I have tried following the howto here: http://gentoo-wiki.com/HOWTO_Packet_Shaping but it doesn't work. First of all, it ends up limiting both upload AND download. I have tried a few different ways, all with the same result. Anyone know what is wrong here?
Here is my firewall file:

Code:
#!/bin/bash
##############################################################################
# Explanation of iptables for clarity
##############################################################################
# filter -> table used to implement the firewall
# nat    -> table used to implement IP masquerading (= internet sharing)
# mangle -> table used for specialized packet alteration
#
#  | tables  | chains            | explanation
# -+---------+-------------------+--------------------------------------------
#  |         | _/-- INPUT ------- for traffic coming into your box
#  | filter <_--- OUTPUT ------ for traffic going out of your box
#  |         | \-- FORWARD ----- for packets being routed through the box
#  |         |                   (= packets that aren't meant for you)
#  |         |
#  |         | _/-- PREROUTING -- for altering traffic as soon as it comes in
#  | nat    <_--- OUTPUT ------ for altering locally-generated packets before routing
#  |         | \-- POSTROUTING - for altering traffic as it's about to go out
#  |         |
#  | mangle <--- (all five chains above)
#
##############################################################################
# Options for new rules (-A rules)
# -----------------------------------
# -p -> protocol (tcp, udp, icmp, or all)
# -s -> source
# -d -> destination
# -j -> target of the rule (where to send it)
# -i -> in interface (only for INPUT, FORWARD and PREROUTING chains)
# -o -> out interface (only for FORWARD, OUTPUT and POSTROUTING chains)
#

## Variables applying to the system
IPTABLES='/sbin/iptables'
# external interface
EXTIF='eth0'
# internal interface
INTIF='eth1'
TORRENT_CLIENT_PORT='65123'

### Modules needed, just add one per line.
MODULES="ip_tables
iptable_nat
ip_nat_ftp
ip_conntrack_ftp"

for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done

# Flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

# Set the default policies for the chains
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

### Set up the firewall rules
# Allow all connections established by me (because default is to drop)
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
# Allow anything from the lan to this box
$IPTABLES -t filter -A INPUT -i $INTIF -j ACCEPT
# Allow anything from outside in if connection is already established
$IPTABLES -t filter -A INPUT -i $EXTIF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow the following services in from the wild
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport ssh -j ACCEPT
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
# allow ftp on special port
$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 6543:6599 -j ACCEPT
$IPTABLES -t filter -A INPUT -i $EXTIF -p udp --dport 6543:6599 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i $EXTIF -p tcp --dport 20 -j ACCEPT
#$IPTABLES -t filter -A INPUT -i $EXTIF -p udp --dport 20 -j ACCEPT

## Prioritizing packets for shaping
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# Setting priority marks
# Note: MARK is a non-terminating target, so rule traversal continues and a
# later matching MARK rule in the same chain overwrites an earlier mark.
# Prio 1
# icmp
iptables -t mangle -A FORWARD -p icmp -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark $MARKPRIO1
# ssh
iptables -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARKPRIO1
# non tcp
iptables -t mangle -A FORWARD ! -p tcp -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A OUTPUT ! -p tcp -j MARK --set-mark $MARKPRIO1
# Prio 2
# Prio 3
# http
iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark $MARKPRIO3
# https
iptables -t mangle -A FORWARD -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark $MARKPRIO3
# smtp
iptables -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARKPRIO3
# Prio 4
# packets > 1024 bytes
iptables -t mangle -A FORWARD -p tcp -m length --length 1024: -j MARK --set-mark $MARKPRIO4
# bittorrent
iptables -t mangle -A FORWARD -i eth0 -p tcp --sport 1025:65535 -j MARK --set-mark $MARKPRIO4
iptables -t mangle -A FORWARD -i eth0 -p tcp --dport 1025:65535 -j MARK --set-mark $MARKPRIO4
# Remaining packets are marked according to TOS
iptables -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Delay -m mark --mark 0 -j MARK --set-mark $MARKPRIO1
iptables -t mangle -A FORWARD -p tcp -m tos --tos Maximize-Throughput -m mark --mark 0 -j MARK --set-mark $MARKPRIO2
iptables -t mangle -A FORWARD -p tcp -m tos --tos Minimize-Cost -m mark --mark 0 -j MARK --set-mark $MARKPRIO4

## To work around comcast torrent block
#iptables -A INPUT -p tcp --dport $TORRENT_CLIENT_PORT --tcp-flags RST RST -j DROP
##END torrent block

### create custom chains
#$IPTABLES -N private-internet
#$IPTABLES -N internet-private
#$IPTABLES -N icmp_accept

# Create a special log and drop chain
$IPTABLES -N log_drop
$IPTABLES -A log_drop -j LOG --log-prefix "DROP---> "
$IPTABLES -A log_drop -j DROP
# log and reject chain
$IPTABLES -N log_reject
$IPTABLES -A log_reject -j LOG --log-prefix "REJECT---> "
$IPTABLES -A log_reject -j REJECT
# log and drop test for new rules
$IPTABLES -N log_drop_test
$IPTABLES -A log_drop_test -j LOG --log-prefix "TEST-DROP---> "
$IPTABLES -A log_drop_test -j DROP

### Special forwarding for internal servers and certain programs
## lain forwards (192.168.2.22)
# quake 3 on lain
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27960 -j DNAT --to 192.168.2.22:27960
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 27960 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27961 -j DNAT --to 192.168.2.22:27961
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 27961 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 27960 -j DNAT --to 192.168.2.22:27960
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 27960 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 27961 -j DNAT --to 192.168.2.22:27961
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 27961 -j ACCEPT

# Descent 3 on lain
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2092 -j DNAT --to 192.168.2.22:2092
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 2092 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2093 -j DNAT --to 192.168.2.22:2093
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 2093 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2092 -j DNAT --to 192.168.2.22:2092
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 2092 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2093 -j DNAT --to 192.168.2.22:2093
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 2093 -j ACCEPT

# azureus on laptop
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 65124 -j DNAT --to 192.168.2.22:65124
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 65124 -j DNAT --to 192.168.2.22:65124
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 65124 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 65124 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34625 -j DNAT --to 192.168.2.22:34625
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 34625 -j ACCEPT

# azureus to lain - 192.168.1.22
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 65123 -j DNAT --to 192.168.2.23:65123
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 65123 -j DNAT --to 192.168.2.23:65123
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.23 --dport 65123 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.23 --dport 65123 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34625 -j DNAT --to 192.168.2.23:34625
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.23 --dport 34625 -j ACCEPT

# gtk-gnutella to laptop
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 34064 -j DNAT --to 192.168.2.22:34064
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34064 -j DNAT --to 192.168.2.22:34064
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 34064 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 34064 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 34065 -j DNAT --to 192.168.2.23:34065
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 34065 -j DNAT --to 192.168.2.23:34065
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.23 --dport 34065 -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.23 --dport 34065 -j ACCEPT

# VNC to lain
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT --to 192.168.2.28:5900
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 5900 -j ACCEPT

# rdesktop to lain
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.2.22:3389
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 3389 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 3389 -j DNAT --to 192.168.2.22:3389
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.22 --dport 3389 -j ACCEPT

## nyuu forwards (192.168.2.28)
# Descent 3 server to nyuu (192.168.2.28)
# trackers
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 22999 -j DNAT --to 192.168.2.28:22999
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 22999 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 27900 -j DNAT --to 192.168.2.28:27900
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 27900 -j ACCEPT
# d3 game servers
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 2111:2119 -j DNAT --to 192.168.2.28:2111-2119
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 2111:2119 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 2111:2119 -j DNAT --to 192.168.2.28:2111-2119
#$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.28 --dport 2111:2119 -j ACCEPT
# nyuu: vnc incoming
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5910 -j DNAT --to 192.168.2.28:5910
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.28 --dport 5910 -j ACCEPT

# ftp to proliant
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 21 -j DNAT --to 192.168.2.26:21
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.26 --dport 21 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 20 -j DNAT --to 192.168.2.26:20
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.26 --dport 20 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 21 -j DNAT --to 192.168.2.22:21
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 21 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 20 -j DNAT --to 192.168.2.22:20
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.22 --dport 20 -j ACCEPT

# palantir on MythTV box
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3000 -j DNAT --to 192.168.2.24:3000
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.24 --dport 3000 -j ACCEPT

# mythweb (apache server) on MythTV box
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8080 -j DNAT --to 192.168.2.24:8080
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.2.24 --dport 8080 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 8080 -j DNAT --to 192.168.2.24:8080
$IPTABLES -A FORWARD -p udp -i $EXTIF -d 192.168.2.24 --dport 8080 -j ACCEPT

### Set up the ip forwarding
$IPTABLES -t filter -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t filter -A FORWARD -i $EXTIF -o $INTIF -m state --state RELATED,ESTABLISHED -j ACCEPT

### Set up ip masquerading
# Allow the internal boxes onto the Internet
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

## enable ip forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

And here is the script that sets up the traffic shaping:

Code:
#!/bin/bash
##
# Constants
# Interface you want to do shaping on
# eth2, eth1 for direct connection; ppp0 or so for dsl
# and other dialup connections (check ifconfig)
IFACE=eth0

# clear it out first (errors if no qdisc is attached yet, so silence that)
tc qdisc del dev $IFACE root 2>/dev/null

# Priority marks (must match the fw marks set in the firewall script)
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"

# Rates
UPRATE="152kbit"
#P2PRATE=$UPRATE
P2PRATE="128kbit"
PRIORATE1="65kbit"
PRIORATE2="46kbit"
PRIORATE3="27kbit"
PRIORATE4="8kbit"

# Quantum
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="1500"

# Burst
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="0k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="0k"

# Set queue length for IFACE
ifconfig $IFACE txqueuelen 16

# Specify queue discipline (egress of $IFACE; unmarked packets go to class 1:103)
tc qdisc add dev $IFACE root handle 1:0 htb default 103 r2q 1

# Set root class
tc class add dev $IFACE parent 1:0 classid 1:1 htb rate $UPRATE burst $BURST1 cburst $CBURST1

# Specify sub classes
tc class add dev $IFACE parent 1:1 classid 1:101 htb rate $PRIORATE1 ceil $UPRATE quantum $QUANTUM1 burst $BURST1 cburst $CBURST1 prio 0
tc class add dev $IFACE parent 1:1 classid 1:102 htb rate $PRIORATE2 ceil $UPRATE quantum $QUANTUM2 burst $BURST2 cburst $CBURST2 prio 1
tc class add dev $IFACE parent 1:1 classid 1:103 htb rate $PRIORATE3 ceil $UPRATE quantum $QUANTUM3 burst $BURST3 cburst $CBURST3 prio 2
tc class add dev $IFACE parent 1:1 classid 1:104 htb rate $PRIORATE4 ceil $P2PRATE quantum $QUANTUM4 burst $BURST4 cburst $CBURST4 prio 3

# Filter packets (fw classifier: route by the netfilter mark into the classes)
tc filter add dev $IFACE parent 1:0 protocol ip prio 0 handle $MARKPRIO1 fw classid 1:101
tc filter add dev $IFACE parent 1:0 protocol ip prio 1 handle $MARKPRIO2 fw classid 1:102
tc filter add dev $IFACE parent 1:0 protocol ip prio 2 handle $MARKPRIO3 fw classid 1:103
tc filter add dev $IFACE parent 1:0 protocol ip prio 3 handle $MARKPRIO4 fw classid 1:104

# Add queuing disciplines
tc qdisc add dev $IFACE parent 1:101 sfq perturb 16 quantum $QUANTUM1
tc qdisc add dev $IFACE parent 1:102 sfq perturb 16 quantum $QUANTUM2
tc qdisc add dev $IFACE parent 1:103 sfq perturb 16 quantum $QUANTUM3
tc qdisc add dev $IFACE parent 1:104 sfq perturb 16 quantum $QUANTUM4
firewall.sh
Description: application/shellscript
shaping2.sh
Description: application/shellscript
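To see which fw mark the posted FORWARD mangle chain finally assigns to a given packet, here is a small Python model of that chain (an added example, not the poster's script and not from the Gentoo howto). It replays the posted rules in order with iptables semantics: MARK is a non-terminating target, so the last matching MARK rule wins, and the TOS fallbacks fire only while the mark is still 0. The packets are constructed sample values; "eth0" and "eth1" are the external and LAN interfaces as in the posted script.

```python
# Model of the posted mangle FORWARD chain (added example, not the poster's code).
# Emulated iptables semantics: rules are walked in order, and MARK does not stop
# traversal, so the last matching MARK rule decides the final fw mark.
MARKPRIO1, MARKPRIO2, MARKPRIO3, MARKPRIO4 = 1, 2, 3, 4

def tcp(p):
    return p["proto"] == "tcp"

def from_ext(p):  # "-i eth0": the packet arrived on the external interface
    return p["iface_in"] == "eth0"

# (match predicate, mark) in the same order as the posted rules; the TOS
# fallbacks read p["mark"] where the posted rule says "-m mark --mark 0".
FORWARD_RULES = [
    (lambda p: p["proto"] == "icmp", MARKPRIO1),                         # 0 icmp
    (lambda p: tcp(p) and p["dport"] == 22, MARKPRIO1),                  # 1 ssh
    (lambda p: not tcp(p), MARKPRIO1),                                   # 2 non tcp
    (lambda p: tcp(p) and p["dport"] == 80, MARKPRIO3),                  # 3 http
    (lambda p: tcp(p) and p["dport"] == 443, MARKPRIO3),                 # 4 https
    (lambda p: tcp(p) and p["dport"] == 25, MARKPRIO3),                  # 5 smtp
    (lambda p: tcp(p) and p["length"] >= 1024, MARKPRIO4),               # 6 length 1024:
    (lambda p: tcp(p) and from_ext(p) and 1025 <= p["sport"] <= 65535, MARKPRIO4),  # 7 bt sport
    (lambda p: tcp(p) and from_ext(p) and 1025 <= p["dport"] <= 65535, MARKPRIO4),  # 8 bt dport
    (lambda p: tcp(p) and p["mark"] == 0 and p["tos"] == "Minimize-Delay", MARKPRIO1),       # 9
    (lambda p: tcp(p) and p["mark"] == 0 and p["tos"] == "Maximize-Throughput", MARKPRIO2),  # 10
    (lambda p: tcp(p) and p["mark"] == 0 and p["tos"] == "Minimize-Cost", MARKPRIO4),        # 11
]

def classify(packet):
    """Walk the chain; return (final mark, indexes of the rules that matched)."""
    p = dict(packet, mark=0)
    matched = []
    for idx, (match, mark) in enumerate(FORWARD_RULES):
        if match(p):
            p["mark"] = mark
            matched.append(idx)
    return p["mark"], matched

def pkt(proto, sport, dport, length, iface_in, tos="Normal-Service"):
    return dict(proto=proto, sport=sport, dport=dport, length=length,
                iface_in=iface_in, tos=tos)

# Constructed sample packets; "eth1" is the LAN side, as in the posted script.
SSH_KEYSTROKE = pkt("tcp", 40000, 22, 96, "eth1")          # interactive ssh upload
SCP_BULK = pkt("tcp", 40001, 22, 1448, "eth1")             # scp over ssh, full segment
UDP_TORRENT = pkt("udp", 65123, 6881, 1400, "eth1")        # torrent UDP upload
WEB_REPLY = pkt("tcp", 80, 51000, 1400, "eth1")            # LAN web server answering
TOS_BULK = pkt("tcp", 40002, 9999, 100, "eth1", "Maximize-Throughput")
TORRENT_DOWNLOAD = pkt("tcp", 51413, 65123, 1500, "eth0")  # inbound data, exits via eth1
```

`classify(SCP_BULK)` returns `(4, [1, 6])`: the ssh rule marks it 1, then the "packets > 1024 bytes" rule overwrites that with 4, so bulk scp lands in the P2P class while small keystrokes stay in class 1:101; `classify(TORRENT_DOWNLOAD)` gets mark 4 too, but that packet leaves through eth1, where the shaping script attaches no qdisc.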

