Axl_Mas
07-11-2005, 21:23
Dopo mesi (non scherzo,sono partito da zero!) di continue modifiche ho finito il mio script iptables!!!!!
Esperti di linux datemi dei consigli se c'è qualcosa da correggere/migliorare o aggiungere....mi sto appassionando ai firewall e ne voglio uno davvero potente!
#Making variables
IPTABLES="/usr/local/sbin/iptables"
NETWORK_IP="192.168.0.0/24"
ETH_LAN="eth1"
ETH_NET="eth0"
PPP="ppp0"
DNS1="62.211.69.150"
DNS2="212.48.4.15"
DNS3="85.37.17.12"
#Flushing all rules,chains,tables,policies.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#Reset the default policies in the mangle table.
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
#Flush all the rules in the filter and nat tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#Erase all chains that's not default in filter and nat table.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#Erase all chains and the rules of all tables.
for table in nat mangle filter
do
$IPTABLES -t $table -F
$IPTABLES -t $table -X
done
#-----------------------------------------------------------------------------
#Close all the traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#-----------------------------------------------------------------------------
#filter bugous ips
$IPTABLES -A INPUT -i $PPP -s 127.0.0.1 -j DROP
$IPTABLES -A INPUT -i $PPP -s 192.168.0.0/16 -j DROP
#------------------------------------------------------------------------------
#kernel's protections
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for a in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $a
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/tcp_ecn
#Fragmented packets management
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 25 > /proc/sys/net/ipv4/ipfrag_time
#Permit fpt active mode into clients
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#-----------------------------------------------------------------------------
#MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_nat
modprobe ipt_MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $NETWORK_IP -j MASQUERADE
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#-----------------------------------------------------------------------------
#Accept all lan traffic
$IPTABLES -A INPUT -i $ETH_LAN -j ACCEPT
$IPTABLES -A OUTPUT -o $ETH_LAN -j ACCEPT
#-----------------------------------------------------------------------------
#Permit loopback connections
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
#-----------------------------------------------------------------------------
# Drop Invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
#-----------------------------------------------------------------------------
#Portscanners protections
# Drop (NMAP) scan packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop packets with bad tcp flags
$IPTABLES -A INPUT -p tcp --tcp-option 64 -j DROP
$IPTABLES -A INPUT -p tcp --tcp-option 128 -j DROP
$IPTABLES -A INPUT -p tcp --dport 0 -j DROP
$IPTABLES -A INPUT -p udp --dport 0 -j DROP
$IPTABLES -A INPUT -p tcp --sport 0 -j DROP
$IPTABLES -A INPUT -p udp --sport 0 -j DROP
#++++++++++++++++++++++++++++++
#Ports opening +
#++++++++++++++++++++++++++++++
#++++++++
#FORWARD+
#++++++++
#-----------------
#Entering packets-
#-----------------
$IPTABLES -N netlan #ppp0(internet) ------> ethX(lan)
$IPTABLES -A FORWARD -i $PPP -o $ETH_LAN -j netlan
#Dns
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS3 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS3 -j ACCEPT
# Http,https,8080
$IPTABLES -A netlan -m tcp -p tcp -m multiport --sports 80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
# POP3
$IPTABLES -A netlan -m tcp -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMTP
$IPTABLES -A netlan -m tcp -p tcp -m multiport --sports 25,587 -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP
$IPTABLES -A netlan -m tcp -p tcp --sport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# KAZAA
$IPTABLES -A netlan -p tcp --sport 1214 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Shareaza
$IPTABLES -A netlan -p tcp --dport 6346 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p udp --dport 6346 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Soulseek
$IPTABLES -A netlan -p tcp --sport 2234:2240 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --sport 29093 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --dport 29093 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --dport 2234:2240 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --sport 5534 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --dport 5534 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#IRC
#$IPTABLES -A netlan -p tcp --sport 6667 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A netlan -p tcp --sport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -j ACCEPT
#$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -j ACCEPT
#-----------------
#Outgoing packets-
#-----------------
$IPTABLES -N lannet #ethX(lan) ----> ppp0(internet)
$IPTABLES -A FORWARD -i $ETH_LAN -o $PPP -j lannet
#$IPTABLES -A lannet -j ACCEPT
#Dns
$IPTABLES -A lannet -p udp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A lannet -p udp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A lannet -p udp --dport 53 -d $DNS3 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 53 -d $DNS3 -j ACCEPT
#Http and https
$IPTABLES -A lannet -p tcp -m multiport --dport 80,8080,443 -j ACCEPT
#Pop3
$IPTABLES -A lannet -p tcp -m multiport --dport 110,995 -j ACCEPT
#Smtp
$IPTABLES -A lannet -p tcp -m multiport --dport 587,25 -j ACCEPT
#Shareaza
$IPTABLES -A lannet -p tcp --dport 6346 -j ACCEPT
$IPTABLES -A lannet -p udp --dport 6346 -j ACCEPT
#$IPTABLES -A lannet -p tcp --sport 6346 -j ACCEPT
#$IPTABLES -A lannet -p udp --sport 6346 -j ACCEPT
#Kazaa
$IPTABLES -A lannet -p tcp --dport 1214 -j ACCEPT
#Soulseek
$IPTABLES -A lannet -p tcp --dport 2234:2240 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 29093 -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 29093 -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 2234:2240 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 5534 -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 5534 -j ACCEPT
#IRC
#$IPTABLES -A lannet -p tcp --dport 6667 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A lannet -p tcp --dport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A lannet -p udp --dport 53 -j ACCEPT
#$IPTABLES -A lannet -p tcp --dport 53 -j ACCEPT
#++++++++
#INPUT +
#++++++++
#Dns
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS3 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS3 -j ACCEPT
#http e https
$IPTABLES -A INPUT -i $PPP -p tcp -m multiport --sports 80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
#pop3
$IPTABLES -A INPUT -i $PPP -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED,RELATED -m limit --limit 60/min -j ACCEPT
#smtp
$IPTABLES -A INPUT -i $PPP -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED,RELATED -m limit --limit 50/min -j ACCEPT
#aMule INPUT
$IPTABLES -A INPUT -i $PPP -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PPP -p udp --dport 4672 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PPP -p udp --dport 4665 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m layer7 --l7proto edonkey -j ACCEPT
#++++++++
#OUTPUT +
#++++++++
#Dns
$IPTABLES -A OUTPUT -p udp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -d $DNS3 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -d $DNS3 -j ACCEPT
#Http and https
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 80,8080,443 -j ACCEPT
#aMule OUTPUT
$IPTABLES -A OUTPUT -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4672 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4665 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4661 -j ACCEPT
$IPTABLES -A OUTPUT -m layer7 --l7proto edonkey -j ACCEPT
#Pop3
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 110,995 -j ACCEPT
#Smtp
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 587,25 -j ACCEPT
#Rsync (needed by urpmi)
$IPTABLES -A OUTPUT -p tcp --dport 873 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 873 -j ACCEPT
#-----------------------------------------------------------------------------
#Ftp management (Thanks to MonMotha)
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $PPP -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# The data connection in active mode
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $PPP -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# The data connection in passive mode
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $PPP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ftp forward
$IPTABLES -A netlan -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# The data connection in active mode
$IPTABLES -A netlan -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# The data connection in passive mode
$IPTABLES -A netlan -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#-----------------------------------------------------------------------------
#Icmp management
#Accet 3 incoming and outcoming icmp packets/min,drop the others (all the ping are blocked at script's begin)
$IPTABLES -A OUTPUT -p icmp -m limit --limit 3/min -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j DROP
$IPTABLES -A INPUT -p icmp -m limit --limit 3/min -j ACCEPT
$IPTABLES -A INPUT -p icmp -j DROP
#Da http://gentoo-wiki.com/HOWTO_Packet_Shaping
#adattato per regole firewall
# Constants
LOCALNET="192.168.0.0/255.255.255.0"
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
MARKPRIO5="5"
MARKPRIO6="6"
MARKPRIO7="7"
MARKPRIO8="8"
MARKPRIO9="9"
#Flushing mangle tables
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t mangle -F FORWARD
# Setting priority marks
# Prio 1
#dns
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark $MARKPRIO1
# icmp
$IPTABLES -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
#skype
$IPTABLES -t mangle -A FORWARD -m layer7 --l7proto skypeout -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A FORWARD -m layer7 --l7proto skypetoskype -j MARK --set-mark $MARKPRIO1
# http
$IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO1
# https
$IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO1
# Prio 2
# non tcp
$IPTABLES -t mangle -A FORWARD -p ! tcp -j MARK --set-mark $MARKPRIO2
$IPTABLES -t mangle -A OUTPUT -p ! tcp -j MARK --set-mark $MARKPRIO2
#Prio 3
# ssh
$IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO3
# ftp (control)
$IPTABLES -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j MARK --set-mark $MARKPRIO3
# smtp
$IPTABLES -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
# Prio 4
# packets > 1024 bytes
$IPTABLES -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
$IPTABLES -t mangle -A OUTPUT -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
# Prio 9
#emule
$IPTABLES -t mangle -A OUTPUT -m layer7 --l7proto edonkey -j MARK --set-mark $MARKPRIO9
#-----------------------------------------------------------
#Constants
# Interface you want to do shaping on
# eth2, eth1 for direct connection; ppp0 or so for dsl
# and other dialup connections (check ifconfig)
IFACE=ppp0
# Priority marks
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
MARKPRIO5="5"
MARKPRIO6="6"
MARKPRIO7="7"
MARKPRIO8="8"
MARKPRIO9="9"
# Rates
UPRATE="240kbit"
#P2PRATE=$UPRATE
#P2PRATE="128kbit"
PRIORATE1="240kbit"
PRIORATE2="80kbit"
PRIORATE3="40kbit"
PRIORATE4="20kbit"
PRIORATE5="10kbit"
PRIORATE6="1kbit"
PRIORATE7="5kbit"
PRIORATE8="5kbit"
PRIORATE9="5kbit"
# Quantum
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"
QUANTUM5="1000"
QUANTUM6="800"
QUANTUM7="500"
QUANTUM8="300"
QUANTUM9="100"
# Burst
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="2k"
BURST5="2k"
BURST6="2k"
BURST7="1k"
BURST8="1k"
BURST9="1k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="128"
CBURST5="128"
CBURST6="128"
CBURST7="64"
CBURST8="64"
CBURST9="64"
#reset queues
tc qdisc del dev ppp0 root
# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16
# Specify queue discipline
tc qdisc add dev $IFACE root handle 1:0 htb default 103 r2q 1
# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $UPRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3
tc class add dev $IFACE parent 1:1 classid 1:105 htb rate $PRIORATE5 ceil $UPRATE quantum $QUANTUM5 burst $BURST5 cburst $CBURST5 prio 4
tc class add dev $IFACE parent 1:1 classid 1:106 htb rate $PRIORATE6 ceil $UPRATE quantum $QUANTUM6 burst $BURST6 cburst $CBURST6 prio 5
tc class add dev $IFACE parent 1:1 classid 1:107 htb rate $PRIORATE7 ceil $UPRATE quantum $QUANTUM7 burst $BURST7 cburst $CBURST7 prio 6
tc class add dev $IFACE parent 1:1 classid 1:108 htb rate $PRIORATE8 ceil $UPRATE quantum $QUANTUM8 burst $BURST8 cburst $CBURST8 prio 7
tc class add dev $IFACE parent 1:1 classid 1:109 htb rate $PRIORATE9 ceil $UPRATE quantum $QUANTUM9 burst $BURST9 cburst $CBURST9 prio 8
# Filter packets
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104
tc filter add dev $IFACE parent 1:0 protocol ip prio 4 handle $MARKPRIO5 fw classid 1:105
tc filter add dev $IFACE parent 1:0 protocol ip prio 5 handle $MARKPRIO6 fw classid 1:106
tc filter add dev $IFACE parent 1:0 protocol ip prio 6 handle $MARKPRIO7 fw classid 1:107
tc filter add dev $IFACE parent 1:0 protocol ip prio 7 handle $MARKPRIO8 fw classid 1:108
tc filter add dev $IFACE parent 1:0 protocol ip prio 8 handle $MARKPRIO9 fw classid 1:109
# Add queuing disciplines
tc qdisc add dev $IFACE parent 1:101 sfq perturb 16 quantum $QUANTUM1
tc qdisc add dev $IFACE parent 1:102 sfq perturb 16 quantum $QUANTUM2
tc qdisc add dev $IFACE parent 1:103 sfq perturb 16 quantum $QUANTUM3
tc qdisc add dev $IFACE parent 1:104 sfq perturb 16 quantum $QUANTUM4
tc qdisc add dev $IFACE parent 1:105 sfq perturb 16 quantum $QUANTUM5
tc qdisc add dev $IFACE parent 1:106 sfq perturb 16 quantum $QUANTUM6
tc qdisc add dev $IFACE parent 1:107 sfq perturb 16 quantum $QUANTUM7
tc qdisc add dev $IFACE parent 1:108 sfq perturb 16 quantum $QUANTUM8
tc qdisc add dev $IFACE parent 1:109 sfq perturb 16 quantum $QUANTUM9
#------------------------------------------------------------------------------------
#------------------------------------------------------------------------------------
#Final REJECT rules for non specificated outgoing packets
$IPTABLES -A lannet -j REJECT
$IPTABLES -A OUTPUT -j REJECT
Lo sto testando da parecchio e devo dire che funziona bene,ma sono ansioso di migliorarlo (con il vostro aiuto!!).
Il prossimo passo sarà quello di aprire una alla volta le porte che mi servono in FORWARD!
Attendo commentii!!! :)
EDIT: Script aggiornato con le modiche suggerite dagli utenti intervenuti in questo post!
Aggiornato al 25/12/05 aggiunto il traffic shaping!!!!
Esperti di linux datemi dei consigli se c'è qualcosa da correggere/migliorare o aggiungere....mi sto appassionando ai firewall e ne voglio uno davvero potente!
#Making variables
IPTABLES="/usr/local/sbin/iptables"
NETWORK_IP="192.168.0.0/24"
ETH_LAN="eth1"
ETH_NET="eth0"
PPP="ppp0"
DNS1="62.211.69.150"
DNS2="212.48.4.15"
DNS3="85.37.17.12"
#Flushing all rules,chains,tables,policies.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#Reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#Reset the default policies in the mangle table.
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
#Flush all the rules in the filter and nat tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#Erase all chains that's not default in filter and nat table.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
#Erase all chains and the rules of all tables.
for table in nat mangle filter
do
$IPTABLES -t $table -F
$IPTABLES -t $table -X
done
#-----------------------------------------------------------------------------
#Close all the traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#-----------------------------------------------------------------------------
#filter bugous ips
$IPTABLES -A INPUT -i $PPP -s 127.0.0.1 -j DROP
$IPTABLES -A INPUT -i $PPP -s 192.168.0.0/16 -j DROP
#------------------------------------------------------------------------------
#kernel's protections
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for a in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $a
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/tcp_ecn
#Fragmented packets management
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 25 > /proc/sys/net/ipv4/ipfrag_time
#Permit fpt active mode into clients
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#-----------------------------------------------------------------------------
#MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_nat
modprobe ipt_MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $NETWORK_IP -j MASQUERADE
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#-----------------------------------------------------------------------------
#Accept all lan traffic
$IPTABLES -A INPUT -i $ETH_LAN -j ACCEPT
$IPTABLES -A OUTPUT -o $ETH_LAN -j ACCEPT
#-----------------------------------------------------------------------------
#Permit loopback connections
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -d 127.0.0.1 -j ACCEPT
#-----------------------------------------------------------------------------
# Drop Invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
#-----------------------------------------------------------------------------
#Portscanners protections
# Drop (NMAP) scan packets
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop packets with bad tcp flags
$IPTABLES -A INPUT -p tcp --tcp-option 64 -j DROP
$IPTABLES -A INPUT -p tcp --tcp-option 128 -j DROP
$IPTABLES -A INPUT -p tcp --dport 0 -j DROP
$IPTABLES -A INPUT -p udp --dport 0 -j DROP
$IPTABLES -A INPUT -p tcp --sport 0 -j DROP
$IPTABLES -A INPUT -p udp --sport 0 -j DROP
#++++++++++++++++++++++++++++++
#Ports opening +
#++++++++++++++++++++++++++++++
#++++++++
#FORWARD+
#++++++++
#-----------------
#Entering packets-
#-----------------
$IPTABLES -N netlan #ppp0(internet) ------> ethX(lan)
$IPTABLES -A FORWARD -i $PPP -o $ETH_LAN -j netlan
#Dns
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS3 -j ACCEPT
$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS3 -j ACCEPT
# Http,https,8080
$IPTABLES -A netlan -m tcp -p tcp -m multiport --sports 80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
# POP3
$IPTABLES -A netlan -m tcp -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMTP
$IPTABLES -A netlan -m tcp -p tcp -m multiport --sports 25,587 -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP
$IPTABLES -A netlan -m tcp -p tcp --sport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# KAZAA
$IPTABLES -A netlan -p tcp --sport 1214 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Shareaza
$IPTABLES -A netlan -p tcp --dport 6346 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p udp --dport 6346 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Soulseek
$IPTABLES -A netlan -p tcp --sport 2234:2240 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --sport 29093 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --dport 29093 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --dport 2234:2240 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --sport 5534 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A netlan -p tcp --dport 5534 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#IRC
#$IPTABLES -A netlan -p tcp --sport 6667 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A netlan -p tcp --sport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p udp --sport 53 -j ACCEPT
#$IPTABLES -A netlan -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -j ACCEPT
#-----------------
#Outgoing packets-
#-----------------
$IPTABLES -N lannet #ethX(lan) ----> ppp0(internet)
$IPTABLES -A FORWARD -i $ETH_LAN -o $PPP -j lannet
#$IPTABLES -A lannet -j ACCEPT
#Dns
$IPTABLES -A lannet -p udp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A lannet -p udp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A lannet -p udp --dport 53 -d $DNS3 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 53 -d $DNS3 -j ACCEPT
#Http and https
$IPTABLES -A lannet -p tcp -m multiport --dport 80,8080,443 -j ACCEPT
#Pop3
$IPTABLES -A lannet -p tcp -m multiport --dport 110,995 -j ACCEPT
#Smtp
$IPTABLES -A lannet -p tcp -m multiport --dport 587,25 -j ACCEPT
#Shareaza
$IPTABLES -A lannet -p tcp --dport 6346 -j ACCEPT
$IPTABLES -A lannet -p udp --dport 6346 -j ACCEPT
#$IPTABLES -A lannet -p tcp --sport 6346 -j ACCEPT
#$IPTABLES -A lannet -p udp --sport 6346 -j ACCEPT
#Kazaa
$IPTABLES -A lannet -p tcp --dport 1214 -j ACCEPT
#Soulseek
$IPTABLES -A lannet -p tcp --dport 2234:2240 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 29093 -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 29093 -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 2234:2240 -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 5534 -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 5534 -j ACCEPT
#IRC
#$IPTABLES -A lannet -p tcp --dport 6667 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A lannet -p tcp --dport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A lannet -p udp --dport 53 -j ACCEPT
#$IPTABLES -A lannet -p tcp --dport 53 -j ACCEPT
#++++++++
#INPUT +
#++++++++
#Dns
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s $DNS3 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS1 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS2 -j ACCEPT
$IPTABLES -A INPUT -i $PPP -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s $DNS3 -j ACCEPT
#http e https
$IPTABLES -A INPUT -i $PPP -p tcp -m multiport --sports 80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
#pop3
$IPTABLES -A INPUT -i $PPP -p tcp -m multiport --sports 110,995 -m state --state ESTABLISHED,RELATED -m limit --limit 60/min -j ACCEPT
#smtp
$IPTABLES -A INPUT -i $PPP -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED,RELATED -m limit --limit 50/min -j ACCEPT
#aMule INPUT
$IPTABLES -A INPUT -i $PPP -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PPP -p udp --dport 4672 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PPP -p udp --dport 4665 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m layer7 --l7proto edonkey -j ACCEPT
#++++++++
#OUTPUT +
#++++++++
#Dns
$IPTABLES -A OUTPUT -p udp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -d $DNS3 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -d $DNS1 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -d $DNS2 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -d $DNS3 -j ACCEPT
#Http and https
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 80,8080,443 -j ACCEPT
#aMule OUTPUT
$IPTABLES -A OUTPUT -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4672 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4665 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4661 -j ACCEPT
$IPTABLES -A OUTPUT -m layer7 --l7proto edonkey -j ACCEPT
#Pop3
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 110,995 -j ACCEPT
#Smtp
$IPTABLES -A OUTPUT -p tcp -m multiport --dport 587,25 -j ACCEPT
#Rsync (needed by urpmi)
$IPTABLES -A OUTPUT -p tcp --dport 873 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 873 -j ACCEPT
#-----------------------------------------------------------------------------
#Ftp management (Thanks to MonMotha)
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $PPP -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# The data connection in active mode
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $PPP -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# The data connection in passive mode
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $PPP -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ftp forward
$IPTABLES -A netlan -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# The data connection in active mode
$IPTABLES -A netlan -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A lannet -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# The data connection in passive mode
$IPTABLES -A netlan -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A lannet -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#-----------------------------------------------------------------------------
#Icmp management
#Accet 3 incoming and outcoming icmp packets/min,drop the others (all the ping are blocked at script's begin)
$IPTABLES -A OUTPUT -p icmp -m limit --limit 3/min -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j DROP
$IPTABLES -A INPUT -p icmp -m limit --limit 3/min -j ACCEPT
$IPTABLES -A INPUT -p icmp -j DROP
#Da http://gentoo-wiki.com/HOWTO_Packet_Shaping
#adattato per regole firewall
# Constants
LOCALNET="192.168.0.0/255.255.255.0"
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
MARKPRIO5="5"
MARKPRIO6="6"
MARKPRIO7="7"
MARKPRIO8="8"
MARKPRIO9="9"
#Flushing mangle tables
$IPTABLES -t mangle -F OUTPUT
$IPTABLES -t mangle -F FORWARD
# Setting priority marks
# Prio 1
#dns
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark $MARKPRIO1
# icmp
$IPTABLES -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
#skype
$IPTABLES -t mangle -A FORWARD -m layer7 --l7proto skypeout -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A FORWARD -m layer7 --l7proto skypetoskype -j MARK --set-mark $MARKPRIO1
# http
$IPTABLES -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO1
# https
$IPTABLES -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO1
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO1
# Prio 2
# non tcp
$IPTABLES -t mangle -A FORWARD -p ! tcp -j MARK --set-mark $MARKPRIO2
$IPTABLES -t mangle -A OUTPUT -p ! tcp -j MARK --set-mark $MARKPRIO2
#Prio 3
# ssh
$IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO3
# ftp (control)
$IPTABLES -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j MARK --set-mark $MARKPRIO3
# smtp
$IPTABLES -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
# Prio 4
# packets > 1024 bytes
$IPTABLES -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
$IPTABLES -t mangle -A OUTPUT -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
# Prio 9
#emule
$IPTABLES -t mangle -A OUTPUT -m layer7 --l7proto edonkey -j MARK --set-mark $MARKPRIO9
#-----------------------------------------------------------
#Constants
# Interface you want to do shaping on
# eth2, eth1 for direct connection; ppp0 or so for dsl
# and other dialup connections (check ifconfig)
IFACE=ppp0
# Priority marks
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
MARKPRIO5="5"
MARKPRIO6="6"
MARKPRIO7="7"
MARKPRIO8="8"
MARKPRIO9="9"
# Rates
UPRATE="240kbit"
#P2PRATE=$UPRATE
#P2PRATE="128kbit"
PRIORATE1="240kbit"
PRIORATE2="80kbit"
PRIORATE3="40kbit"
PRIORATE4="20kbit"
PRIORATE5="10kbit"
PRIORATE6="1kbit"
PRIORATE7="5kbit"
PRIORATE8="5kbit"
PRIORATE9="5kbit"
# Quantum
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"
QUANTUM5="1000"
QUANTUM6="800"
QUANTUM7="500"
QUANTUM8="300"
QUANTUM9="100"
# Burst
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="2k"
BURST5="2k"
BURST6="2k"
BURST7="1k"
BURST8="1k"
BURST9="1k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="128"
CBURST5="128"
CBURST6="128"
CBURST7="64"
CBURST8="64"
CBURST9="64"
#reset queues
tc qdisc del dev ppp0 root
# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16
# Specify queue discipline
tc qdisc add dev $IFACE root handle 1:0 htb default 103 r2q 1
# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1
# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $UPRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3
tc class add dev $IFACE parent 1:1 classid 1:105 htb rate $PRIORATE5 ceil $UPRATE quantum $QUANTUM5 burst $BURST5 cburst $CBURST5 prio 4
tc class add dev $IFACE parent 1:1 classid 1:106 htb rate $PRIORATE6 ceil $UPRATE quantum $QUANTUM6 burst $BURST6 cburst $CBURST6 prio 5
tc class add dev $IFACE parent 1:1 classid 1:107 htb rate $PRIORATE7 ceil $UPRATE quantum $QUANTUM7 burst $BURST7 cburst $CBURST7 prio 6
tc class add dev $IFACE parent 1:1 classid 1:108 htb rate $PRIORATE8 ceil $UPRATE quantum $QUANTUM8 burst $BURST8 cburst $CBURST8 prio 7
tc class add dev $IFACE parent 1:1 classid 1:109 htb rate $PRIORATE9 ceil $UPRATE quantum $QUANTUM9 burst $BURST9 cburst $CBURST9 prio 8
# Filter packets
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104
tc filter add dev $IFACE parent 1:0 protocol ip prio 4 handle $MARKPRIO5 fw classid 1:105
tc filter add dev $IFACE parent 1:0 protocol ip prio 5 handle $MARKPRIO6 fw classid 1:106
tc filter add dev $IFACE parent 1:0 protocol ip prio 6 handle $MARKPRIO7 fw classid 1:107
tc filter add dev $IFACE parent 1:0 protocol ip prio 7 handle $MARKPRIO8 fw classid 1:108
tc filter add dev $IFACE parent 1:0 protocol ip prio 8 handle $MARKPRIO9 fw classid 1:109
# Add queuing disciplines
tc qdisc add dev $IFACE parent 1:101 sfq perturb 16 quantum $QUANTUM1
tc qdisc add dev $IFACE parent 1:102 sfq perturb 16 quantum $QUANTUM2
tc qdisc add dev $IFACE parent 1:103 sfq perturb 16 quantum $QUANTUM3
tc qdisc add dev $IFACE parent 1:104 sfq perturb 16 quantum $QUANTUM4
tc qdisc add dev $IFACE parent 1:105 sfq perturb 16 quantum $QUANTUM5
tc qdisc add dev $IFACE parent 1:106 sfq perturb 16 quantum $QUANTUM6
tc qdisc add dev $IFACE parent 1:107 sfq perturb 16 quantum $QUANTUM7
tc qdisc add dev $IFACE parent 1:108 sfq perturb 16 quantum $QUANTUM8
tc qdisc add dev $IFACE parent 1:109 sfq perturb 16 quantum $QUANTUM9
#------------------------------------------------------------------------------------
#------------------------------------------------------------------------------------
#Final REJECT rules for non specificated outgoing packets
$IPTABLES -A lannet -j REJECT
$IPTABLES -A OUTPUT -j REJECT
Lo sto testando da parecchio e devo dire che funziona bene,ma sono ansioso di migliorarlo (con il vostro aiuto!!).
Il prossimo passo sarà quello di aprire una alla volta le porte che mi servono in FORWARD!
Attendo commentii!!! :)
EDIT: Script aggiornato con le modiche suggerite dagli utenti intervenuti in questo post!
Aggiornato al 25/12/05 aggiunto il traffic shaping!!!!