iptables in conjunction with layer7 compatibility.
#
# Understand that this script does not interfere with iptable IN, OUT, etc firewall
# rules. However, only uses tables within the iptables -t mangle ingress and out.
#
# NOTE(review): the load/flush paths below run "$iptables -t mangle -F", which
# empties every chain of the mangle table, not only the chains this script creates.
# Mangle rules installed by other tooling (e.g. fwmarks used for policy routing)
# are dropped on every run; flushing only the script's own chains would keep the
# non-interference promise made above.
#
# Usage: <script> load | status | simple | pipe | flush   (must run as root)
####################################################################################
# SERVICES
####################################################################################
# UT2004 7777:7787/UDP
ENABLE_UNREAL04="1"
# GuildWars 6112/TCP
ENABLE_GUILDWAR="1"
####################################################################################
# NETWORK CONFIGURATION
####################################################################################
# Both shaping roots hang off IMQ devices; the physical interfaces (eth0/eth1) are
# hard-coded further down in the PROCESS EXCLUSIONS sections, not configured here.
ethOUT="imq1" # Upload
ethIN="imq0" # Download
####################################################################################
# EXCLUSIONS
####################################################################################
####################################################################################
# QUEUE SIZE
####################################################################################
# "Transmit queue length"
# (default 1000) higher the better for smoothness, lower the better for interactive
# traffic at the cost of packet loss for high-throughput
len0="3000"
len1="3000"
####################################################################################
# MTU
####################################################################################
# Changes mtu on the device. Lowering the mtu will result
# in lower latency but will also cause slightly lower throughput due
# to IP and tcp protocol overhead. (default 1500, Recommend 1492 for DSL users)
mtu0="1500"
mtu1="1500"
####################################################################################
# ToS
####################################################################################
# Only $mind is referenced in the visible part of the script (Guild Wars rules).
mind="16" # Minimize-Delay 16 (0x10) hi interactive
maxt="8" # Maximize-Throughput 8 (0x08)
maxr="4" # Maximize-Reliability 4 (0x04)
minc="2" # Minimize-Cost 2 (0x02)
normal="0" # Normal-Service 0 (0x00)
####################################################################################
# No verb given: print usage and stop.
# NOTE(review): the verb list printed here omits "pipe", which the dispatch accepts.
if [ $# -eq 0 ]; then
  clear
  # NOTE(review): this echo is unquoted, so "[OPTIONS]" is a glob pattern; with a
  # one-character file named O, P, T, I, N or S in the cwd it expands to that name.
  echo 1>&2 Usage: $0 [OPTIONS]....
  echo "status Displays the current shaper rules"
  echo ""
  echo "simple Display Pre and Post Routing."
  echo ""
  echo "flush Disable Shaping."
  echo ""
  echo "load Enable Shaping."
  exit
fi
# Dispatch: the whole remainder of the script runs only for one of these verbs;
# any other verb is silently ignored. ("-o" inside "[ ]" is obsolescent in POSIX;
# separate tests joined with "||", or a case on "$1", are the portable form.)
if [ "$1" = "load" -o "$1" = "status" -o "$1" = "simple" -o "$1" = "flush" -o "$1" = "pipe" ]
then
  ####################################################################################
  # PROGRAM PATHS
  # Absolute paths so a root run does not depend on $PATH; bc, used in the rate
  # calculations below, is still resolved via $PATH. $modprobe is not referenced
  # in the visible part of the script.
  iptables="/usr/local/sbin/iptables"
  ip="/sbin/ip"
  tc="/sbin/tc"
  modprobe="/sbin/modprobe"
  ####################################################################################
  # DISPLAY STATUS OF CHAINS
  # "pipe": list the eight per-level chains of each direction, with counters.
  if [ "$1" = "pipe" ]
  then
    echo "*********DOWNLOAD PIPES*********"
    $iptables -t mangle -vv -n -L DL-10
    $iptables -t mangle -vv -n -L DL-11
    $iptables -t mangle -vv -n -L DL-12
    $iptables -t mangle -vv -n -L DL-13
    $iptables -t mangle -vv -n -L DL-14
    $iptables -t mangle -vv -n -L DL-15
    $iptables -t mangle -vv -n -L DL-16
    $iptables -t mangle -vv -n -L DL-17
    echo "*********UPLOAD PIPES*********"
    $iptables -t mangle -vv -n -L UP-10
    $iptables -t mangle -vv -n -L UP-11
    $iptables -t mangle -vv -n -L UP-12
    $iptables -t mangle -vv -n -L UP-13
    $iptables -t mangle -vv -n -L UP-14
    $iptables -t mangle -vv -n -L UP-15
    $iptables -t mangle -vv -n -L UP-16
    $iptables -t mangle -vv -n -L UP-17
    exit
  fi
  # "status": built-in chains, the two entry chains, both classifier chains and the
  # full tc state (qdisc/class/filter) of each IMQ device.
  if [ "$1" = "status" ]
  then
    echo "*********PREROUTING*********"
    $iptables -t mangle -vv -n -L PREROUTING
    echo "*********POSTROUTING*********"
    $iptables -t mangle -vv -n -L POSTROUTING
    echo "*********TEMP*********"
    $iptables -t mangle -vv -n -L DL-unconditioned
    $iptables -t mangle -vv -n -L UP-unconditioned
    echo "*********DOWNLOAD RULES*********"
    $iptables -t mangle -vv -n -L download-chain
    echo "*********UPLOAD RULES*********"
    $iptables -t mangle -vv -n -L upload-chain
    echo "*********${ethOUT} UPLOAD*********"
    echo "[qdisc]"
    $tc -s qdisc show dev $ethOUT
    echo "[class]"
    $tc -s class show dev $ethOUT
    echo "[filter]"
    $tc -s filter show dev $ethOUT
    echo "*********${ethIN} DOWNLOAD*********"
    echo "[qdisc]"
    $tc -s qdisc show dev $ethIN
    echo "[class]"
    $tc -s class show dev $ethIN
    echo "[filter]"
    $tc -s filter show dev $ethIN
    exit
  fi
  # "simple": only the two built-in mangle chains.
  if [ "$1" = "simple" ]
  then
    $iptables -t mangle -vv -n -L PREROUTING
    $iptables -t mangle -vv -n -L POSTROUTING
    exit
  fi
  ####################################################################################
  # FLUSH OUR CHAINS AND OLD SHAPES
  # Runs for both "flush" and "load"; errors are hidden because on a fresh boot
  # none of these objects exist yet.
  $tc qdisc del dev $ethOUT root 2> /dev/null > /dev/null
  $tc qdisc del dev $ethIN root 2> /dev/null > /dev/null
  # NOTE(review): "-F" with no chain name flushes every chain in the mangle table,
  # including rules this script did not add (see the header). Flushing
  # PREROUTING/POSTROUTING jumps into the script's own chains, plus the chains
  # themselves, would limit the blast radius.
  $iptables -t mangle -F 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain download-chain 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain upload-chain 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-unconditioned 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-unconditioned 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-10 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-11 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-12 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-13 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-14 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-15 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-16 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain DL-17 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-10 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-11 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-12 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-13 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-14 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-15 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-16 2> /dev/null > /dev/null
  $iptables -t mangle --delete-chain UP-17 2> /dev/null > /dev/null
  if [ "$1" = "flush" ]
  then
    echo "Flush Complete"
    exit
  fi
  ##############################
  # SETUP OUR MTU AND QUEUE LENGTH ON VIRTUAL INTERFACE
  # Only "load" reaches this point.
  $ip link set $ethIN up
  $ip link set $ethOUT up
  $ip link set dev $ethIN qlen $len0
  $ip link set dev $ethOUT qlen $len1
  $ip link set dev $ethIN mtu $mtu0
  $ip link set dev $ethOUT mtu $mtu1
  ####################################################################################
  # DOWNLOAD SECTION
  ####################################################################################
  chainname="download-chain"
  echo "##########[DOWNLOAD]##########"
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # GLOBAL MAX BANDWIDTH
  # WARNING: Always set your 'dtotalmax' var at least 64-96Kbits lower than your actual
  # bandwidth, otherwise packet shaping is useless. The distance between your
  # actual and your shaping bandwidth is your overhead costs versus your total
  # bandwidth costs. You may experience intolerable latency if max rates are
  # not the same on all pipes of shapes.
  # RECOMMEND: Test your latency by pinging 'yahoo.com -t' at (actual_bandwidth - 64Kbits)
  # first. If you experience high latency, try 96Kbits or powers of 8Bits.
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  realdownspeed="8000" # Real speed of your Internet Downstream
  # bc does the fractional multiply; printf then rounds it to a whole Kbit because
  # tc rates below are given as integers.
  dtotalmax=$(echo "scale=9; $realdownspeed * 0.90" | bc) # 80-90% of your real bandwidth.
  dtotalmax=`printf "%2.0f" $dtotalmax` # remove decimal
  # 768kbits ~ 93.75 kb/s
  # 512kbits ~ 62.5 kb/s
  # 384kbits ~ 46.875 kb/s
  # 256kbits ~ 31.25 kb/s
  # 128kbits ~ 15.625 kb/s
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 10: Real Time - VoIP
  rate1="256" # guarantee rate
  mrate1=$dtotalmax # max rate
  mdelay1="10" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 11: Remote - Interactive
  rate2="1000" # guarantee rate
  mrate2=$dtotalmax # max rate
  mdelay2="100" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 12: Games
  rate3="1000" # guarantee rate
  mrate3=$dtotalmax # max rate
  mdelay3="200" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 13: Web Services
  rate4="1000" # guarantee rate
  mrate4=$dtotalmax # max rate
  mdelay4="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 14: Email Services
  rate5="1000" # guarantee rate
  mrate5=$dtotalmax # max rate
  mdelay5="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 15: FTP Services
  rate6="1000" # guarantee rate
  mrate6=$dtotalmax # max rate
  mdelay6="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 16: Web Other Traffic
  rate7="1000" # guarantee rate
  mrate7=$dtotalmax # max rate
  mdelay7="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 17: BULK
  rate8="1" # guarantee rate
  mrate8=$(echo "scale=9; $dtotalmax * 0.80" | bc) # max rate
  mrate8=`printf "%2.0f" $mrate8` # remove decimal
  mdelay8="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: TOTAL RATES CALCULATIONS
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Sum of the guaranteed rates; it becomes the root class "sc rate" below.
  # NOTE(review): "$[ ]" is a bash-only arithmetic form. Under a /bin/sh that is
  # dash it is not expanded and the tc command below receives a literal string;
  # "$(( ))" is the POSIX equivalent.
  dsumrate=$[$rate1+$rate2+$rate3+$rate4+$rate5+$rate6+$rate7+$rate8]
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: CREATE OUR CHAINS
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  $iptables -t mangle -N $chainname
  $iptables -t mangle -N DL-unconditioned
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: PROCESS EXCLUSIONS
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Entry point for download traffic: everything leaving via eth1 (presumably the
  # LAN side -- confirm) is inserted at the head of POSTROUTING.
  $iptables -t mangle -I POSTROUTING -o eth1 -j DL-unconditioned
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # REDIRECT
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Pre-mark small TCP packets (ACK-sized) into levels 13-16 by length. Note that
  # every DL-NN chain below sets its mark unconditionally, so these marks only
  # survive for packets that no level rule matches.
  mark=13
  $iptables -t mangle -A DL-unconditioned -p tcp -m length --length 0:32 -m comment --comment "${mark}:Semi ack pcks 16" -j MARK --set-mark ${mark}
  mark=14
  $iptables -t mangle -A DL-unconditioned -p tcp -m length --length 33:48 -m comment --comment "${mark}:Semi ack pcks 32" -j MARK --set-mark ${mark}
  mark=15
  $iptables -t mangle -A DL-unconditioned -p tcp -m length --length 49:64 -m comment --comment "${mark}:Semi ack pcks 48" -j MARK --set-mark ${mark}
  mark=16
  $iptables -t mangle -A DL-unconditioned -p tcp -m length --length 65:128 -m comment --comment "${mark}:Semi ack pcks 64" -j MARK --set-mark ${mark}
  $iptables -t mangle -A DL-unconditioned -p all -j $chainname
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: ROOT
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Unclassified packets fall into class 1:17 (bulk).
  $tc qdisc add dev $ethIN handle 1: root hfsc default 17
  #$tc class add dev $ethIN parent 1: classid 1:1 hfsc rt rate ${dsumrate}Kbit ls rate ${dtotalmax}Kbit
  $tc class add dev $ethIN parent 1: classid 1:1 hfsc sc rate ${dsumrate}Kbit ul rate ${dtotalmax}Kbit
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: CLASS [BANDWIDTH RATES]
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  #-- parent
  # One leaf class per level; class minor id == fwmark == level number.
  $tc class add dev $ethIN parent 1:1 classid 1:10 hfsc sc umax 1500b dmax ${mdelay1}ms rate ${rate1}Kbit ul rate ${mrate1}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:11 hfsc sc umax 1500b dmax ${mdelay2}ms rate ${rate2}Kbit ul rate ${mrate2}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:12 hfsc sc umax 1500b dmax ${mdelay3}ms rate ${rate3}Kbit ul rate ${mrate3}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:13 hfsc sc umax 1500b dmax ${mdelay4}ms rate ${rate4}Kbit ul rate ${mrate4}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:14 hfsc sc umax 1500b dmax ${mdelay5}ms rate ${rate5}Kbit ul rate ${mrate5}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:15 hfsc sc umax 1500b dmax ${mdelay6}ms rate ${rate6}Kbit ul rate ${mrate6}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:16 hfsc sc umax 1500b dmax ${mdelay7}ms rate ${rate7}Kbit ul rate ${mrate7}Kbit
  $tc class add dev $ethIN parent 1:1 classid 1:17 hfsc sc umax 1500b dmax ${mdelay8}ms rate ${rate8}Kbit ul rate ${mrate8}Kbit
  # this method does not work correctly.
  #$tc class add dev $ethIN parent 1:1 classid 1:17 hfsc sc umax 1500b dmax ${mdelay8}ms rate ${rate6}Kbit ul rate ${mrate8}Kbit
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: QDISC
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  #-- child
  $tc qdisc add dev $ethIN handle 10: parent 1:10 hfsc
  $tc qdisc add dev $ethIN handle 11: parent 1:11 hfsc
  $tc qdisc add dev $ethIN handle 12: parent 1:12 hfsc
  $tc qdisc add dev $ethIN handle 13: parent 1:13 hfsc
  $tc qdisc add dev $ethIN handle 14: parent 1:14 hfsc
  $tc qdisc add dev $ethIN handle 15: parent 1:15 hfsc
  $tc qdisc add dev $ethIN handle 16: parent 1:16 hfsc
  $tc qdisc add dev $ethIN handle 17: parent 1:17 hfsc
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # FILTER CHILDREN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # fwmark N -> class 1:N.
  $tc filter add dev $ethIN parent 1: prio 1 protocol ip handle 10 fw flowid 1:10
  $tc filter add dev $ethIN parent 1: prio 2 protocol ip handle 11 fw flowid 1:11
  $tc filter add dev $ethIN parent 1: prio 3 protocol ip handle 12 fw flowid 1:12
  $tc filter add dev $ethIN parent 1: prio 4 protocol ip handle 13 fw flowid 1:13
  $tc filter add dev $ethIN parent 1: prio 5 protocol ip handle 14 fw flowid 1:14
  $tc filter add dev $ethIN parent 1: prio 6 protocol ip handle 15 fw flowid 1:15
  $tc filter add dev $ethIN parent 1: prio 7 protocol ip handle 16 fw flowid 1:16
  $tc filter add dev $ethIN parent 1: prio 8 protocol ip handle 17 fw flowid 1:17
  ####################################################################################
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEAVE THE TABLE IN THIS ORDER, OTHERWISE THERE WILL BE PORT MISMATCH ISSUES WHEN SHAPING TRAFFIC.
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 10: Real Time / VoIP
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Each level: create chain DL-<mark>, append classifier rules to $chainname that
  # jump to it, then have it set the mark and RETURN. $names is deliberately
  # unquoted: word-splitting yields one layer7 rule per protocol name.
  mark="10"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate1}/${mrate1}Kbits"
  #------------------
  # WARNING: VoIP RULES ARE DIFFERENT THAN UPLOAD RULES
  # NOTE(review): these two rules match on destination host only (no protocol or
  # port), so all traffic to 192.168.10.2/.3 is placed in the real-time class.
  $iptables -t mangle -A $chainname -d 192.168.10.2 -m comment --comment "${mark}:VoIP 1234567890" -j $gotochain
  $iptables -t mangle -A $chainname -d 192.168.10.3 -m comment --comment "${mark}:VoIP 0987654321" -j $gotochain
  $iptables -t mangle -A $chainname -p icmp -m comment --comment "${mark}:ICMP" -j $gotochain
  names="dhcp"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 11: Remote Interactive Traffic
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="11"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate2}/${mrate2}Kbits"
  #------------------
  $iptables -t mangle -A $chainname -p udp --sport 123 -m comment --comment "${mark}:Network Time" -j $gotochain
  # rdp l7 doesnt work so hot
  $iptables -t mangle -A $chainname -p tcp --sport 3389 -m comment --comment "${mark}:rdp" -j $gotochain
  names="ventrilo teamspeak dns vnc ssh"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 12: Games
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="12"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate3}/${mrate3}Kbits"
  #------------------
  # Guild Wars
  # NOTE(review): $ENABLE_GUILDWAR / $ENABLE_UNREAL04 are unquoted inside "[ ]";
  # if either is ever set empty the test becomes a syntax error rather than false.
  if [ $ENABLE_GUILDWAR = "1" ]; then
    echo " Guild Wars ENABLED"
    $iptables -t mangle -A $chainname -p tcp --sport 6112 -j TOS --set-tos $mind
    $iptables -t mangle -A $chainname -p tcp --sport 6112 -m comment --comment "${mark}:Guild Wars" -j $gotochain
  fi
  # UT2004
  if [ $ENABLE_UNREAL04 = "1" ]; then
    echo " UT2004 ENABLED"
    $iptables -t mangle -A $chainname -p udp --sport 7777:7787 -m comment --comment "${mark}:UT2004" -j $gotochain
  fi
  #names="quake-halflife halflife2-deathmatch aim counterstrike-source msnmessenger irc worldofwarcraft yahoo"
  names="aim msnmessenger worldofwarcraft"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 13: Web Services
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="13"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate4}/${mrate4}Kbits"
  #------------------
  #names="ssl http"
  # for name in $names
  # do
  # $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  # done
  # Port-based instead of layer7; these two rules carry no "-m comment" tag.
  $iptables -t mangle -A $chainname -p tcp --sport 80 -j $gotochain
  $iptables -t mangle -A $chainname -p tcp --sport 443 -j $gotochain
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 14: E-Mail Services
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="14"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate5}/${mrate5}Kbits"
  #------------------
  names="pop3 imap smtp"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 15: FTP Services
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="15"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate6}/${mrate6}Kbits"
  #------------------
  names="ftp"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 16: Web Other Traffic
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="16"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate7}/${mrate7}Kbits"
  #------------------
  names="winamp"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # DL: LEVEL 17 - BULK
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="17"
  gotochain="DL-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate8}/${mrate8}Kbits"
  #------------------
  #names="100bao applejuice ares bittorrent directconnect edonkey fasttrack freenet gnucleuslan gnutella goboogy hotline imesh kugoo mute napster openft poco skypeout skypetoskype soribada soulseek tesla thecircle xunlei"
  names="bittorrent gnutella napster edonkey"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  ##############################
  # DL: MARK OUR TARGETS
  # $mark is still "17" here, so anything no level rule matched goes to bulk. The
  # length-based marks 13-16 from DL-unconditioned are non-zero and are left alone.
  $iptables -t mangle -A $chainname -m mark --mark 0 -j MARK --set-mark ${mark}
  ##############################
  # finally once all data is marked process to our IMQ device
  # NOTE(review): "--todev 0" is hard-coded; it must agree with ethIN="imq0" above.
  $iptables -t mangle -A $chainname -j IMQ --todev 0
  ##############################
  echo "TOTAL DOWNLOAD RATE: ${dsumrate}/${dtotalmax}Kbits"
  ####################################################################################
  # UPLOAD SECTION
  # Mirrors the download section: same variable names are reused (rate1.., mrate1..,
  # mdelay1..), --sport becomes --dport and -d becomes -s.
  ####################################################################################
  chainname="upload-chain"
  echo "##########[UPLOAD]##########"
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # GLOBAL MAX BANDWIDTH
  # WARNING: Always set your 'utotalmax' var at least 64-96Kbits lower than your actual
  # bandwidth, otherwise packet shaping is useless. The distance between your
  # actual and your shaping bandwidth is your overhead costs versus your total
  # bandwidth costs. You may experience intolerable latency if max rates are
  # not the same on all pipes of shapes.
  # RECOMMEND: Test your latency by pinging 'yahoo.com -t' at (actual_bandwidth - 64Kbits)
  # first. If you experience high latency, try 96Kbits or powers of 8Bits.
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  realupspeed="768" # Real speed of your Internet Upstream
  utotalmax=$(echo "scale=9; $realupspeed * 0.90" | bc) # 90% of your real bandwidth.
  utotalmax=`printf "%2.0f" $utotalmax` # remove decimal
  # 768kbits ~ 93.75 kb/s
  # 512kbits ~ 62.5 kb/s
  # 384kbits ~ 46.875 kb/s
  # 256kbits ~ 31.25 kb/s
  # 128kbits ~ 15.625 kb/s
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 10: Real Time - VoIP
  rate1="224" # guarantee rate
  mrate1=$utotalmax # max rate
  mdelay1="10" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 11: Remote - Interactive
  rate2="64" # guarantee rate
  mrate2=$utotalmax # max rate
  mdelay2="100" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 12: Games
  rate3="64" # guarantee rate
  mrate3=$utotalmax # max rate
  mdelay3="200" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 13: Web Services
  rate4="64" # guarantee rate
  mrate4=$utotalmax # max rate
  mdelay4="400" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 14: E-Mail Services
  rate5="64" # guarantee rate
  mrate5=$utotalmax # max rate
  mdelay5="400" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 15: FTP Services
  rate6="64" # guarantee rate
  mrate6=$utotalmax # max rate
  mdelay6="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 16: Web Other Traffic
  rate7="64" # guarantee rate
  mrate7=$utotalmax # max rate
  mdelay7="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEVEL 17: Bulk
  rate8="64" # guarantee rate
  mrate8=$(echo "scale=9; $utotalmax * 0.25" | bc) # max rate
  mrate8=`printf "%2.0f" $mrate8` # remove decimal
  mdelay8="1000" # max delay (in ms)
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: TOTAL RATES CALCULATIONS
  # Same bash-only "$[ ]" form as dsumrate above; see the note there.
  usumrate=$[$rate1+$rate2+$rate3+$rate4+$rate5+$rate6+$rate7+$rate8]
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: CREATE OUR CHAINS
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  $iptables -t mangle -N $chainname
  $iptables -t mangle -N UP-unconditioned
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: PROCESS EXCLUSIONS
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Entry point for upload traffic: everything leaving via eth0 (presumably the
  # WAN side -- confirm) is inserted at the head of POSTROUTING.
  $iptables -t mangle -I POSTROUTING -o eth0 -j UP-unconditioned
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # REDIRECT
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # Same length-based ACK pre-marking as the download side.
  mark=13
  $iptables -t mangle -A UP-unconditioned -p tcp -m length --length 0:32 -m comment --comment "${mark}:Semi ack pcks 16" -j MARK --set-mark ${mark}
  mark=14
  $iptables -t mangle -A UP-unconditioned -p tcp -m length --length 33:48 -m comment --comment "${mark}:Semi ack pcks 32" -j MARK --set-mark ${mark}
  mark=15
  $iptables -t mangle -A UP-unconditioned -p tcp -m length --length 49:64 -m comment --comment "${mark}:Semi ack pcks 48" -j MARK --set-mark ${mark}
  mark=16
  $iptables -t mangle -A UP-unconditioned -p tcp -m length --length 65:128 -m comment --comment "${mark}:Semi ack pcks 64" -j MARK --set-mark ${mark}
  $iptables -t mangle -A UP-unconditioned -p all -j $chainname
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: ROOT
  $tc qdisc add dev $ethOUT handle 1: root hfsc default 17
  $tc class add dev $ethOUT parent 1: classid 1:1 hfsc sc rate ${usumrate}Kbit ul rate ${utotalmax}Kbit
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: CLASS [BANDWIDTH RATES]
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  #-- parent
  # rt umax 1500b dmax ${mdelay1}ms rate ${rate1}Kbit ul rate ${mrate1}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:10 hfsc sc umax 1500b dmax ${mdelay1}ms rate ${rate1}Kbit ul rate ${mrate1}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:11 hfsc sc umax 1500b dmax ${mdelay2}ms rate ${rate2}Kbit ul rate ${mrate2}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:12 hfsc sc umax 1500b dmax ${mdelay3}ms rate ${rate3}Kbit ul rate ${mrate3}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:13 hfsc sc umax 1500b dmax ${mdelay4}ms rate ${rate4}Kbit ul rate ${mrate4}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:14 hfsc sc umax 1500b dmax ${mdelay5}ms rate ${rate5}Kbit ul rate ${mrate5}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:15 hfsc sc umax 1500b dmax ${mdelay6}ms rate ${rate6}Kbit ul rate ${mrate6}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:16 hfsc sc umax 1500b dmax ${mdelay7}ms rate ${rate7}Kbit ul rate ${mrate7}Kbit
  $tc class add dev $ethOUT parent 1:1 classid 1:17 hfsc sc umax 1500b dmax ${mdelay8}ms rate ${rate8}Kbit ul rate ${mrate8}Kbit
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: QDISC
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  #-- child
  $tc qdisc add dev $ethOUT handle 10: parent 1:10 hfsc
  $tc qdisc add dev $ethOUT handle 11: parent 1:11 hfsc
  $tc qdisc add dev $ethOUT handle 12: parent 1:12 hfsc
  $tc qdisc add dev $ethOUT handle 13: parent 1:13 hfsc
  $tc qdisc add dev $ethOUT handle 14: parent 1:14 hfsc
  $tc qdisc add dev $ethOUT handle 15: parent 1:15 hfsc
  $tc qdisc add dev $ethOUT handle 16: parent 1:16 hfsc
  $tc qdisc add dev $ethOUT handle 17: parent 1:17 hfsc
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # FILTER CHILDREN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  $tc filter add dev $ethOUT parent 1: prio 1 protocol ip handle 10 fw flowid 1:10
  $tc filter add dev $ethOUT parent 1: prio 2 protocol ip handle 11 fw flowid 1:11
  $tc filter add dev $ethOUT parent 1: prio 3 protocol ip handle 12 fw flowid 1:12
  $tc filter add dev $ethOUT parent 1: prio 4 protocol ip handle 13 fw flowid 1:13
  $tc filter add dev $ethOUT parent 1: prio 5 protocol ip handle 14 fw flowid 1:14
  $tc filter add dev $ethOUT parent 1: prio 6 protocol ip handle 15 fw flowid 1:15
  $tc filter add dev $ethOUT parent 1: prio 7 protocol ip handle 16 fw flowid 1:16
  $tc filter add dev $ethOUT parent 1: prio 8 protocol ip handle 17 fw flowid 1:17
  ####################################################################################
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # LEAVE THE TABLE IN THIS ORDER, OTHERWISE THERE WILL BE PORT MISMATCH ISSUES WHEN SHAPING TRAFFIC.
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: LEVEL 10: - Real Time / VoIP
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="10"
  gotochain="UP-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate1}/${mrate1}Kbits"
  #------------------
  # WARNING: VoIP RULES ARE DIFFERENT THAN DOWNLOAD RULES
  # Source-host match only, as on the download side: all traffic from these hosts
  # is treated as real-time.
  $iptables -t mangle -A $chainname -s 192.168.10.2 -m comment --comment "${mark}:VoIP 0123456789" -j $gotochain
  $iptables -t mangle -A $chainname -s 192.168.10.3 -m comment --comment "${mark}:VoIP 0987654321" -j $gotochain
  $iptables -t mangle -A $chainname -p icmp -m comment --comment "${mark}:ICMP" -j $gotochain
  names="dhcp"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: LEVEL 11: Remote & Interactive Traffic
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="11"
  gotochain="UP-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate2}/${mrate2}Kbits"
  #------------------
  $iptables -t mangle -A $chainname -p udp --dport 123 -m comment --comment "${mark}:Network Time" -j $gotochain
  # rdp l7 doesnt work so hot
  $iptables -t mangle -A $chainname -p tcp --dport 3389 -m comment --comment "${mark}:rdp" -j $gotochain
  names="ventrilo teamspeak dns vnc ssh"
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: LEVEL 12: Games
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="12"
  gotochain="UP-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate3}/${mrate3}Kbits"
  #------------------
  # Guild Wars
  # (same unquoted "[ $VAR = ... ]" tests as the download side)
  if [ $ENABLE_GUILDWAR = "1" ]; then
    echo " Guild Wars ENABLED"
    $iptables -t mangle -A $chainname -p tcp --dport 6112 -j TOS --set-tos $mind
    $iptables -t mangle -A $chainname -p tcp --dport 6112 -m comment --comment "${mark}:Guild Wars" -j $gotochain
  fi
  # UT2004
  if [ $ENABLE_UNREAL04 = "1" ]; then
    echo " UT2004 ENABLED"
    $iptables -t mangle -A $chainname -p udp --dport 7777:7787 -m comment --comment "${mark}:UT2004" -j $gotochain
  fi
  names="aim msnmessenger worldofwarcraft" # may send data back, i.e. server?
  for name in $names
  do
    $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  done
  #------------------
  $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark}
  $iptables -t mangle -A $gotochain -j RETURN
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  # UP: LEVEL 13: Web Services
  #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  mark="13"
  gotochain="UP-${mark}"
  $iptables -t mangle -N $gotochain
  echo "TRAFFIC ROUTE 1:${mark} @ ${rate4}/${mrate4}Kbits"
  #------------------
  #names="ssl http"
  # for name in $names
  # do
  # $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain
  # done
  $iptables -t mangle -A $chainname -p tcp --dport 80 -j $gotochain
  $iptables -t mangle -A $chainname -p tcp --dport 443 -j $gotochain
  #------------------
  $iptables -t
mangle -A $gotochain -j MARK --set-mark ${mark} $iptables -t mangle -A $gotochain -j RETURN #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # UP: LEVEL 14: E-Mail Services #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= mark="14" gotochain="UP-${mark}" $iptables -t mangle -N $gotochain echo "TRAFFIC ROUTE 1:${mark} @ ${rate5}/${mrate5}Kbits" #------------------ names="pop3 imap smtp" for name in $names do $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain done #------------------ $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark} $iptables -t mangle -A $gotochain -j RETURN #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # UP: LEVEL 15: FTP Services #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= mark="15" gotochain="UP-${mark}" $iptables -t mangle -N $gotochain echo "TRAFFIC ROUTE 1:${mark} @ ${rate6}/${mrate6}Kbits" #------------------ names="ftp" for name in $names do $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain done #------------------ $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark} $iptables -t mangle -A $gotochain -j RETURN #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # UP: LEVEL 16: Web Other Traffic #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= mark="16" gotochain="UP-${mark}" $iptables -t mangle -N $gotochain echo "TRAFFIC ROUTE 1:${mark} @ ${rate7}/${mrate7}Kbits" #------------------ names="winamp" for name in $names do 
$iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain done #------------------ $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark} $iptables -t mangle -A $gotochain -j RETURN #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # UP: LEVEL 17: Bulk #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= mark="17" gotochain="UP-${mark}" $iptables -t mangle -N $gotochain echo "TRAFFIC ROUTE 1:${mark} @ ${rate8}/${mrate8}Kbits" #------------------ names="bittorrent gnutella napster edonkey" # server, or p2p for name in $names do $iptables -t mangle -A $chainname -m comment --comment "${mark}:${name}" -m layer7 --l7proto $name -j $gotochain done #------------------ $iptables -t mangle -A $gotochain -j MARK --set-mark ${mark} $iptables -t mangle -A $gotochain -j RETURN #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ############################## # UP: MARK OUR TARGETS $iptables -t mangle -A $chainname -m mark --mark 0 -j MARK --set-mark ${mark} ############################## # finally once all data is marked process to our IMQ device $iptables -t mangle -A $chainname -j IMQ --todev 1 ############################## echo "TOTAL UPLOAD RATE: ${usumrate}/${utotalmax}Kbits" ############################## echo "-=-=-=-=-=-=-=-=-=-=-=-=-" echo "IN: ${ethIN} MTU: ${mtu0} QLength: ${len0}" echo "OUT: ${ethOUT} MTU: ${mtu1} QLength: ${len1}" echo "-=-=-=-=-=-=-=-=-=-=-=-=-" ############################## fi exit