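#!/bin/sh
#
# Two-interface HTB/SFQ traffic shaper, with iptables fwmarks selecting the
# HTB class on each interface.
#
# tc shapes egress, so:
#   LAN_IF (default eth0) shapes traffic leaving toward the LAN — "downloads"
#          from a LAN client's point of view — capped at CEIL kbit.
#   WAN_IF (default eth1) shapes traffic leaving toward the WAN — "uploads"
#          from a LAN client's point of view — capped at CEIL2 kbit.
#
# Class layout on both interfaces (fwmark -> class):
#   0x1 -> 1:10 prio 1  VoIP (udp/5061) and new TCP connections (SYN only)
#   0x2 -> 1:11 prio 2  ssh, IPsec (ESP, IKE udp/500, NAT-T udp/4500), ICMP
#   0x3 -> 1:12 prio 3  everything else (also the HTB default class)
#
# Each class is guaranteed its "rate" and may borrow up to the interface ceil.
# The guaranteed rates of the leaves must not exceed the parent's rate/ceil;
# a sum equal to the ceil is fine (the WAN side below uses exactly that).
#
# Must run as root. Re-running is safe: a stale root qdisc is removed before
# the new one is added, and the mangle PREROUTING/OUTPUT chains are flushed
# before the marking rules are appended (otherwise every run would duplicate
# them). NOTE: that flush removes any *other* rules in those two chains too.
#
# Environment overrides: LAN_IF, WAN_IF, CEIL, CEIL2 (kbit).

set -eu

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# rates_fit CEIL RATE... : succeed when the guaranteed RATEs sum to at most CEIL.
# Runs in a subshell so its temporaries do not leak into the caller.
rates_fit() (
  limit=$1
  shift
  total=0
  for r in ${1+"$@"}; do
    total=$((total + r))
  done
  [ "$total" -le "$limit" ]
)

# setup_htb DEV CEIL R1 R2 R3 : install a root HTB on DEV with three leaf
# classes (rates R1/R2/R3 kbit, all allowed to borrow up to CEIL), an SFQ on
# each leaf, and fw filters mapping fwmark 1/2/3 -> class 1:10/1:11/1:12.
setup_htb() {
  dev=$1
  ceil=$2
  r1=$3
  r2=$4
  r3=$5
  rates_fit "$ceil" "$r1" "$r2" "$r3" \
    || die "$dev: class rates ${r1}+${r2}+${r3} exceed ceil ${ceil}kbit"

  # Drop any existing root qdisc so 'add' does not fail; an error here only
  # means there was none to delete, so it is deliberately ignored.
  tc qdisc del dev "$dev" root 2>/dev/null || true

  tc qdisc add dev "$dev" root handle 1: htb default 12
  tc class add dev "$dev" parent 1:  classid 1:1  htb rate "${ceil}kbit" ceil "${ceil}kbit"
  tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "${r1}kbit"   ceil "${ceil}kbit" prio 1
  tc class add dev "$dev" parent 1:1 classid 1:11 htb rate "${r2}kbit"   ceil "${ceil}kbit" prio 2
  tc class add dev "$dev" parent 1:1 classid 1:12 htb rate "${r3}kbit"   ceil "${ceil}kbit" prio 3

  # SFQ on every leaf so one flow cannot starve the others in its class;
  # perturb 10 re-keys the flow hash every 10 seconds.
  tc qdisc add dev "$dev" parent 1:10 handle 120: sfq perturb 10
  tc qdisc add dev "$dev" parent 1:11 handle 130: sfq perturb 10
  tc qdisc add dev "$dev" parent 1:12 handle 140: sfq perturb 10

  # fwmark N (set by the iptables rules below) selects class 1:1N.
  tc filter add dev "$dev" parent 1:0 protocol ip prio 1 handle 1 fw classid 1:10
  tc filter add dev "$dev" parent 1:0 protocol ip prio 2 handle 2 fw classid 1:11
  tc filter add dev "$dev" parent 1:0 protocol ip prio 3 handle 3 fw classid 1:12
}

# mark CHAIN MARK [MATCH...] : in the mangle table, set MARK on packets that
# satisfy MATCH and stop traversing CHAIN for them, so the first matching
# (highest-priority) rule wins. With no MATCH the rule is a catch-all.
mark() {
  chain=$1
  val=$2
  shift 2
  iptables -t mangle -A "$chain" ${1+"$@"} -j MARK --set-mark "$val"
  iptables -t mangle -A "$chain" ${1+"$@"} -j RETURN
}

# ---- configuration -------------------------------------------------------

CEIL=${CEIL:-7000}     # kbit, wan -> lan (downloads), applied on LAN_IF
CEIL2=${CEIL2:-700}    # kbit, lan -> wan (uploads),   applied on WAN_IF
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}

# ---- preflight -----------------------------------------------------------

[ "$(id -u)" -eq 0 ] || die "must run as root"
command -v tc >/dev/null 2>&1 || die "tc not found"
command -v iptables >/dev/null 2>&1 || die "iptables not found"

# ---- queueing disciplines ------------------------------------------------

setup_htb "$LAN_IF" "$CEIL" 200 800 3000
setup_htb "$WAN_IF" "$CEIL2" 150 250 300

# ---- packet marking ------------------------------------------------------

# Start from empty chains so a re-run does not append a second copy of
# every rule (see header note about other rules living in these chains).
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT

# prio 1 / class 1:10: VoIP signalling on udp/5061 and new TCP connections.
# NOTE(review): every inbound SYN, including a SYN flood from the WAN, lands
# in the highest-priority class; add a per-source rate limit ahead of this
# rule if the WAN side is hostile.
mark PREROUTING 0x1 -p udp --dport 5061
mark PREROUTING 0x1 -p udp --sport 5061
mark PREROUTING 0x1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN

# prio 2 / class 1:11: ssh, IPsec (ESP, IKE, NAT-T) and ICMP.
mark PREROUTING 0x2 -p tcp --dport 22
mark PREROUTING 0x2 -p tcp --sport 22
mark PREROUTING 0x2 -p 50
mark PREROUTING 0x2 -p icmp
mark PREROUTING 0x2 -p udp --dport 500
mark PREROUTING 0x2 -p udp --dport 4500
mark PREROUTING 0x2 -p udp --sport 500
mark PREROUTING 0x2 -p udp --sport 4500

# prio 3 / class 1:12: everything else. This is already the HTB default,
# but an explicit rule gives iptables counters for it.
mark PREROUTING 0x3

# Locally generated traffic: ssh replies -> prio 2, the rest -> prio 3.
# NOTE(review): VoIP/IPsec originating on this host is not classified here;
# add matching OUTPUT rules if the router itself terminates those sessions.
mark OUTPUT 0x2 -p tcp --sport 22
mark OUTPUT 0x3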