0,0 → 1,119 |
#!/bin/sh |
# $Id$ |
# script de mise en place des regles du parefeu d'Alcasar (mode QOS) |
# 3abtux - Rexy |
# Non adapté à ALCASAR car valable pour serveurs disposés dans le réseau LAN internet qui n'est pas notre besoin. |
|
# Un peu de config |
TC="/sbin/tc" |
IPTABLES="/sbin/iptables" |
#IPTABLES=`which iptables` |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" |
PRIVATE_NETWORK_MASK="192.168.182.0/24" |
PRIVATE_IP="192.168.182.1" |
|
# Vitesse max de la connexion internet en Kbit/s |
MAX_UPLOAD="1000" |
MAX_DOWNLOAD="8000" |
|
FTP="50" |
WEB="100" |
SMTP="40" |
POP="60" |
DEFAULT="100" |
SPEED=$MAX_UPLOAD |
SLOW="10" |
|
BP_MAX=100 |
BP_MIN=10 |
BP_WEB=$WEB*$MAX_UPLOAD/100 |
BP_FTP=$FTP*$MAX_UPLOAD/100 |
BP_POP=$POP*$MAX_UPLOAD/100 |
BP_SMTP=$SMTP*$MAX_UPLOAD/100 |
|
|
################################################ |
# Local protection rules sur SSH prioritaire # |
################################################ |
$IPTABLES -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay |
|
# Netoyage |
$TC qdisc del dev $EXTIF root >/dev/null 2>&1 |
$TC qdisc del dev $EXTIF ingress >/dev/null 2>&1 |
$TC qdisc del dev $TUNIF root >/dev/null 2>&1 |
$TC qdisc del dev $TUNIF ingress >/dev/null 2>&1 |
|
# Création de la classe parent: |
$TC qdisc add dev $EXTIF root handle 1: htb default 20 |
$TC class add dev $EXTIF parent 1: classid 1:1 htb rate ${MAX_UPLOAD}kbit ceil ${MAX_UPLOAD}kbit burst 6k |
|
# Download |
$TC qdisc add dev $TUNIF root handle 2: htb |
$TC class add dev $TUNIF parent 2: classid 2:1 htb rate ${MAX_DOWNLOAD}kbit ceil ${MAX_DOWNLOAD}kbit burst 6k |
|
# Classe Download LIMIT |
$TC class add dev $TUNIF parent 2:1 classid 2:10 htb rate ${MAX_DOWNLOAD}kbit ceil ${MAX_DOWNLOAD}kbit burst 6k prio 9 |
$TC filter add dev $TUNIF parent 2:0 protocol ip prio 9 handle 100 fw flowid 2:10 |
$IPTABLES -t mangle -A FORWARD -d $LAN_1 -j MARK --set-mark 100 |
$IPTABLES -t mangle -A FORWARD -d $LAN_2 -j MARK --set-mark 100 |
$IPTABLES -t mangle -A FORWARD -d $LAN_3 -j MARK --set-mark 100 |
$IPTABLES -t mangle -A FORWARD -d $LAN_4 -j MARK --set-mark 100 |
$IPTABLES -t mangle -A FORWARD -d $LAN_5 -j MARK --set-mark 100 |
|
|
# Classe par défaut |
$TC class add dev ${EXTIF} parent 1:1 classid 1:20 htb rate ${DEFAULT}kbit ceil ${MAX_UPLOAD}kbit burst 6k prio 3 |
|
# Classe rapide |
$TC class add dev ${EXTIF} parent 1:20 classid 1:10 htb rate ${SPEED}kbit ceil ${MAX_UPLOAD}kbit burst 6k prio 1 |
$TC filter add dev ${EXTIF} parent 1:0 protocol ip prio 1 handle 10 fw flowid 1:10 |
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 6667 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p tcp --dport 6667 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p tcp --sport 6667 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p tcp --sport 7000 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p tcp --sport 6668 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p tcp --sport 6669 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p icmp -j MARK --set-mark 10 |
$IPTABLES -t mangle -A OUTPUT -p icmp -j MARK --set-mark 10 |
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A OUTPUT -p tcp --sport 22 -j MARK --set-mark 10 |
$IPTABLES -t mangle -A FORWARD -p tcp --dport 22 -j MARK --set-mark 10 |
# cs |
$IPTABLES -t mangle -A FORWARD -p udp --sport 27005 -j MARK --set-mark 10 |
|
# Classe LENTE |
$TC class add dev $EXTIF parent 1:1 classid 1:30 htb rate ${SLOW}kbit prio 5 |
$TC filter add dev $EXTIF parent 1:0 protocol ip prio 5 handle 30 fw flowid 1:30 |
#$IPTABLES -t mangle -A FORWARD -p tcp --sport 4662 -j MARK --set-mark 30 |
#$IPTABLES -t mangle -A FORWARD -p udp --sport 4665 -j MARK --set-mark 30 |
#$IPTABLES -t mangle -A FORWARD -p tcp --dport 4662 -j MARK --set-mark 30 |
#$IPTABLES -t mangle -A FORWARD -p udp --dport 4665 -j MARK --set-mark 30 |
|
# Classe WEB |
$TC class add dev $EXTIF parent 1:20 classid 1:21 htb rate ${WEB}kbit prio 2 |
$TC filter add dev $EXTIF parent 1:0 protocol ip prio 2 handle 21 fw flowid 1:21 |
$IPTABLES -t mangle -A OUTPUT -p tcp --sport 80 -j MARK --set-mark 21 |
$IPTABLES -t mangle -A FORWARD -p tcp --sport 80 -j MARK --set-mark 21 |
|
# Classe FTP |
$TC class add dev $EXTIF parent 1:20 classid 1:22 htb rate ${FTP}kbit prio 4 |
$TC filter add dev $EXTIF parent 1:0 protocol ip prio 3 handle 22 fw flowid 1:22 |
$IPTABLES -t mangle -A OUTPUT -p tcp --sport 21 -j MARK --set-mark 22 |
$IPTABLES -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 22 |
|
# Classe SMTP |
$TC class add dev $EXTIF parent 1:20 classid 1:23 htb rate ${SMTP}kbit prio 4 |
$TC filter add dev $EXTIF parent 1:0 protocol ip prio 4 handle 23 fw flowid 1:23 |
$IPTABLES -t mangle -A OUTPUT -p tcp --sport 25 -j MARK --set-mark 23 |
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 23 |
$IPTABLES -t mangle -A FORWARD -p tcp --dport 25 -j MARK --set-mark 23 |
$IPTABLES -t mangle -A FORWARD -p tcp --sport 25 -j MARK --set-mark 23 |
|
$TC class add dev $EXTIF parent 1:20 classid 1:210 htb rate ${POP}kbit prio 4 |
$TC filter add dev $EXTIF parent 1:0 protocol ip prio 4 handle 210 fw flowid 1:210 |
|
$IPTABLES -t mangle -A FORWARD -p tcp --sport 110 -j MARK --set-mark 210 |
|
# End of script |
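Review bot: The five download-mark rules on lines 60–64 reference `$LAN_1` … `$LAN_5`, which nothing in this script defines, so under `#!/bin/sh` with no `set -u` they expand to `-d -j MARK …`, iptables rejects them, and class 2:10 never receives traffic — the download limit is silently a no-op while the rest of the script keeps going. Given `PRIVATE_NETWORK_MASK` on line 15, the intent was presumably a single `$IPTABLES -t mangle -A FORWARD -d $PRIVATE_NETWORK_MASK -j MARK --set-mark 100`, with `set -u` added right after the shebang so an unset variable aborts the run instead of leaving a half-applied ruleset. Even with that fixed, the later FORWARD rules (`--set-mark 10`, `21`, `22`, `23`) replace mark 100 on every packet they match, and because the tun0 qdisc on line 54 declares no `default` class those packets leave unshaped; `$TC qdisc add dev $TUNIF root handle 2: htb default 10` closes that gap. Two further points: the mangle rules are appended with `-A` and never flushed, so every rerun duplicates them while the tc state is rebuilt (lines 44–47), and class membership is chosen purely by port number, so any LAN client can opt into the priority class by using destination port 22/6667, UDP source port 27005 or ICMP — tolerable only because `ceil` bounds that class, and worth stating in the header comment (which on line 6 already says this script is not adapted to ALCASAR).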
Property changes: |
Added: svn:eol-style |
+LF |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
Added: svn:keywords |
+Id Author Date |
\ No newline at end of property |