* Test script for P2P
@ 2003-06-06 4:16 Dr Aldo Medina
From: Dr Aldo Medina @ 2003-06-06 4:16 UTC (permalink / raw)
To: netfilter
Based on wshaper:
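#!/bin/bash
# MLDonkey Wondershaper
#
# Traffic shaper for a small firewall: keeps interactive traffic (ACKs, ssh,
# dns, icmp, the LAN hosts in PRIORITY_HOSTS and the services in CLASS12)
# ahead of P2P on $DEV.  Egress is shaped with HTB on $DEV itself; ingress
# is redirected through imq0 (needs the IMQ patch: the imq0 device and the
# iptables IMQ target) and shaped there.  Packets are classified by marks
# set in the mangle table and matched by tc "fw" filters.
#
# Egress classes on $DEV (default 1:13):
#   1:10  packets up to 64 bytes, mostly ACKs        mark 10
#   1:11  ssh, icmp, dns, PRIORITY_HOSTS             mark 11
#   1:12  services listed in CLASS12                 mark 12
#   1:13  everything else, including P2P_PORTS       mark 13
# Ingress classes on imq0 (default 10:5):
#   10:1  minimize-delay and packets up to 64 bytes  mark 1
#   10:2  ssh, http(s), pop3, dns, icmp              mark 2
#   10:5  everything else                            unmarked
#
# Usage: wshaper {start|stop|restart|status}   (start/stop/restart need root)
#
# Only the two private mangle chains below are created and removed by this
# script; rules that other tools installed in POSTROUTING/PREROUTING are
# never flushed.
set -eEu   # stop on any failed setup command; -E lets the ERR trap reach functions

# Link speeds, in kilobits/s.
DOWNLINK=256
UPLINK=128
DEV=ppp0
QLEN=30    # tx queue length of $DEV (wondershaper default 3)
RQ=1       # htb r2q of the egress root qdisc (wondershaper default 10)
BURST=30   # burst of the egress root class, in kbytes (wondershaper default 6)
# LAN hosts whose traffic goes to the interactive class in both directions.
PRIORITY_HOSTS=(192.168.0.2 192.168.0.3 192.168.0.4)   # linuxclient linuxlaptop compaqlaptop
# Services for class 12 as port/proto/direction; proto and direction may be "both".
CLASS12=(http/tcp/both pop3/tcp/dport pop3s/tcp/dport https/tcp/dport
         8080/tcp/both nntp/tcp/both)
# P2P ports, marked explicitly for the default (lowest) egress class.
P2P_PORTS=(4660:4670 8948)
# Private mangle chains: one jump each from POSTROUTING and PREROUTING.
readonly EGRESS_CHAIN=WSHAPER
readonly INGRESS_CHAIN=WSHAPER_IN

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Integer percentage of a rate, for htb "rate" arguments.
# Arguments: $1 - rate in kbit, $2 - percent
# Outputs:   the truncated result on stdout
#######################################
percent_of() {
  printf '%s' "$(( ($1 * $2) / 100 ))"
}

#######################################
# Append a MARK rule to a mangle chain.
# Arguments: $1 - chain, $2 - mark value, rest - iptables match options
#######################################
mark_rule() {
  local chain=$1 mark=$2
  shift 2
  iptables -t mangle -A "$chain" "$@" -j MARK --set-mark "$mark"
}

#######################################
# Remove everything start created.  Best effort: safe to call when nothing
# (or only part of it) is installed, which is why every step may fail.
# Globals: DEV, EGRESS_CHAIN, INGRESS_CHAIN
#######################################
teardown() {
  local chain
  # A start without a stop may have added the jump more than once; delete all copies.
  while iptables -t mangle -D POSTROUTING -o "$DEV" -j "$EGRESS_CHAIN" 2>/dev/null; do :; done
  while iptables -t mangle -D PREROUTING -i "$DEV" -j "$INGRESS_CHAIN" 2>/dev/null; do :; done
  for chain in "$EGRESS_CHAIN" "$INGRESS_CHAIN"; do
    iptables -t mangle -F "$chain" 2>/dev/null || true
    iptables -t mangle -X "$chain" 2>/dev/null || true
  done
  tc qdisc del dev "$DEV" root 2>/dev/null || true
  # Left over from wondershaper's ingress policer; this script never adds one.
  tc qdisc del dev "$DEV" ingress 2>/dev/null || true
  tc qdisc del dev imq0 root 2>/dev/null || true
}

#######################################
# ERR trap for start: do not leave a half-built configuration behind.
#######################################
on_setup_error() {
  trap - ERR
  teardown
  die "wshaper: setup failed, partial configuration removed"
}

#######################################
# HTB tree on $DEV: root 1:1 at the link rate, four leaf classes with sfq,
# each fed by a fw filter on the matching mark (10..13 -> 1:10..1:13).
# Globals: DEV, UPLINK, QLEN, RQ, BURST
#######################################
setup_egress() {
  local rate=$(( UPLINK - 2 ))   # stay just below the real link rate so the modem queue stays empty
  local n
  ip link set dev "$DEV" qlen "$QLEN"
  tc qdisc add dev "$DEV" root handle 1: htb r2q "$RQ" default 13
  tc class add dev "$DEV" parent 1: classid 1:1 htb \
    rate "${rate}kbit" ceil "${rate}kbit" burst "${BURST}k"
  tc class add dev "$DEV" parent 1:1 classid 1:10 htb \
    rate "$(percent_of "$rate" 17)kbit" ceil "${rate}kbit" prio 2
  tc class add dev "$DEV" parent 1:1 classid 1:11 htb \
    rate "$(percent_of "$rate" 40)kbit" ceil "${rate}kbit" prio 0
  tc class add dev "$DEV" parent 1:1 classid 1:12 htb \
    rate "$(percent_of "$rate" 40)kbit" ceil "${rate}kbit" prio 1
  tc class add dev "$DEV" parent 1:1 classid 1:13 htb \
    rate 1kbit ceil "${rate}kbit" prio 3
  for n in 10 11 12 13; do
    tc qdisc add dev "$DEV" parent "1:$n" handle "$n:" sfq perturb 10
    tc filter add dev "$DEV" parent 1:0 prio "$(( n - 10 ))" protocol ip \
      handle "$n" fw flowid "1:$n"
  done
}

#######################################
# Egress marking rules in $EGRESS_CHAIN, reached from POSTROUTING -o $DEV.
# Globals: DEV, EGRESS_CHAIN, PRIORITY_HOSTS, CLASS12, P2P_PORTS
#######################################
setup_egress_marks() {
  local chain=$EGRESS_CHAIN
  local host entry port proto dest p d
  iptables -t mangle -N "$chain"
  iptables -t mangle -I POSTROUTING -o "$DEV" -j "$chain"
  # Class 10: small packets, i.e. mostly ACKs
  mark_rule "$chain" 10 -p tcp -m length --length :64
  # Class 11: interactive traffic
  mark_rule "$chain" 11 -p tcp --dport ssh
  mark_rule "$chain" 11 -p tcp --sport ssh
  mark_rule "$chain" 11 -p icmp
  mark_rule "$chain" 11 -p udp --dport domain
  for host in "${PRIORITY_HOSTS[@]}"; do
    mark_rule "$chain" 11 -p all --source "$host"
    mark_rule "$chain" 11 -p all --destination "$host"
  done
  # Class 12: configured services, expanding "both" to tcp+udp / dport+sport
  for entry in "${CLASS12[@]}"; do
    IFS=/ read -r port proto dest <<<"$entry"
    if [[ "$proto" == both ]]; then proto="tcp udp"; fi
    if [[ "$dest" == both ]]; then dest="dport sport"; fi
    for p in $proto; do
      for d in $dest; do
        mark_rule "$chain" 12 -p "$p" "--$d" "$port"
      done
    done
  done
  # Class 13 (the default): P2P ports
  for port in "${P2P_PORTS[@]}"; do
    for p in tcp udp; do
      for d in sport dport; do
        mark_rule "$chain" 13 -p "$p" "--$d" "$port"
      done
    done
  done
}

#######################################
# HTB tree on imq0: 1:1 at the link rate, inner qdisc 10: with three leaves;
# fw filters map mark 1 -> 10:1 and mark 2 -> 10:2, the rest defaults to 10:5.
# Globals: DOWNLINK
#######################################
setup_ingress() {
  local rate=$(( DOWNLINK - 2 ))
  tc qdisc add dev imq0 handle 1: root htb default 1
  tc class add dev imq0 parent 1: classid 1:1 htb rate "${rate}kbit"
  tc qdisc add dev imq0 parent 1:1 handle 10: htb default 5
  tc class add dev imq0 parent 10: classid 10:1 htb \
    rate "$(percent_of "$rate" 10)kbit" ceil "${rate}kbit" burst 30k prio 1
  tc class add dev imq0 parent 10: classid 10:2 htb \
    rate "$(percent_of "$rate" 70)kbit" ceil "${rate}kbit" burst 30k prio 2
  tc class add dev imq0 parent 10: classid 10:5 htb \
    rate "$(percent_of "$rate" 20)kbit" ceil "${rate}kbit" prio 3
  tc qdisc add dev imq0 parent 10:1 handle 21:0 pfifo
  tc qdisc add dev imq0 parent 10:2 handle 22:0 sfq
  tc qdisc add dev imq0 parent 10:5 handle 23:0 sfq
  tc filter add dev imq0 protocol ip pref 1 parent 10: handle 1 fw classid 10:1
  tc filter add dev imq0 protocol ip pref 2 parent 10: handle 2 fw classid 10:2
}

#######################################
# Ingress rules in $INGRESS_CHAIN, reached from PREROUTING -i $DEV: send
# everything through imq0, then mark interactive flows.  The IMQ target
# does not stop rule evaluation, so the marks after it still apply.
# Globals: DEV, INGRESS_CHAIN
#######################################
setup_ingress_marks() {
  local chain=$INGRESS_CHAIN
  local established=(-m state --state ESTABLISHED)
  iptables -t mangle -N "$chain"
  iptables -t mangle -A PREROUTING -i "$DEV" -j "$chain"
  iptables -t mangle -A "$chain" -j IMQ
  # Class 10:1
  mark_rule "$chain" 1 -p tcp -m tos --tos minimize-delay "${established[@]}"
  mark_rule "$chain" 1 -p tcp -m length --length :64
  # Class 10:2
  mark_rule "$chain" 2 -p tcp --dport 22 "${established[@]}"
  mark_rule "$chain" 2 -p tcp --sport 80 --dport 1024: "${established[@]}"
  mark_rule "$chain" 2 -p tcp --dport 80 --sport 1024: "${established[@]}"
  mark_rule "$chain" 2 -p tcp --sport 443 --dport 1024: "${established[@]}"
  mark_rule "$chain" 2 -p tcp --sport pop3 "${established[@]}"
  mark_rule "$chain" 2 -p udp --sport domain
  mark_rule "$chain" 2 -p icmp
}

#######################################
# Install the shaper; any previous instance is removed first.
#######################################
start() {
  teardown
  trap on_setup_error ERR
  setup_egress
  setup_egress_marks
  setup_ingress
  setup_ingress_marks
  ip link set imq0 up
  trap - ERR
  echo "wshaper started"
}

stop() {
  teardown
  echo "wshaper stopped"
}

#######################################
# Show qdisc/class counters and the marking rules.  Works while stopped too.
#######################################
status() {
  echo "[qdisc]"
  tc -s qdisc show dev "$DEV"
  echo "[class]"
  tc -s class show dev "$DEV"
  echo "[iptables]"
  iptables -t mangle -L "$EGRESS_CHAIN" -xnv 2>/dev/null || echo "$EGRESS_CHAIN: not installed"
  iptables -t mangle -L "$INGRESS_CHAIN" -xnv 2>/dev/null || echo "$INGRESS_CHAIN: not installed"
  echo "[imq]"
  tc -s qdisc show dev imq0
  tc -s class show dev imq0
}

main() {
  case "${1-}" in
    start|stop|restart)
      (( EUID == 0 )) || die "wshaper: $1 must be run as root"
      ;;
  esac
  case "${1-}" in
    start) start ;;
    stop) stop ;;
    restart) stop; start ;;
    status) status ;;
    *)
      printf 'Usage: %s {start|stop|restart|status}\n' "$0" >&2
      return 1
      ;;
  esac
}

main "$@"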
Any opinions? I'm particularly interested in the values for the variables
QLEN, RQ and BURST.
^ permalink raw reply [flat|nested] 2+ messages in thread* Test script for P2P
@ 2003-05-21 17:17 Dr Aldo Medina
From: Dr Aldo Medina @ 2003-05-21 17:17 UTC (permalink / raw)
To: netfilter
This is my latest test script for P2P. It's a modified wondershaper and P2P
script. It runs on a local firewall, preserving external SSH access and
internal internet use while limiting P2P. Could anybody please comment
on it?
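#!/bin/bash
# MLDonkey Wondershaper
#
# Traffic shaper for a small firewall: keeps interactive traffic (ACKs, ssh,
# dns, icmp, the LAN hosts in PRIORITY_HOSTS and the services in CLASS12)
# ahead of P2P on $DEV.  Egress is shaped with HTB on $DEV itself; ingress
# is redirected through imq0 (needs the IMQ patch: the imq0 device and the
# iptables IMQ target) and shaped there.  Packets are classified by marks
# set in the mangle table and matched by tc "fw" filters.
#
# Egress classes on $DEV (default 1:13):
#   1:10  packets up to 64 bytes, mostly ACKs        mark 10
#   1:11  ssh, icmp, dns, PRIORITY_HOSTS             mark 11
#   1:12  services listed in CLASS12                 mark 12
#   1:13  everything else, including P2P_PORTS       mark 13
# Ingress classes on imq0 (default 10:5):
#   10:1  minimize-delay and packets up to 64 bytes  mark 1
#   10:2  ssh, http, dns                             mark 2
#   10:5  everything else                            unmarked
#
# Usage: wshaper {start|stop|restart|status}   (start/stop/restart need root)
#
# Only the two private mangle chains below are created and removed by this
# script; rules that other tools installed in POSTROUTING/PREROUTING are
# never flushed.
set -eEu   # stop on any failed setup command; -E lets the ERR trap reach functions

# Link speeds, in kilobits/s.
DOWNLINK=180
UPLINK=90
DEV=ppp0
QLEN=30    # tx queue length of $DEV (wondershaper default 3)
RQ=1       # htb r2q of the egress root qdisc (wondershaper default 10)
BURST=30   # burst of the egress root class, in kbytes (wondershaper default 6)
# LAN hosts whose traffic goes to the interactive class in both directions.
PRIORITY_HOSTS=(192.168.0.2 192.168.0.3 192.168.0.4)   # linuxclient linuxlaptop compaqlaptop
# Services for class 12 as port/proto/direction; proto and direction may be "both".
CLASS12=(http/tcp/both pop3/tcp/dport pop3s/tcp/dport https/tcp/dport
         8080/tcp/both nntp/tcp/both)
# P2P ports, marked explicitly for the default (lowest) egress class.
P2P_PORTS=(4660:4670 8948)
# Private mangle chains: one jump each from POSTROUTING and PREROUTING.
readonly EGRESS_CHAIN=WSHAPER
readonly INGRESS_CHAIN=WSHAPER_IN

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Integer percentage of a rate, for htb "rate" arguments.
# Arguments: $1 - rate in kbit, $2 - percent
# Outputs:   the truncated result on stdout
#######################################
percent_of() {
  printf '%s' "$(( ($1 * $2) / 100 ))"
}

#######################################
# Append a MARK rule to a mangle chain.
# Arguments: $1 - chain, $2 - mark value, rest - iptables match options
#######################################
mark_rule() {
  local chain=$1 mark=$2
  shift 2
  iptables -t mangle -A "$chain" "$@" -j MARK --set-mark "$mark"
}

#######################################
# Remove everything start created.  Best effort: safe to call when nothing
# (or only part of it) is installed, which is why every step may fail.
# Globals: DEV, EGRESS_CHAIN, INGRESS_CHAIN
#######################################
teardown() {
  local chain
  # A start without a stop may have added the jump more than once; delete all copies.
  while iptables -t mangle -D POSTROUTING -o "$DEV" -j "$EGRESS_CHAIN" 2>/dev/null; do :; done
  while iptables -t mangle -D PREROUTING -i "$DEV" -j "$INGRESS_CHAIN" 2>/dev/null; do :; done
  for chain in "$EGRESS_CHAIN" "$INGRESS_CHAIN"; do
    iptables -t mangle -F "$chain" 2>/dev/null || true
    iptables -t mangle -X "$chain" 2>/dev/null || true
  done
  tc qdisc del dev "$DEV" root 2>/dev/null || true
  # Left over from wondershaper's ingress policer; this script never adds one.
  tc qdisc del dev "$DEV" ingress 2>/dev/null || true
  tc qdisc del dev imq0 root 2>/dev/null || true
}

#######################################
# ERR trap for start: do not leave a half-built configuration behind.
#######################################
on_setup_error() {
  trap - ERR
  teardown
  die "wshaper: setup failed, partial configuration removed"
}

#######################################
# HTB tree on $DEV: root 1:1 at the link rate, four leaf classes with sfq,
# each fed by a fw filter on the matching mark (10..13 -> 1:10..1:13).
# Globals: DEV, UPLINK, QLEN, RQ, BURST
#######################################
setup_egress() {
  local rate=$(( UPLINK - 2 ))   # stay just below the real link rate so the modem queue stays empty
  local n
  ip link set dev "$DEV" qlen "$QLEN"
  tc qdisc add dev "$DEV" root handle 1: htb r2q "$RQ" default 13
  tc class add dev "$DEV" parent 1: classid 1:1 htb \
    rate "${rate}kbit" ceil "${rate}kbit" burst "${BURST}k"
  tc class add dev "$DEV" parent 1:1 classid 1:10 htb \
    rate "$(percent_of "$rate" 17)kbit" ceil "${rate}kbit" prio 2
  tc class add dev "$DEV" parent 1:1 classid 1:11 htb \
    rate "$(percent_of "$rate" 40)kbit" ceil "${rate}kbit" prio 0
  tc class add dev "$DEV" parent 1:1 classid 1:12 htb \
    rate "$(percent_of "$rate" 40)kbit" ceil "${rate}kbit" prio 1
  tc class add dev "$DEV" parent 1:1 classid 1:13 htb \
    rate 1kbit ceil "${rate}kbit" prio 3
  for n in 10 11 12 13; do
    tc qdisc add dev "$DEV" parent "1:$n" handle "$n:" sfq perturb 10
    tc filter add dev "$DEV" parent 1:0 prio "$(( n - 10 ))" protocol ip \
      handle "$n" fw flowid "1:$n"
  done
}

#######################################
# Egress marking rules in $EGRESS_CHAIN, reached from POSTROUTING -o $DEV.
# Globals: DEV, EGRESS_CHAIN, PRIORITY_HOSTS, CLASS12, P2P_PORTS
#######################################
setup_egress_marks() {
  local chain=$EGRESS_CHAIN
  local host entry port proto dest p d
  iptables -t mangle -N "$chain"
  iptables -t mangle -I POSTROUTING -o "$DEV" -j "$chain"
  # Class 10: small packets, i.e. mostly ACKs
  mark_rule "$chain" 10 -p tcp -m length --length :64
  # Class 11: interactive traffic
  mark_rule "$chain" 11 -p tcp --dport ssh
  mark_rule "$chain" 11 -p tcp --sport ssh
  mark_rule "$chain" 11 -p icmp
  mark_rule "$chain" 11 -p udp --dport domain
  for host in "${PRIORITY_HOSTS[@]}"; do
    mark_rule "$chain" 11 -p all --source "$host"
    mark_rule "$chain" 11 -p all --destination "$host"
  done
  # Class 12: configured services, expanding "both" to tcp+udp / dport+sport
  for entry in "${CLASS12[@]}"; do
    IFS=/ read -r port proto dest <<<"$entry"
    if [[ "$proto" == both ]]; then proto="tcp udp"; fi
    if [[ "$dest" == both ]]; then dest="dport sport"; fi
    for p in $proto; do
      for d in $dest; do
        mark_rule "$chain" 12 -p "$p" "--$d" "$port"
      done
    done
  done
  # Class 13 (the default): P2P ports
  for port in "${P2P_PORTS[@]}"; do
    for p in tcp udp; do
      for d in sport dport; do
        mark_rule "$chain" 13 -p "$p" "--$d" "$port"
      done
    done
  done
}

#######################################
# HTB tree on imq0: 1:1 at the link rate, inner qdisc 10: with three leaves;
# fw filters map mark 1 -> 10:1 and mark 2 -> 10:2, the rest defaults to 10:5.
# Globals: DOWNLINK
#######################################
setup_ingress() {
  local rate=$(( DOWNLINK - 2 ))
  tc qdisc add dev imq0 handle 1: root htb default 1
  tc class add dev imq0 parent 1: classid 1:1 htb rate "${rate}kbit"
  tc qdisc add dev imq0 parent 1:1 handle 10: htb default 5
  tc class add dev imq0 parent 10: classid 10:1 htb \
    rate "$(percent_of "$rate" 10)kbit" ceil "${rate}kbit" burst 30k prio 1
  tc class add dev imq0 parent 10: classid 10:2 htb \
    rate "$(percent_of "$rate" 70)kbit" ceil "${rate}kbit" burst 30k prio 2
  tc class add dev imq0 parent 10: classid 10:5 htb \
    rate "$(percent_of "$rate" 20)kbit" ceil "${rate}kbit" prio 3
  tc qdisc add dev imq0 parent 10:1 handle 21:0 pfifo
  tc qdisc add dev imq0 parent 10:2 handle 22:0 sfq
  tc qdisc add dev imq0 parent 10:5 handle 23:0 sfq
  tc filter add dev imq0 protocol ip pref 1 parent 10: handle 1 fw classid 10:1
  tc filter add dev imq0 protocol ip pref 2 parent 10: handle 2 fw classid 10:2
}

#######################################
# Ingress rules in $INGRESS_CHAIN, reached from PREROUTING -i $DEV: send
# everything through imq0, then mark interactive flows.  The IMQ target
# does not stop rule evaluation, so the marks after it still apply.
# Globals: DEV, INGRESS_CHAIN
#######################################
setup_ingress_marks() {
  local chain=$INGRESS_CHAIN
  local established=(-m state --state ESTABLISHED)
  iptables -t mangle -N "$chain"
  iptables -t mangle -A PREROUTING -i "$DEV" -j "$chain"
  iptables -t mangle -A "$chain" -j IMQ
  # Class 10:1
  mark_rule "$chain" 1 -p tcp -m tos --tos minimize-delay "${established[@]}"
  mark_rule "$chain" 1 -p tcp -m length --length :64
  # Class 10:2
  mark_rule "$chain" 2 -p tcp --dport 22 "${established[@]}"
  mark_rule "$chain" 2 -p tcp --sport 80 --dport 1024: "${established[@]}"
  mark_rule "$chain" 2 -p udp --sport domain
}

#######################################
# Install the shaper; any previous instance is removed first.
#######################################
start() {
  teardown
  trap on_setup_error ERR
  setup_egress
  setup_egress_marks
  setup_ingress
  setup_ingress_marks
  ip link set imq0 up
  trap - ERR
  echo "wshaper started"
}

stop() {
  teardown
  echo "wshaper stopped"
}

#######################################
# Show qdisc/class counters and the marking rules.  Works while stopped too.
#######################################
status() {
  echo "[qdisc]"
  tc -s qdisc show dev "$DEV"
  echo "[class]"
  tc -s class show dev "$DEV"
  echo "[iptables]"
  iptables -t mangle -L "$EGRESS_CHAIN" -xnv 2>/dev/null || echo "$EGRESS_CHAIN: not installed"
  iptables -t mangle -L "$INGRESS_CHAIN" -xnv 2>/dev/null || echo "$INGRESS_CHAIN: not installed"
  echo "[imq]"
  tc -s qdisc show dev imq0
  tc -s class show dev imq0
}

main() {
  case "${1-}" in
    start|stop|restart)
      (( EUID == 0 )) || die "wshaper: $1 must be run as root"
      ;;
  esac
  case "${1-}" in
    start) start ;;
    stop) stop ;;
    restart) stop; start ;;
    status) status ;;
    *)
      printf 'Usage: %s {start|stop|restart|status}\n' "$0" >&2
      return 1
      ;;
  esac
}

main "$@"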