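#!/bin/bash
#
# Firewall and traffic-shaping (iptables/tc) setup for a small LAN gateway
# with two uplinks. Every site-specific value (IPT, TC, IF_*, SIEC, MASKA,
# SERWER, host lists, rate limits, ...) comes from the sourced config below.
#
# The script depends on bash features (`source`, `$[...]` arithmetic, `==`
# inside `[ ]`), so it is declared as a bash script rather than /bin/sh.

# debug
#set -x

#source ${0%firewall.sh}firewall.conf.new
FW_CONF=/root/bin/firewall.conf.new

# A missing or unreadable config used to be silently ignored: every variable
# stayed empty, "$IPT -F" ran a bare "-F", the chain policies below were never
# applied, while forwarding was still switched on. Fail loudly instead.
if [ ! -r "$FW_CONF" ]; then
    echo "firewall: cannot read configuration file $FW_CONF" >&2
    exit 1
fi
. "$FW_CONF"

# Variables the rest of the script cannot run without.
: "${IPT:?firewall: IPT (iptables path) must be set in $FW_CONF}"
: "${TC:?firewall: TC (tc path) must be set in $FW_CONF}"
: "${IF_INET:?firewall: IF_INET (uplink interface) must be set in $FW_CONF}"
: "${IF_LAN:?firewall: IF_LAN (LAN interface) must be set in $FW_CONF}"
: "${SIEC:?firewall: SIEC (LAN network prefix) must be set in $FW_CONF}"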

# Connection-tracking / NAT helper modules for FTP and IRC
modprobe ip_nat_ftp
modprobe ip_nat_irc

 # Enable IPv4 packet forwarding
 # NOTE(review): this is written before the tables are flushed and the FORWARD
 # policy is set to DROP further down, so until that point forwarding runs
 # under whatever rules and policies were previously loaded. Moving this line
 # after the policy setup would close that window.
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
 # Ignore all ICMP echo requests (disabled)
#/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
 # Ignore echo requests sent to broadcast addresses (Smurf amplification)
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 # Don't accept source-routed packets
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
 # Don't accept ICMP redirects, which could alter our routing table
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
 # Ignore bogus ICMP error responses
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
 # Log "martian" packets (spoofed, source-routed, redirected)
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
 # SYN cookies (SYN-flood resistance)
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
 # TCP Explicit Congestion Notification
/bin/echo "1" > /proc/sys/net/ipv4/tcp_ecn
 # Disable TCP timestamps (the author's "timestamps protection"; note this also
 # gives up the PAWS / RTT measurement that timestamps provide)
/bin/echo "0" > /proc/sys/net/ipv4/tcp_timestamps
 # TCP session limits: shorter FIN-WAIT timeout, fewer keepalive probes
/bin/echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
#/bin/echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
/bin/echo "7" > /proc/sys/net/ipv4/tcp_keepalive_probes # 9
#/bin/echo "1" > /proc/sys/net/ipv4/tcp_window_scaling #gbit łącza
#/bin/echo "0" > /proc/sys/net/ipv4/tcp_sack
#/bin/echo "20480" > /proc/sys/net/ipv4/ip_conntrack_max
 # Seconds an IP fragment is kept in the reassembly queue
/bin/echo "20" > /proc/sys/net/ipv4/ipfrag_time
#/bin/echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
#/bin/echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog

# Flush and delete every chain in the filter, nat and mangle tables and zero
# the filter counters. Chain policies are not touched here; they are set below.
echo "Czyszczenie tablic iptables..."
$IPT -F
$IPT -X
$IPT -Z
$IPT -F -t nat
$IPT -X -t nat
$IPT -F -t filter
$IPT -X -t filter
$IPT -F -t mangle
$IPT -X -t mangle

# Tear down any existing root qdisc on every shaped interface so the shaping
# below starts from a clean state (the error for a missing qdisc is silenced).
echo "Resetowanie kolejkowania..."
$TC qdisc del root dev $IF_INET 2> /dev/null
$TC qdisc del root dev $IF_INET2 2> /dev/null
$TC qdisc del root dev $IF_LAN 2> /dev/null
$TC qdisc del root dev $IF_DN 2> /dev/null
$TC qdisc del root dev $IF_UP 2> /dev/null

# Default policies: drop unsolicited input and any forwarding that no rule
# below explicitly accepts; the gateway itself may talk out freely.
$IPT -t filter -P INPUT DROP
$IPT -t filter -P FORWARD DROP  # Drop anything not explicitly allowed to be forwarded
$IPT -t filter -P OUTPUT ACCEPT

# Established connections and their related traffic
$IPT -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# NULL scan detection: TCP with no flags set is logged (rate-limited) and dropped
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "SKAN_NULL: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Every packet considered NEW without the SYN flag is suspicious (logging
# chain disabled; the plain DROP below covers it without logging)
#$IPT -N skany
#$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j skany
#$IPT -A skany -p tcp --tcp-flags ALL RST -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "SKAN_INVERSE: "
#$IPT -A skany -p tcp --tcp-flags ALL RST -j DROP
#$IPT -A skany -p tcp --tcp-flags ALL ACK -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "SKAN_TCP_PING: "
#$IPT -A skany -p tcp --tcp-flags ALL ACK -j DROP
#$IPT -A skany -p tcp --tcp-flags ALL FIN -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "SKAN_FIN: "
#$IPT -A skany -p tcp --tcp-flags ALL FIN -j DROP
#$IPT -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "SKAN_XMAS-NMAP: "
#$IPT -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
#$IPT -A skany -p tcp -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "SKAN_INNE: "
#$IPT -A skany -j DROP

# syn-flood chain (DoS defence, disabled)
#$IPT -N syn-flood
#$IPT -A INPUT -i $IF_INET -p tcp --syn -j syn-flood
#$IPT -A syn-flood -m limit --limit 2/s --limit-burst 5 -j RETURN
#$IPT -A syn-flood -m limit --limit 2/s --limit-burst 5 -j LOG --log-level debug --log-prefix "SYN-FLOOD: "
#$IPT -A syn-flood -j DROP

# Drop NEW TCP connections that do not start with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments (second and later fragments; with connection tracking loaded
# packets are normally reassembled before they reach this rule)
$IPT -A INPUT -f -j DROP
# Drop packets conntrack considers INVALID
$IPT -A INPUT  -m state --state INVALID -j DROP

# "ping of death": echo requests arriving on the uplink are limited to ~1/s
# (burst 4); the excess is dropped (logging of the excess is disabled)
$IPT -A INPUT -i $IF_INET -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 4 -j ACCEPT
#$IPT -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level debug --log-prefix "PING_OF_DEATH: "
$IPT -A INPUT -i $IF_INET -p icmp --icmp-type echo-request -j DROP

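# New-connection rate limit per port: more than $PORTY_LIMIT_ILE new
# connections from one source within 60 s to a port listed in $PORTY_LIMIT
# are dropped (xt_recent, one list per port).

if [ -n "$PORTY_LIMIT" ]; then
    case "$PORTY_LIMIT_ILE" in
        ''|*[!0-9]*)
            echo "firewall: PORTY_LIMIT_ILE must be a number (got '$PORTY_LIMIT_ILE'); port limits skipped" >&2
            ;;
        *)
            echo "Limit polaczeń na porty: "$PORTY_LIMIT" do "$PORTY_LIMIT_ILE" na minutę"
            # The original "$PORTY_LIMIT_ILE+1" was plain string concatenation
            # (e.g. "5+1"), which is not a valid --hitcount, so the DROP rule was
            # never installed. Evaluate it arithmetically.
            HITCOUNT=$((PORTY_LIMIT_ILE + 1))
            for p in $PORTY_LIMIT ; do
                $IPT -A INPUT -p tcp --dport $p -i $IF_INET -m state --state NEW -m recent --set --name TCP$p
                $IPT -A INPUT -p tcp --dport $p -i $IF_INET -m state --state NEW -m recent --update --name TCP$p --seconds 60 --hitcount $HITCOUNT -j DROP
            done
            ;;
    esac
fi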

# INET - accept incoming TCP on the listed ports
if [ ! "$INPUT_TCP" == "" ]; then
    echo $IF_INET "- akceptacja na wejściu TCP dla portów: "$INPUT_TCP
    for i in $INPUT_TCP ; do
        $IPT -A INPUT -i $IF_INET -p tcp --dport $i -j ACCEPT
    done
fi

# INET - accept incoming UDP on the listed ports
if [ ! "$INPUT_UDP" == "" ]; then
    echo $IF_INET "- akceptacja na wejściu UDP dla portów: "$INPUT_UDP
    for i in $INPUT_UDP ; do
        $IPT -A INPUT -i $IF_INET -p udp --dport $i -j ACCEPT
    done
fi

# Everything arriving from the LAN side is trusted
$IPT -A INPUT -i $IF_LAN -j ACCEPT

# Reset TCP addressed to 127.1.2.3 (purpose not documented in the config seen here)
$IPT -A INPUT -p tcp -d 127.1.2.3 -j REJECT --reject-with tcp-rst

# Loopback; deliberately after the 127.1.2.3 rule so that one still applies
$IPT -A INPUT -i lo -j ACCEPT

# IPv6-in-IPv4 (protocol 41) tunnel traffic.
# NOTE(review): accepted on every interface from any source, ahead of the
# REJECT rules below. If the tunnel endpoint is fixed, restrict this to
# "-i $IF_INET -s <tunnel-endpoint>".
$IPT -A INPUT -j ACCEPT --proto 41

# Reject (rather than drop) whatever is left on the uplink: TCP gets a RST,
# UDP an ICMP port-unreachable. Other interfaces fall through to the INPUT
# DROP policy unless a later rule accepts them.
$IPT -A INPUT -p tcp -i $IF_INET -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p udp -i $IF_INET -j REJECT --reject-with icmp-port-unreachable

# ...or silently DROP instead (disabled)
#$IPT -A INPUT -i $IF_INET -j DROP

# FORWARD: replies to tracked connections first
$IPT -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -m state --state ESTABLISHED -j ACCEPT
$IPT -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop NEW TCP connections that do not start with SYN
$IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragments (second and later fragments)
$IPT -A FORWARD -f -j DROP
# Drop packets conntrack considers INVALID
$IPT -A FORWARD -m state --state INVALID -j DROP


# Per-host outbound ping limit: each host listed in PINGLIMIT may send about
# one echo-request per second (burst 6) towards the internet; the rest is
# rejected.
if [ ! "$PINGLIMIT" == "" ]; then
 for i in $PINGLIMIT ; do
  $IPT -t filter -A FORWARD -o $IF_INET -s $SIEC.$i -p icmp --icmp-type echo-request -m limit --limit 1/sec --limit-burst 6 -j ACCEPT
  $IPT -t filter -A FORWARD -o $IF_INET -s $SIEC.$i -p icmp --icmp-type echo-request -j REJECT
 done
fi

# Per-source (mask 32) limit on new outbound TCP connections from the LAN.
# NOTE(review): "$SIEC/$MASKA" lacks the ".0" host part that every other rule
# in this file uses ("$SIEC.0/$MASKA"). libxtables pads a short dotted address
# with zero octets, so it happens to work, but the explicit form is consistent
# with the rest of the file — verify and align.
if [ ! "$CONNLIMIT_ABOVE" == "" ]; then
    $IPT -t filter -A FORWARD -s $SIEC/$MASKA -p tcp --syn -m connlimit --connlimit-above $CONNLIMIT_ABOVE --connlimit-mask 32 -j $CONNLIMIT_WITH
fi
#if [ ! "$CONNLIMIT" == "" ]; then
#    echo "connlimit dla "$CONNLIMIT
#    for i in $CONNLIMIT ; do
#     $IPT -t filter -A FORWARD -o $IF_INET -s $SIEC.$i -p TCP --dport ! 80 --syn -m connlimit --connlimit-above $CONNLIMIT_ABOVE -j $CONNLIMIT_WITH
#    done
#fi

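# P2P blocking. Packets classified as P2P carry mark 256 (set in mangle
# PREROUTING further down, via ipp2p + CONNMARK); here the mark decides which
# LAN hosts may have such traffic forwarded.
#   P2P_DENY="all"  -> block everyone except the hosts in P2P_ACCEPT
#   P2P_DENY="a b"  -> block only the listed hosts
#   P2P_DENY=""     -> no blocking
# $P2P_DENY_WITH is the target for blocked packets (e.g. DROP/REJECT).
 modprobe ipt_ipp2p

if [ -n "$P2P_DENY" ]; then
    echo "Blokada P2P dla: "$P2P_DENY
    # The original test was written as [ "$P2P_DENY"="all" ] (no spaces),
    # which is a non-empty-string test and therefore always true: every
    # non-empty P2P_DENY behaved like "all" and the per-host branch below was
    # unreachable. Compare explicitly.
    if [ "$P2P_DENY" = "all" ]; then
        echo "p2p dopuszczone dla: "$P2P_ACCEPT
        # Allowed hosts first (both directions), then a catch-all for the rest.
        for i in $P2P_ACCEPT ; do
            #$IPT -t filter -A FORWARD -s $SIEC.$i -m ipp2p $P2P_DENY_NET -j ACCEPT
            $IPT -t filter -A FORWARD -s $SIEC.$i -m mark --mark 256 -j ACCEPT
            $IPT -t filter -A FORWARD -d $SIEC.$i -m mark --mark 256 -j ACCEPT
        done
        #$IPT -t filter -A FORWARD -m ipp2p $P2P_DENY_NET -j $P2P_DENY_WITH
        $IPT -t filter -A FORWARD -m mark --mark 256 -j $P2P_DENY_WITH
    else
        # Only the listed hosts are blocked (both directions).
        for i in $P2P_DENY ; do
            #$IPT -t filter -A FORWARD -s $SIEC.$i -m ipp2p $P2P_DENY_NET -j $P2P_DENY_WITH
            $IPT -t filter -A FORWARD -s $SIEC.$i -m mark --mark 256 -j $P2P_DENY_WITH
            $IPT -t filter -A FORWARD -d $SIEC.$i -m mark --mark 256 -j $P2P_DENY_WITH
        done
    fi
fi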


							  
# Block forwarding of traffic to the listed destination ports (TCP and UDP)
if [ ! "$PORTY_BLOKADA" == "" ]; then
    echo "Blokada forwardowania ruchu do portów: "$PORTY_BLOKADA
    for i in $PORTY_BLOKADA ; do
        $IPT -t filter -A FORWARD -o $IF_INET -p tcp --dport $i -j DROP
        $IPT -t filter -A FORWARD -o $IF_INET -p udp --dport $i -j DROP
    done
fi


# ARP
# Load static MAC<->IP entries into the ARP table. The message names
# /etc/ethers, but the file read is whatever $MAC points to — presumably that
# same path; confirm in the config.
if [ ! "$MAC" == "" ]; then
    echo "Ładowanie adresów MAC do tablicy ARP z /etc/ethers"
    /sbin/arp -f $MAC
fi

# Remove the ARP entries of the listed hosts.
# NOTE(review): this uses $ARP while the load above calls /sbin/arp directly;
# use one of them (the variable, like $IPT/$TC) in both places.
if [ ! "$CLEAN_ARP" == "" ]; then
    echo "Czyszczenie wpisów w tablicy ARP dla: "$CLEAN_ARP
    for i in $CLEAN_ARP ; do
	$ARP -d $SIEC.$i
    done
fi


# Automatyczne rozpoznawanie MTU
#$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Forwarding between the LAN and the internet: either for the whole network
# (FORWARD=all) or only for the hosts listed in VIP and USER.
# NOTE: USER is the config's list of LAN host numbers and shadows the login
# name the shell environment normally keeps in $USER, so the sourced config
# must always set it — otherwise the login name would be used as a host.
if [ "$FORWARD" == "all" ]; then
    echo "FORWARD dla całej sieci"
    $IPT -t filter -A FORWARD -s $SIEC.0/$MASKA -d 0/0 -j ACCEPT
    $IPT -t filter -A FORWARD -s 0/0 -d $SIEC.0/$MASKA -j ACCEPT
else
    # One ACCEPT pair per host; the BLOKADA loop near the end of the file
    # deletes exactly these two rules for blocked hosts.
    echo "FORWARD dla VIP: "$VIP
    for i in $VIP ; do
     $IPT -t filter -A FORWARD -s $SIEC.$i -d 0/0 -j ACCEPT
     $IPT -t filter -A FORWARD -s 0/0 -d $SIEC.$i -j ACCEPT
    done
    echo "FORWARD dla USER: "$USER
    for i in $USER ; do
     $IPT -t filter -A FORWARD -s $SIEC.$i -d 0/0 -j ACCEPT
     $IPT -t filter -A FORWARD -s 0/0 -d $SIEC.$i -j ACCEPT
    done
fi

# Maskarada
#$IPT -t nat -A POSTROUTING -o $IF_INET -s $SIEC.0/$MASKA -j MASQUERADE

# DNS: transparently redirect LAN DNS queries (except those addressed to the
# gateway itself) to $DNS
if [ ! "$DNS" == "" ]; then
    $IPT -t nat -A PREROUTING -i $IF_LAN -s $SIEC.0/$MASKA -d ! $SERWER -p UDP --dport 53 -j DNAT --to $DNS:53
    $IPT -t nat -A PREROUTING -i $IF_LAN -s $SIEC.0/$MASKA -d ! $SERWER -p TCP --dport 53 -j DNAT --to $DNS:53
fi

# P2P on port 80 goes neither through squid nor to the gateway's own port 80
$IPT -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -m ipp2p --ipp2p -j DROP
$IPT -t filter -A INPUT -p tcp --dport 80 -m ipp2p --ipp2p -j REJECT

# Per-host limit on concurrent port-80 connections (in nat PREROUTING, i.e.
# evaluated on the first packet of each connection)
if [ ! "$CONNLIMIT80" == "" ]; then
    echo "connlimit na port 80 dla "$CONNLIMIT80
    for i in $CONNLIMIT80 ; do
     $IPT -t nat -A PREROUTING -i $IF_LAN -s $SIEC.$i -p TCP --dport 80 --syn -m connlimit --connlimit-above $CONNLIMIT80_ABOVE -j $CONNLIMIT80_WITH
    done
fi

# HTTP to this external /24 bypasses the squid redirect below (RETURN ends
# PREROUTING traversal for it). The network is hard-coded and not documented here.
#$IPT -t nat -A PREROUTING -i $IF_LAN -d 194.9.223.6 -p tcp --dport 80 -j RETURN
$IPT -t nat -A PREROUTING -i $IF_LAN -d 194.9.223.0/24 -p tcp --dport 80 -j RETURN

# Squid transparent proxy: redirect LAN HTTP (except to the gateway) to the
# local squid port, for the whole LAN (SQUID_FOR=ALL) or for listed hosts only.
# NOTE(review): "-d ! $SERWER" is the old inversion syntax; newer iptables
# releases only accept "! -d $SERWER".
if [ ! "$SQUID_PORT" == "" ]; then
    echo -n "Squid transparent proxy na porcie "$SQUID_PORT
    if [ "$SQUID_FOR" == "ALL" ]; then
	echo " dla całej sieci"
	$IPT -t nat -A PREROUTING -i $IF_LAN -d ! $SERWER -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
#	    $IPT -t nat -A PREROUTING -i $IF_LAN -d ! $SERWER -p tcp --dport 80 -j DNAT --to 10.10.10.2:3128
    else
	echo " dla "$SQUID_FOR
        for i in $SQUID_FOR ; do
	 $IPT -t nat -A PREROUTING -i $IF_LAN -s $SIEC.$i -d ! $SERWER -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
#    $IPT -t nat -A PREROUTING -s $SIEC.$i -d ! $SERWER -p tcp --dport 80 -j DNAT --to 10.10.10.2:3128
	done
    fi
fi

# TTL
#echo "TTL=64"
#$IPT -t mangle -A POSTROUTING -j TTL --ttl-set 64
                                                                                                           
# TOS
echo "Ustawianie TOS..."
# Clear the TOS byte on everything forwarded (presumably so LAN hosts cannot
# pick their own priority), then set it per service on the way out.
#$IPT -t mangle -A PREROUTING -i $IF_LAN -j TOS --set-tos 0 # na wejściu z lanu zerujemy
$IPT -t mangle -A FORWARD -p all -j TOS --set-tos 0 # cleared in FORWARD
# Set on the way out to the internet: 8 = maximize throughput, 16 = minimize delay
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 20 -j TOS --set-tos 8  # FTP data
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 21 -j TOS --set-tos 16 # FTP control
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 22 -j TOS --set-tos 16 # SSH
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 23 -j TOS --set-tos 16 # Telnet
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 25 -j TOS --set-tos 8  # SMTP
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 53 -j TOS --set-tos 16 # DNS
$IPT -t mangle -A POSTROUTING -o $IF_INET -p udp --dport 53 -j TOS --set-tos 16 # DNS
$IPT -t mangle -A POSTROUTING -o $IF_INET -p tcp --dport 80 -j TOS --set-tos 8  # HTTP
#$IPT -t mangle -A POSTROUTING -o $IF_LAN -j TOS --set-tos 0
#$IPT -t mangle -A POSTROUTING -o $IF_LAN -j TOS --set-tos 0


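# Number of shaped hosts (VIP + USER); the per-host download/upload guarantees
# below are the link budget divided by this count.
# NOTE: USER here is the config's list of host numbers and shadows the login
# name the environment normally carries in $USER — the sourced config must
# always set it, otherwise the login name would be counted as a host.
# Uses POSIX $(( )) instead of the deprecated bash-only $[ ] form.
USERS=0
for i in $VIP $USER ; do
    USERS=$((USERS + 1))
done


echo "Uruchamianie kolejkowania dla $USERS uzytkownikow..."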

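### DOWNLOAD ########################################################################
# Download shaping hangs off $IF_LAN: root HTB 1:0, unclassified traffic goes
# to the LAN class 1:303. Arithmetic uses POSIX $(( )) instead of the
# deprecated bash-only $[ ] form (an unset variable still evaluates to 0).
$TC qdisc add dev $IF_LAN root handle 1:0 htb default 303
$TC class add dev $IF_LAN parent 1:0 classid 1:301 htb rate $((LAN_SPEED))Mbit ceil $((LAN_SPEED))Mbit quantum $QUANTUM

# Internet class: traffic coming from the uplink, capped at DOWNLOAD2 kbit.
$TC class add dev $IF_LAN parent 1:301 classid 1:302 htb rate $((DOWNLOAD2))kbit ceil $((DOWNLOAD2))kbit quantum $QUANTUM
 # PRIO class (interactive traffic) inside the internet class
$TC class add dev $IF_LAN parent 1:302 classid 1:310 htb prio 1 rate $((PRIO_DN_RATE))kbit ceil $((PRIO_DN_CEIL))kbit quantum $QUANTUM
$TC qdisc add dev $IF_LAN parent 1:310 sfq perturb 5 #$SCH $DST
 # PRIO class filters: SSH (222 and 22), DNS, ICMP by source port / protocol
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 1 u32 match ip sport 222 0xffff flowid 1:310 # SSH
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 1:310 # SSH
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 1 u32 match ip sport 53 0xffff flowid 1:310 # DNS
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:310 # ICMP
#$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 1 handle 255 fw flowid 1:310 # skype
#$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:310 # TOS 0x10


# LAN class (local server -> LAN traffic): 1 Mbit guaranteed, up to LAN_SPEED-3 Mbit
$TC class add dev $IF_LAN parent 1:301 classid 1:303 htb prio 6 rate 1Mbit ceil $((LAN_SPEED - 3))Mbit quantum $QUANTUM
$TC qdisc add dev $IF_LAN parent 1:303 sfq #$SCH $DST

# P2P class for traffic from $IF_INET (marks 256/257 set in mangle PREROUTING
# further down). It is a sibling of the internet class 1:302, so its DOWNLOAD
# kbit budget is accounted separately from DOWNLOAD2.
$TC class add dev $IF_LAN parent 1:301 classid 1:304 htb prio 5 rate $((DOWNLOAD))kbit ceil $((DOWNLOAD))kbit quantum $QUANTUM
$TC qdisc add dev $IF_LAN parent 1:304 esfq perturb 8 hash dst
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 3 handle 256 fw flowid 1:304
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 3 handle 257 fw flowid 1:304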


# klasa SAMBY
#$TC class add dev $IF_LAN parent 1:301 classid 1:304 htb prio 7 rate 1Mbit ceil $[$SMB_MAX]Mbit quantum $QUANTUM
#$TC qdisc add dev $IF_LAN parent 1:304 sfq #$SCH $DST

#$IPT -t mangle -A OUTPUT -o $IF_LAN -s $SERWER -d $SIEC.0/$MASKA -p tcp --sport 139 -j MARK --set-mark 304
#$IPT -t mangle -A OUTPUT -o $IF_LAN -s $SERWER -d $SIEC.0/$MASKA -p tcp --sport 445 -j MARK --set-mark 304
#$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 5 handle 304 fw flowid 1:304


 # Mark packets FROM the server TO the LAN (except those from squid, port 3128)
 # with 303 so they land in the LAN class instead of the internet class; the
 # RETURN stops further mangle OUTPUT processing for them.
 # NOTE(review): "--sport ! 3128" is the old inversion syntax; newer iptables
 # releases only accept "! --sport 3128".
$IPT -t mangle -A OUTPUT -o $IF_LAN -s $SERWER -d $SIEC.0/$MASKA -p tcp --sport ! 3128 -j MARK --set-mark 303
$IPT -t mangle -A OUTPUT -o $IF_LAN -s $SERWER -d $SIEC.0/$MASKA -p tcp --sport ! 3128 -j RETURN
$IPT -t mangle -A OUTPUT -o $IF_LAN -s $SERWER -d $SIEC.0/$MASKA -p udp -j MARK --set-mark 303
$IPT -t mangle -A OUTPUT -o $IF_LAN -s $SERWER -d $SIEC.0/$MASKA -p udp -j RETURN
####$IPT -t mangle -A OUTPUT -s 83.14.69.98 -d $SIEC.0/$MASKA -j MARK --set-mark 303
####$IPT -t mangle -A OUTPUT -s 83.14.69.98 -d $SIEC.0/$MASKA -j RETURN
 # squid transparent proxy + ZPH patch
 # cache HITs from squid (TCP with TOS 0x8) go into the LAN class
#$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 2 u32 match ip protocol 0x6 0xff match u32 0x8804ABCD 0xffffffff at 20 flowid 1:303
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 2 u32 match ip protocol 0x6 0xff match ip tos 0x8 0xff flowid 1:303
####$IPT -t mangle -A POSTROUTING -o $IF_LAN -p tcp --sport 3128 -m tos --tos 0x8 -j MARK --set-mark 403 # HITy do statystyk
 # packets marked 303 go to the LAN class
$TC filter add dev $IF_LAN parent 1:0 protocol ip prio 3 handle 303 fw flowid 1:303


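### KLASY - DOWNLOAD ###

# Guaranteed per-host download: what is left of the internet class after the
# PRIO reservation, split evenly across the shaped hosts.
# Guard against USERS being 0 (empty VIP and USER lists): the original
# $[.../$USERS] then failed with a division-by-zero error and USER_DN_RATE
# ended up as the bare string "kbit", which tc rejects. With no hosts there is
# nothing to split, so the whole remainder is used as the rate.
# Arithmetic uses POSIX $(( )) instead of the deprecated bash-only $[ ] form.
if [ "${USERS:-0}" -gt 0 ]; then
    USER_DN_RATE=$(( (DOWNLOAD2 - PRIO_DN_RATE) / USERS ))
else
    USER_DN_RATE=$(( DOWNLOAD2 - PRIO_DN_RATE ))
fi
USER_DN_RATE=${USER_DN_RATE}kbit
echo "User download rate: "$USER_DN_RATE

# Ceilings come straight from the config (evaluated arithmetically, so a
# missing value becomes 0 rather than an empty "kbit").
USER_DN_CEIL=$((USER_DN_CEIL))kbit
echo "User download ceil: "$USER_DN_CEIL

VIP_DN_CEIL=$((VIP_DN_CEIL))kbit
echo "VIP download ceil : "$VIP_DN_CEIL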

# underconstruction by mariusz
# ADMINS_DN_CEIL=$[ADMINS_DN_CEIL]kbit
# echo "ADMINS download ceil : "$ADMINS_DN_CEIL
#for i in $ADMINS ; do
#    $TC class add dev $IF_LAN parent 1:302 classid 1:$i htb prio 3 rate $USER_DN_RATE ceil $ADMINS_DN_CEIL quantum $QUANTUM
#    $TC filter add dev $IF_LAN protocol ip prio 3 parent 1:0 u32 match ip dst $SIEC.$i flowid 1:$i
#    $TC qdisc add dev $IF_LAN parent 1:$i $SCH $SRC
#done
#


# One HTB class, one u32 filter (by destination IP) and one leaf qdisc per
# host. VIPs get the VIP ceiling, ordinary users the user ceiling; both share
# the same guaranteed rate.
# NOTE(review): tc parses the class minor id as hexadecimal, so host 10 becomes
# class 1:10 (= 0x10). That is applied consistently on the class and filter
# side here; it only matters that host numbers never reach the fixed classes
# 1:301-1:310, which last-octet values (<= 254) cannot.
for i in $VIP ; do
    $TC class add dev $IF_LAN parent 1:302 classid 1:$i htb prio 4 rate $USER_DN_RATE ceil $VIP_DN_CEIL quantum $QUANTUM
    $TC filter add dev $IF_LAN protocol ip prio 4 parent 1:0 u32 match ip dst $SIEC.$i flowid 1:$i
    $TC qdisc add dev $IF_LAN parent 1:$i $SCH $SRC
done
for i in $USER ; do
    $TC class add dev $IF_LAN parent 1:302 classid 1:$i htb prio 4 rate $USER_DN_RATE ceil $USER_DN_CEIL quantum $QUANTUM
    $TC filter add dev $IF_LAN protocol ip prio 4 parent 1:0 u32 match ip dst $SIEC.$i flowid 1:$i
    $TC qdisc add dev $IF_LAN parent 1:$i $SCH $SRC
done


### OUTBOUND TRAFFIC (uplink 1) ###################################################
# Upload shaping on $IF_INET: root HTB 2:0, unclassified traffic -> 2:302.
$TC qdisc add dev $IF_INET root handle 2:0 htb default 302
$TC class add dev $IF_INET parent 2:0 classid 2:300 htb rate ${UPLOAD}kbit ceil ${UPLOAD}kbit quantum $QUANTUM

 # PRIO1 class: interactive / control traffic
$TC class add dev $IF_INET parent 2:300 classid 2:301 htb prio 1 rate ${PRIO1_UP_RATE}kbit ceil ${PRIO1_UP_CEIL}kbit quantum $QUANTUM
$TC qdisc add dev $IF_INET parent 2:301 sfq #perturb 5 #$SCH $SRC
 # PRIO1 filters: small pure TCP ACKs (IP header length 5, total length < 64,
 # TCP flags == ACK at offset 33), DNS, SSH on 22 and 222, ICMP
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip protocol 6 0xff \
 match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 2:301 # ACK
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip dport 53 0xffff flowid 2:301 # to DNS
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip sport 53 0xffff flowid 2:301 # from DNS
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 2:301 # to SSH
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 2:301 # from SSH
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 2:301 # ICMP
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip dport 222 0xffff flowid 2:301 # to SSH
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 1 u32 match ip sport 222 0xffff flowid 2:301 # from SSH


# Server + lower-priority traffic -> Internet: everything the gateway itself
# sends on the uplink is marked 302 in mangle OUTPUT, and both that mark and
# 255 (skype, set in mangle PREROUTING further down) are steered into 2:302.
$TC class add dev $IF_INET parent 2:300 classid 2:302 htb prio 2 rate ${SERWER_UP_RATE}kbit ceil ${SERWER_UP_CEIL}kbit quantum $QUANTUM
$IPT -t mangle -A OUTPUT -o $IF_INET -p tcp -j MARK --set-mark 302 #--sport ! 80
$IPT -t mangle -A OUTPUT -o $IF_INET -p udp -j MARK --set-mark 302
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 2 handle 302 fw flowid 2:302 # everything from the server
$TC filter add dev $IF_INET parent 2:0 protocol ip prio 2 handle 255 fw flowid 2:302 # skype
$TC qdisc add dev $IF_INET parent 2:302 $SCH $DST

### OUTBOUND TRAFFIC (uplink 2) ###################################################
# Identical to the uplink-1 block except for the device and the *2 variables.
# NOTE(review): a small shell function taking (device, upload, prio rate/ceil,
# server rate/ceil) would remove this duplication and keep both uplinks in sync.
$TC qdisc add dev $IF_INET2 root handle 2:0 htb default 302
$TC class add dev $IF_INET2 parent 2:0 classid 2:300 htb rate ${UPLOAD2}kbit ceil ${UPLOAD2}kbit quantum $QUANTUM

 # PRIO1 class: interactive / control traffic
$TC class add dev $IF_INET2 parent 2:300 classid 2:301 htb prio 1 rate ${PRIO1_UP_RATE2}kbit ceil ${PRIO1_UP_CEIL2}kbit quantum $QUANTUM
$TC qdisc add dev $IF_INET2 parent 2:301 sfq #perturb 5 #$SCH $SRC
 # PRIO1 filters: small pure TCP ACKs, DNS, SSH on 22 and 222, ICMP
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip protocol 6 0xff \
 match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 2:301 # ACK
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip dport 53 0xffff flowid 2:301 # to DNS
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip sport 53 0xffff flowid 2:301 # from DNS
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip dport 22 0xffff flowid 2:301 # to SSH
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip sport 22 0xffff flowid 2:301 # from SSH
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip protocol 1 0xff flowid 2:301 # ICMP
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip dport 222 0xffff flowid 2:301 # to SSH
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 1 u32 match ip sport 222 0xffff flowid 2:301 # from SSH


# Server + lower-priority traffic -> Internet (mark 302 from mangle OUTPUT,
# mark 255 = skype)
$TC class add dev $IF_INET2 parent 2:300 classid 2:302 htb prio 2 rate ${SERWER_UP_RATE2}kbit ceil ${SERWER_UP_CEIL2}kbit quantum $QUANTUM
$IPT -t mangle -A OUTPUT -o $IF_INET2 -p tcp -j MARK --set-mark 302 #--sport ! 80
$IPT -t mangle -A OUTPUT -o $IF_INET2 -p udp -j MARK --set-mark 302
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 2 handle 302 fw flowid 2:302 # everything from the server
$TC filter add dev $IF_INET2 parent 2:0 protocol ip prio 2 handle 255 fw flowid 2:302 # skype
$TC qdisc add dev $IF_INET2 parent 2:302 $SCH $DST


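 ### KLASY - UPLOAD ###
# Per-host upload ceilings come straight from the config.
USER_UP_CEIL=${USER_UP_CEIL}kbit
echo "User upload ceil: "$USER_UP_CEIL

VIP_UP_CEIL=${VIP_UP_CEIL}kbit
echo "VIP upload ceil : "$VIP_UP_CEIL

# Guaranteed per-host upload: uplink budget minus the PRIO1 and server
# reservations, split evenly across the shaped hosts.
# Guard against USERS being 0 (no shaped hosts): the original $[.../$USERS]
# then failed with a division-by-zero error and USER_UP_RATE became the bare
# string "kbit", which tc rejects. With no hosts there is nothing to split.
# Arithmetic uses POSIX $(( )) instead of the deprecated bash-only $[ ] form.
if [ "${USERS:-0}" -gt 0 ]; then
    USER_UP_RATE=$(( (UPLOAD - PRIO1_UP_RATE - SERWER_UP_RATE) / USERS ))
else
    USER_UP_RATE=$(( UPLOAD - PRIO1_UP_RATE - SERWER_UP_RATE ))
fi
USER_UP_RATE=${USER_UP_RATE}kbit
echo "User/VIP upload rate: "$USER_UP_RATE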


# Connection classification in mangle PREROUTING:
#  - restore the connection mark onto the packet; a non-zero mark means the
#    connection was classified earlier, so stop here
#  - otherwise classify: 255 = skype (layer7), 257 = anything arriving from the
#    uplink, 256 = P2P (ipp2p; overrides 257 for P2P coming from the uplink)
#  - persist the 255 and 256 marks on the connection (257 is per packet only)
# Mark 256 is what the P2P FORWARD rules and class 1:304 key on; 255 feeds the
# "skype" filter of class 2:302.
$IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
$IPT -t mangle -A PREROUTING -m layer7 --l7proto skypetoskype -j MARK --set-mark 255
$IPT -t mangle -A PREROUTING -i $IF_INET -j MARK --set-mark 257
$IPT -t mangle -A PREROUTING -m ipp2p --ipp2p -j MARK --set-mark 256
$IPT -t mangle -A PREROUTING -m mark --mark 255 -j CONNMARK --save-mark
$IPT -t mangle -A PREROUTING -m mark --mark 256 -j CONNMARK --save-mark

# Already-classified packets skip the rest of mangle FORWARD (the per-host
# upload marks appended later in the file)
$IPT -t mangle -A FORWARD -m mark --mark 255 -j RETURN
$IPT -t mangle -A FORWARD -m mark --mark 256 -j RETURN
$IPT -t mangle -A FORWARD -m mark --mark 257 -j RETURN

# Na drugie lacze
#ip rule add fwmark 280 table 1 #marki
#ip rule add fwmark 255 table 1 #skype

#$IPT -t nat -A POSTROUTING -o $IF_INET -j SNAT --to-source 10.10.10.1
#$IPT -t nat -A POSTROUTING -o $IF_INET2 -j SNAT --to-source 83.14.69.103


# Masquerade everything leaving on either uplink
$IPT -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $IF_INET2 -j MASQUERADE

# NOTE(review): this accepts *all* inbound traffic on the second uplink,
# whereas $IF_INET only gets the INPUT_TCP/INPUT_UDP ports and is then
# REJECTed. Unless $IF_INET2 is a trusted link, filter it the same way as
# $IF_INET.
$IPT -t filter -A INPUT -i $IF_INET2 -j ACCEPT

# Mark 280: traffic that could be steered to the second uplink (the matching
# "ip rule add fwmark 280 table 1" is commented out above): HTTP, IPv6-in-IPv4,
# DNS, SSH, HTTPS, IRC (6666/6667), 7171 (not documented here), ICMP.
# These PREROUTING rules are appended after the 255/256/257 classification,
# so for matching packets they overwrite those marks.
$IPT -t mangle -A PREROUTING -p tcp --sport 80 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 280

$IPT -t mangle -A OUTPUT -p 41 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 53 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p udp --dport 53 -j MARK --set-mark 280

$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 280

$IPT -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 280

$IPT -t mangle -A PREROUTING -p tcp --dport 6666 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 6666 -j MARK --set-mark 280
$IPT -t mangle -A PREROUTING -p tcp --dport 6667 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 6667 -j MARK --set-mark 280

$IPT -t mangle -A PREROUTING -p tcp --dport 7171 -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p tcp --dport 7171 -j MARK --set-mark 280

$IPT -t mangle -A PREROUTING -p icmp -j MARK --set-mark 280
$IPT -t mangle -A OUTPUT -p icmp -j MARK --set-mark 280

#$IPT -t mangle -A PREROUTING -d 88.86.109.241 -j MARK --set-mark 280
#$IPT -t mangle -A OUTPUT -d 88.86.109.241 -j MARK --set-mark 280

# dsl.cz: set TOS 8 (maximize throughput) on traffic from this host
$IPT -t mangle -A POSTROUTING -s 88.86.109.241 -j TOS --set-tos 8 # dsl.cz


#$IPT -t mangle -I PREROUTING -d 83.13.41.154 -j TOS --set-tos 2

#if [ ! "$P2P_ACCEPT"="" ]; then
#    P2P_UP_CEIL=${P2P_UP_CEIL}kbit
#    echo "P2P upload ceil : "$P2P_UP_CEIL
#    $TC class add dev $IF_INET parent 2:300 classid 2:256 htb prio 5 rate 1kbit ceil $P2P_UP_CEIL quantum $QUANTUM
#    $TC filter add dev $IF_INET parent 2:0 protocol ip prio 3 handle 256 fw flowid 2:256
#    $TC qdisc add dev $IF_INET parent 2:256 $SCH #$DST
#fi

#$IPT -t mangle -A POSTROUTING -m mark --mark 256 -j CLASSIFY --set-class 2:256
#$IPT -t mangle -A POSTROUTING -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:12

# Per-host upload classes on uplink 1: each host gets an HTB class 2:<host>,
# its outbound packets are marked with the host number in mangle FORWARD
# (RETURN stops further marking) and an fw filter steers that mark into the
# class. VIPs and users differ only in the ceiling.
# NOTE: only $IF_INET gets per-host upload shaping; nothing equivalent exists
# for $IF_INET2 in this file.
for i in $VIP ; do
    $TC class add dev $IF_INET parent 2:300 classid 2:$i htb prio 4 rate $USER_UP_RATE ceil $VIP_UP_CEIL quantum $QUANTUM
    # packet marking - upload
    $IPT -t mangle -A FORWARD -s $SIEC.$i -o $IF_INET -j MARK --set-mark $i
    $IPT -t mangle -A FORWARD -s $SIEC.$i -o $IF_INET -j RETURN
    # filters - upload
    $TC filter add dev $IF_INET parent 2:0 protocol ip prio 4 handle $i fw flowid 2:$i
    # packet scheduler - upload
    $TC qdisc add dev $IF_INET parent 2:$i $SCH #$DST
done

for i in $USER ; do
    $TC class add dev $IF_INET parent 2:300 classid 2:$i htb prio 4 rate $USER_UP_RATE ceil $USER_UP_CEIL quantum $QUANTUM
    # packet marking - upload
    $IPT -t mangle -A FORWARD -s $SIEC.$i -o $IF_INET -j MARK --set-mark $i
    $IPT -t mangle -A FORWARD -s $SIEC.$i -o $IF_INET -j RETURN
    # filters - upload
    $TC filter add dev $IF_INET parent 2:0 protocol ip prio 4 handle $i fw flowid 2:$i
    # packet scheduler - upload
    $TC qdisc add dev $IF_INET parent 2:$i $SCH #$DST
done

# Zewnetrzne IP
#$IPT -t nat -A PREROUTING -i $IF_INET -d 83.14.69.99 -j DNAT --to-destination 192.168.97.2
#$IPT -t nat -A POSTROUTING -o $IF_INET -s 192.168.97.2 -j SNAT --to-source 83.14.69.99


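# Port forwarding: each host number N in PORT_FWD gets the TCP and UDP port
# range 5NN00-5NN99 on the uplink DNATed to it, with N zero-padded to two
# digits (host 7 -> 50700:50799, host 42 -> 54200:54299).

# Print the "from:to" port range for host number $1 on stdout.
# Returns 1 (prints nothing) when the number does not fit the two-digit
# scheme: a three-digit host would yield ports above 65535, which the
# original loop passed to iptables only to have the rule rejected.
_port_fwd_range() {
    local n=$1
    case ${#n} in
        1) n=0$n ;;
        2) ;;
        *) return 1 ;;
    esac
    printf '5%s00:5%s99\n' "$n" "$n"
}

for ip in $PORT_FWD ; do
    zakres=$(_port_fwd_range "$ip") || {
        echo "firewall: PORT_FWD host $ip does not fit the 5NN00:5NN99 scheme, skipped" >&2
        continue
    }
    $IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport $zakres -j DNAT --to $SIEC.$ip
    $IPT -t nat -A PREROUTING -i $IF_INET -p udp --dport $zakres -j DNAT --to $SIEC.$ip
done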

#for ip in $VIP ; do
#    zakres=$ip
#    if [ `echo -n $zakres | wc -m` = 1 ] ; then
#	zakres=0$ip
#    fi
#
#    if [ `echo -n $zakres | wc -m` = 2 ] ; then
#    $IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport 5$zakres\00:5$zakres\99 -j DNAT --to $SIEC.$ip
#    $IPT -t nat -A PREROUTING -i $IF_INET -p udp --dport 5$zakres\00:5$zakres\99 -j DNAT --to $SIEC.$ip
#    fi
#done
#for ip in $USER ; do
#    zakres=$ip
#    if [ `echo -n $zakres | wc -m` = 1 ] ; then
#	zakres=0$ip
#    fi
#
#    if [ `echo -n $zakres | wc -m` = 2 ] ; then
#    $IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport 5$zakres\00:5$zakres\99 -j DNAT --to $SIEC.$ip
#    $IPT -t nat -A PREROUTING -i $IF_INET -p udp --dport 5$zakres\00:5$zakres\99 -j DNAT --to $SIEC.$ip
#    fi
#done


# Static port forwards to specific LAN hosts (RDP on .105, ranges on .126/.141).
# NOTE(review): these hard-code 192.168.97.x while the rest of the file builds
# addresses from $SIEC; presumably SIEC=192.168.97, in which case "$SIEC.105"
# etc. would keep them tied to the config.
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport 60105 -j DNAT --to-destination 192.168.97.105:3389
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport 60106 -j DNAT --to-destination 192.168.97.105:60106
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport 60126:60156 -j DNAT --to-destination 192.168.97.126
$IPT -t nat -A PREROUTING -i $IF_INET -p tcp --dport 60157:60167 -j DNAT --to-destination 192.168.97.141

# Tunnels: accept everything arriving on tun* interfaces (forwarding for them
# is disabled)
#$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT -A INPUT -i tun+ -j ACCEPT
#$IPT -A FORWARD -i tun+ -j ACCEPT
#$IPT -A FORWARD -o tun+ -j ACCEPT


# Spammers: block outbound SMTP from these two hosts.
# NOTE(review): these are appended to FORWARD after the per-host / whole-LAN
# ACCEPT rules above, so for any host those rules already accept, these DROPs
# are never reached. Inserting them ("-I FORWARD") or placing them before the
# FORWARD ACCEPT section would make them effective — verify intent.
$IPT -A FORWARD -p tcp --dport 25 -s 192.168.97.159 -j DROP
$IPT -A FORWARD -p tcp --dport 25 -s 192.168.97.111 -j DROP

# Blocked hosts: their HTTP is hijacked to the gateway's port 81 (presumably an
# information page) and their FORWARD ACCEPT pair is removed.
# NOTE(review): the DNAT hard-codes eth1 / 192.168.97.1 where the rest of the
# file uses $IF_LAN / $SERWER. "-I" puts it ahead of the squid REDIRECT so it
# wins. The "-D" lines remove the per-host rules created when FORWARD != all;
# with FORWARD=all there is nothing to delete, the command fails harmlessly and
# the host keeps full forwarding apart from HTTP.
echo "Blokada i przekierowanie na "$SERWER":81 dla: "$BLOKADA
for i in $BLOKADA ; do
    $IPT -t nat -I PREROUTING -i eth1 -s 192.168.97.$i -d ! 192.168.97.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.97.1:81
    $IPT -t filter -D FORWARD -s $SIEC.$i -d 0/0 -j ACCEPT
    $IPT -t filter -D FORWARD -s 0/0 -d $SIEC.$i -j ACCEPT
done

# www.dg-net.pl: never DNATed/proxied, always forwarded in both directions
$IPT -t nat -I PREROUTING -i eth1 -d 212.85.96.95 -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -d 212.85.96.95 -j ACCEPT
$IPT -A FORWARD -s 212.85.96.95 -j ACCEPT

# Unauthorised hosts (.50-.80): HTTP hijacked to port 81 like BLOKADA above.
# Unlike BLOKADA, their FORWARD rules are not removed, so only web traffic is
# affected — verify that is intended.
for i in `seq 50 80` ; do
    $IPT -t nat -A PREROUTING -i eth1 -s 192.168.97.$i -d ! 192.168.97.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.97.1:81
done

