htb - upload lezy, download działa idealnie..
Przemysław Backiel
przemyslaw.backiel w backiel.com.pl
Śro, 11 Kwi 2007, 15:10:34 CEST
Witam,
mam taki problem:
markuje sobie połączenia dla up i dla downloadu
download działa idealnie jak chce, a upload nie :(
tzn, z uploadu ok działa chyba upload p2p :D
ale www, smtp, ftp jakby się nie słuchało..
markowanie i htb wyglądają tak:
---------------------
#!/bin/sh
#Sciezka do plikow wykonywalnych
PATH="/sbin:/usr/local/sbin:$PATH"
TC=/sbin/tc
IPTABLES=/usr/sbin/iptables
IP=/sbin/ip
IF_OUT=eth0
IF_IN=eth1
case "$1" in
start)
echo "STARTING FIREWALL"
#Ladujemy moduly
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_irc
modprobe ip_nat_ftp
modprobe sch_htb
modprobe sch_sfq
modprobe sch_esfq
modprobe cls_fw
modprobe ipt_MARK
modprobe ipt_TOS
modprobe ipt_TTL
modprobe ipt_CLASSIFY
modprobe ipt_helper
modprobe ipt_ipp2p
modprobe ipt_layer7
rmmod -f imq
modprobe imq numdevs=4
#Czyscimy reguly firewalla
iptables -F
iptables -F -t nat
iptables -t nat -Z
iptables -F -t mangle
iptables -t mangle -Z
iptables -F -t raw
iptables -t raw -Z
#Zalaczamy forwarding w kernelu
echo 1 > /proc/sys/net/ipv4/ip_forward
### Zabezpieczenia ###
echo "STARTING SECURITY..."
#Bug wykryty w iptables
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
#Ochrona przed atakiem SMURF
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Nie akceptujemy pakietow "Source route"
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Nie przyjmujemy pakietow ICMP redirect,
# ktore moga zmienic nasza tablice routingu
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Wlaczamy ochrone przed blednymi pakietami ICMP error
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "SECURITY IS RUNNING"
echo "Uruchamiamy IMQ"
/sbin/ip link set imq0 down
/sbin/ip link set imq1 down
/sbin/ip link set imq2 down
/sbin/ip link set imq0 up
/sbin/ip link set imq1 up
/sbin/ip link set imq2 up
$IPTABLES -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
$IPTABLES -t mangle -A POSTROUTING -d 192.168.134.0/24 -o ppp+ -j IMQ
--todev 1
$IPTABLES -t mangle -A PREROUTING -s 192.168.134.0/24 -i ppp+ -j IMQ
--todev 2
echo "IMQ uruchomione"
#Interfejs lokalny
iptables -A INPUT -i lo -j ACCEPT
#Przychodzace pakiety dla serwera IDENT odrzucamy z komunikatem ICMP
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with
icmp-port-unreachable
#irc szybko ma dzialac
iptables -A INPUT -p tcp -d $WAN_ADR --dport 8080 -j REJECT
--reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -d $WAN_ADR --dport 3128 -j REJECT
--reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -d $WAN_ADR --dport 1080 -j REJECT
--reject-with icmp-port-unreachable
#Wpuszczamy wszystko z LAN
iptables -A INPUT -i eth1 -s 192.168.0.0/255.255.254.0 -j ACCEPT
iptables -A INPUT -i ppp+ -j ACCEPT
iptables -A INPUT -i eth1.100 -j ACCEPT
###################WIRUS
echo "Akcja WIRUS rozpoczeta"
$IPTABLES -t raw -A PREROUTING -p tcp -m multiport --dports
135,136,137,138,139,445,1433 -j NOTRACK
$IPTABLES -t raw -A PREROUTING -p tcp -m multiport --sports
135,136,137,138,139,445,1433 -j NOTRACK
$IPTABLES -t raw -A PREROUTING -p udp -m multiport --dports
135,136,137,138,139,445,1433 -j NOTRACK
$IPTABLES -t raw -A PREROUTING -p udp -m multiport --sports
135,136,137,138,139,445,1433 -j NOTRACK
$IPTABLES -t mangle -A POSTROUTING -s 0/0 -p tcp -d 0/0 -m multiport
--dports 135,136,137,138,139,445,1433 -j DROP
$IPTABLES -t mangle -A POSTROUTING -s 0/0 -p tcp -d 0/0 -m multiport
--sports 135,136,137,138,139,445,1433 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 0/0 -p udp -d 0/0 -m multiport
--dports 135,136,137,138,139,445,1433 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 0/0 -p udp -d 0/0 -m multiport
--sports 135,136,137,138,139,445,1433 -j DROP
####################WIRUS
tutaj ustawiam FORWARDY....
#Akceptujemy polaczenia juz nawiazane
iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p tcp -j ACCEPT -m state --state RELATED
iptables -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p udp -j ACCEPT -m state --state RELATED
iptables -A INPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p udp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state RELATED
#Wpuszczamy ping na interfejsie lokalnym
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -i eth1
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -i ppp+
##Uslugi na serwerze wypuszczane w swiat##
iptables -A INPUT -p tcp -d $WAN_ADR --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -d $WAN_ADR --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -d $WAN_ADR --dport 25 -j ACCEPT
iptables -A INPUT -p udp -d $WAN_ADR --dport 25 -j ACCEPT
####################################################################################
##NAT##
# ponizej nadajemy publiczne adresy IP komputerom
#
echo "MARKOWANIE DLA PAKIETU: wolny - ZAKONCZONO"
#####SNAT dla calej reszty sieci
echo "USTAWIANIE NAT DLA CALEJ SIECI"
tutaj ustawiam nat dla sieci..
#######MARKOWANIE
#########################################
# ICMP
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p icmp -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p icmp -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.0.0/23 --tcp-flags
SYN,FIN,ACK,RST ACK -m length --length 0:65 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -p tcp -d 192.168.0.0/23 --tcp-flags
SYN,FIN,ACK,RST ACK -m length --length 0:65 -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.134.0/23 --tcp-flags
SYN,FIN,ACK,RST ACK -m length --length 0:65 -j MARK --set-mark 1
$IPTABLES -t mangle -A POSTROUTING -p tcp -d 192.168.134.0/23
--tcp-flags SYN,FIN,ACK,RST ACK -m length --length 0:65 -j MARK --set-mark 1
################## UPLOAD
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--dports 20,21 -j MARK --set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--dports 20,21 -j MARK --set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--dports 80,443 -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--dports 80,443 -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --dport 25 -j MARK
--set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --dport 25 -j MARK
--set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --dport 465 -j MARK
--set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --dport 465 -j MARK
--set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto ftp -j
MARK --set-mark 9
#################### C O N N M A R K
echo "rusza CONNMARK"
$IPTABLES -t mangle -A PREROUTING -p tcp -i $IF_OUT -j CONNMARK
--restore-mark
$IPTABLES -t mangle -A POSTROUTING -p tcp -o $IF_OUT -j CONNMARK
--restore-mark
$IPTABLES -A PREROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
echo "markujemy VoIPa"
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m length --length
65:66 -j MARK --set-mark 5
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m length --length
65:66 -j MARK --set-mark 5
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
skypetoskype -j MARK --set-mark 5
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
skypetoskype -j MARK --set-mark 5
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
skypeout -j MARK --set-mark 5
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
skypeout -j MARK --set-mark 5
######---KLASYFIKACJA ZE WZGLĘDU NA PORT---######
#http oraz https
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -m multiport
--dports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m multiport
--dports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -m multiport
--sports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m multiport
--sports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto http
-m mark --mark 0 -j MARK --set-mark 7
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--dports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--dports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--sports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--sports 80,443 -m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto ssl -j
MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto ssl -j
MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -s 193.222.135.229
-m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -s 193.222.135.229
-m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -d 193.222.135.229
-m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -d 193.222.135.229
-m mark --mark 0 -j MARK --set-mark 7;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp --dport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp --sport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --dport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --sport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp --dport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp --sport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --dport 22 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --sport 22 -m mark
--mark 0 -j MARK --set-mark 1;
#dns
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp --dport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp --sport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --dport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --sport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp --dport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp --sport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --dport 53 -m mark
--mark 0 -j MARK --set-mark 1;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --sport 53 -m mark
--mark 0 -j MARK --set-mark 1;
###poczta
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -m multiport
--sports 25,110,465,995 -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m multiport
--sports 25,110,465,995 -j MARK --set-mark 7
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--dports 25,110,465,995 -j MARK --set-mark 7
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--dports 25,110,465,995 -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--dports 110,995 -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--dports 110,995 -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
shoutcast -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
shoutcast -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
httpvideo -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
httpvideo -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
httpaudio -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
httpaudio -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
http-rtsp -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
http-rtsp -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
quicktime -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
quicktime -j MARK --set-mark 7
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
http-itunes -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
http-itunes -j MARK --set-mark 7
echo "KONIEC: markujemy shoutcasty za pomoca layer7"
#news
echo "poczatek NNTP"
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -s 81.15.128.154 -m layer7
--l7proto nntp -j MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -d 81.15.128.154 -m layer7
--l7proto nntp -j MARK --set-mark 7
$
#team speak
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
teamspeak -j MARK --set-mark 5
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
teamspeak -j MARK --set-mark 5
#vnc
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto vnc -j
MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto vnc -j
MARK --set-mark 7
#rdp
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto rdp -j
MARK --set-mark 7
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto rdp -j
MARK --set-mark 7
echo "KLASYFIKOWANIE RUCHU DLA GIER"
echo "rozne rozpoznawane gry - layer7"
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
subspace -j MARK --set-mark 4
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
subspace -j MARK --set-mark 4
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
counterstrike-source -j MARK --set-mark 4
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
counterstrike-source -j MARK --set-mark 4
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
battlefield2 -j MARK --set-mark 4
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
battlefield2 -j MARK --set-mark 4
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
battlefield1942 -j MARK --set-mark 4
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
battlefield1942 -j MARK --set-mark 4
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
halflife2-deathmatch -j MARK --set-mark 4
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
halflife2-deathmatch -j MARK --set-mark 4
echo "rozpoczynamy markowanie FTP"
# ftp pasywne - latajace po roznych portach
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -m helper --helper
ftp -j MARK --set-mark 9
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m helper --helper
ftp -j MARK --set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m helper --helper
ftp -j MARK --set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m helper --helper
ftp -j MARK --set-mark 9
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m multiport
--dports 20,21 -j MARK --set-mark 9
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m multiport
--dports 20,21 -j MARK --set-mark 9
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto ftp -j
MARK --set-mark 9
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto ftp
-j MARK --set-mark 9
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp --sport 21 -j MARK
--set-mark 9
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp --sport 21 -j MARK
--set-mark 9
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp --sport 20 -j MARK
--set-mark 9
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp --sport 20 -j MARK
--set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --dport 20 -j MARK
--set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --dport 20 -j MARK
--set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp --dport 21 -j MARK
--set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp --dport 21 -j MARK
--set-mark 9
# przesyłanie plikow na irc'u - dcc
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m helper --helper irc -j
MARK --set-mark 9
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m helper --helper irc -j
MARK --set-mark 9
#$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m helper --helper egg -j
MARK --set-mark 9
#$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m helper --helper egg -j
MARK --set-mark 9
# to co wykryje ipp2p do 10
echo "Markujemy p2p za pomoca layer7"
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
bittorrent -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
bittorrent -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
fasttrack -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
fasttrack -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
directconnect -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
directconnect -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto edonkey
-j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
edonkey -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
gnutella -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
gnutella -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -m layer7 --l7proto
soulseek -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -m layer7 --l7proto
soulseek -j MARK --set-mark 10
echo "KONIEC: Markujemy p2p za pomoca layer7"
echo "IPP2P zostalo WLAczone"
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -m ipp2p --gnu -j
MARK --set-mark 10;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m ipp2p --gnu -j
MARK --set-mark 10;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m ipp2p --gnu -j
MARK --set-mark 10;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m ipp2p --gnu -j
MARK --set-mark 10;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p tcp -m ipp2p --kazaa -j
MARK --set-mark 10;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p tcp -m ipp2p --kazaa
-j MARK --set-mark 10;
$IPTABLES -t mangle -A PREROUTING -i $IF_OUT -p udp -m ipp2p --kazaa -j
MARK --set-mark 10;
$IPTABLES -t mangle -A POSTROUTING -o $IF_OUT -p udp -m ipp2p --kazaa
-j MARK --set-mark 10;
$IPTABLES -t mangle -A PREROUTING -p tcp -i $IF_OUT -j CONNMARK --save-mark
$IPTABLES -t mangle -A POSTROUTING -p tcp -o $IF_OUT -j CONNMARK --save-mark
echo "CONNMARK - zapisano"
TERAZ EWENTUALNE LOGOWANIE ETC...
SKRYPT HTB WYGLąDA TAK:
WEJSCIE=17500Kbit
P2P_DOWN=14800Kbit
HTTP_DOWN=16450Kbit
FTP_DOWN=6800Kbit
DEFAULT_DOWN=10800Kbit
#####WYJSCIE
WYJSCIE=11000Kbit
P2P_UP=5700Kbit
FTP_UP=5500Kbit
DEFAULT_UP=7400Kbit
/sbin/tc qdisc del dev imq0 root
/sbin/tc qdisc add dev imq0 root handle 1 htb default 50
/sbin/tc qdisc del dev eth0 root
/sbin/tc qdisc add dev eth0 root handle 1 htb default 50
/sbin/tc class add dev imq0 parent 1: classid 1:2 htb rate 90000Kbit
#
/sbin/tc class add dev imq0 parent 1:2 classid 1:95 htb rate 80000Kbit
ceil 80000Kbit prio 1
/sbin/tc qdisc add dev imq0 parent 1:95 handle 95 esfq perturb 1
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 2 handle 16 fw
classid 1:95
#
/sbin/tc class add dev imq0 parent 1:2 classid 1:10 htb rate $WEJSCIE
ceil $WEJSCIE
/sbin/tc class add dev imq0 parent 1:10 classid 1:30 htb rate 400Kbit
ceil 900Kbit prio 1
/sbin/tc qdisc add dev imq0 parent 1:30 handle 30 esfq hash dst perturb 1
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 1 handle 1 fw
classid 1:30
/sbin/tc class add dev imq0 parent 1:10 classid 1:40 htb rate 800Kbit
ceil 1000Kbit prio 2
/sbin/tc qdisc add dev imq0 parent 1:40 handle 40 esfq hash dst perturb 1
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 2 handle 4 fw
classid 1:40
/sbin/tc class add dev imq0 parent 1:10 classid 1:43 htb rate 1650Kbit
ceil 8000Kbit prio 3
/sbin/tc qdisc add dev imq0 parent 1:43 handle 43 esfq hash dst perturb 1
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 3 handle 5 fw
classid 1:43
/sbin/tc class add dev imq0 parent 1:10 classid 1:50 htb rate 50Kbit
ceil $DEFAULT_DOWN prio 12
/sbin/tc qdisc add dev imq0 parent 1:50 handle 50 esfq hash dst perturb 5
/sbin/tc class add dev imq0 parent 1:10 classid 1:60 htb rate 200Kbit
ceil 720Kbit prio 8
/sbin/tc qdisc add dev imq0 parent 1:60 handle 60 esfq hash dst perturb 10
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 8 handle 6 fw
classid 1:60
/sbin/tc class add dev imq0 parent 1:10 classid 1:70 htb rate 250Kbit
ceil $FTP_DOWN prio 9
/sbin/tc qdisc add dev imq0 parent 1:70 handle 70 esfq perturb 10
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 200 handle 9 fw
classid 1:70
/sbin/tc class add dev imq0 parent 1:10 classid 1:80 htb rate 450Kbit
ceil $P2P_DOWN prio 11
/sbin/tc qdisc add dev imq0 parent 1:80 handle 80 esfq hash dst perturb 5
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 200 handle 10
fw classid 1:80
/sbin/tc class add dev imq0 parent 1:10 classid 1:90 htb rate 1000Kbit
ceil $HTTP_DOWN prio 4
/sbin/tc qdisc add dev imq0 parent 1:90 handle 90 esfq perturb 5
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 4 handle 7 fw
classid 1:90
/sbin/tc filter add dev imq0 parent 1:0 protocol ip prio 4 handle 15 fw
classid 1:90
##############################################
/sbin/tc class add dev eth0 parent 1: classid 1:3 htb rate $WYJSCIE ceil
$WYJSCIE
/sbin/tc class add dev eth0 parent 1:3 classid 1:10 htb rate $WYJSCIE
ceil $WYJSCIE
/sbin/tc class add dev eth0 parent 1:10 classid 1:30 htb rate 400Kbit
ceil 900Kbit prio 1
/sbin/tc qdisc add dev eth0 parent 1:30 handle 30 esfq hash src perturb 1
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 1 fw
classid 1:30
/sbin/tc class add dev eth0 parent 1:10 classid 1:40 htb rate 800Kbit
ceil 1000Kbit prio 2
/sbin/tc qdisc add dev eth0 parent 1:40 handle 40 esfq hash src perturb 1
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 4 fw
classid 1:40
/sbin/tc class add dev eth0 parent 1:10 classid 1:43 htb rate 1450Kbit
ceil 8000Kbit prio 3
/sbin/tc qdisc add dev eth0 parent 1:43 handle 43 esfq hash src perturb 1
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 3 handle 5 fw
classid 1:43
/sbin/tc class add dev eth0 parent 1:10 classid 1:50 htb rate 50Kbit
ceil $DEFAULT_UP prio 12
/sbin/tc qdisc add dev eth0 parent 1:50 handle 50 esfq hash src perturb 1
/sbin/tc class add dev eth0 parent 1:10 classid 1:60 htb rate 200Kbit
ceil 320Kbit prio 8
/sbin/tc qdisc add dev eth0 parent 1:60 handle 60 esfq hash src perturb 10
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 8 handle 6 fw
classid 1:60
/sbin/tc class add dev eth0 parent 1:10 classid 1:70 htb rate 1Kbit ceil
$FTP_UP prio 9
/sbin/tc qdisc add dev eth0 parent 1:70 handle 70 esfq perturb 1
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 9 fw
classid 1:70
/sbin/tc class add dev eth0 parent 1:10 classid 1:80 htb rate 1Kbit ceil
$P2P_UP prio 11
/sbin/tc qdisc add dev eth0 parent 1:80 handle 80 esfq hash src
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 200 handle 10
fw classid 1:80
/sbin/tc class add dev eth0 parent 1:10 classid 1:90 htb rate 900Kbit
ceil 8990Kbit prio 4
/sbin/tc qdisc add dev eth0 parent 1:90 handle 90 esfq hash src perturb 1
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 7 fw
classid 1:90
/sbin/tc filter add dev eth0 parent 1:0 protocol ip prio 4 handle 15 fw
classid 1:90
-----------------------------------------------
skrypt HTB zamiesciłem cały, ze skryptu iptables wywaliłęm troche
rzeczy, zaciemniających obraz...
download działa tak jak chce..
upload tak nie działą :(
w czym tkwi błąd?
--
Z powazaniem
Przemyslaw Backiel
Więcej informacji o liście dyskusyjnej pld-users-pl