  1. # This file is interpreted as shell script.
  2. # Put your custom iptables rules here, they will
  3. # be executed with each firewall (re-)start.
  4. set -e
  5.  
  6. # Wait while network will be up
  7. sleep 15
  8.  
  9. # Modules
  10. insmod sch_htb > /dev/null 2>&1||true
  11. insmod sch_sfq > /dev/null 2>&1||true
  12. insmod cls_fw > /dev/null 2>&1||true
  13. insmod cls_flow > /dev/null 2>&1||true
  14.  
  15. # Delete old qdiscs
  16. tc qdisc del dev br-lan root > /dev/null 2>&1 ||true
  17.  
  18. # This one for internal traffic
  19. tc qdisc add dev br-lan root handle 1: htb
  20. tc class add dev br-lan parent 1: classid 1:1 htb rate 100mbit
  21.  
  22. # UA-IX
  23. tc class add dev br-lan parent 1:1 classid 1:10 htb rate 50mbit ceil 100mbit
  24.  
  25. # World
  26. tc class add dev br-lan parent 1:1 classid 1:20 htb rate 50mbit
  27.  
  28. # Bunker UA-IX
  29. tc class add dev br-lan parent 1:10 classid 1:100 htb rate 10mbit ceil 100mbit
  30. # Bunker World
  31. tc class add dev br-lan parent 1:20 classid 1:200 htb rate 10mbit ceil 50mbit
  32.  
  33. # Other UA-IX
  34. tc class add dev br-lan parent 1:10 classid 1:110 htb rate 40mbit ceil 100mbit
  35. # Other World
  36. tc class add dev br-lan parent 1:20 classid 1:210 htb rate 40mbit ceil 50mbit
  37.  
  38. # SFQ
  39. tc qdisc add dev br-lan parent 1:100 handle 100: sfq perturb 10
  40. tc qdisc add dev br-lan parent 1:200 handle 200: sfq perturb 10
  41. tc qdisc add dev br-lan parent 1:110 handle 110: sfq perturb 10
  42. tc qdisc add dev br-lan parent 1:210 handle 210: sfq perturb 10
  43.  
  44. #===========================================================================
  45.  
  46. # This one for outgoing traffic
  47. # Delete old qdiscs
  48. tc qdisc del dev eth1 root > /dev/null 2>&1 ||true
  49.  
  50. tc qdisc add dev eth1 root handle 4: htb
  51. tc class add dev eth1 parent 4: classid 4:1 htb rate 100mbit
  52.  
  53. # UA-IX
  54. tc class add dev eth1 parent 4:1 classid 4:10 htb rate 50mbit ceil 100mbit
  55.  
  56. # World
  57. tc class add dev eth1 parent 4:1 classid 4:20 htb rate 50mbit
  58.  
  59. # Bunker
  60. tc class add dev eth1 parent 4:10 classid 4:100 htb rate 10mbit ceil 100mbit
  61. tc class add dev eth1 parent 4:20 classid 4:200 htb rate 10mbit ceil 50mbit
  62.  
  63. # Other
  64. tc class add dev eth1 parent 4:10 classid 4:110 htb rate 40mbit ceil 100mbit
  65. tc class add dev eth1 parent 4:20 classid 4:210 htb rate 40mbit ceil 50mbit
  66.  
  67. # SFQ
  68. tc qdisc add dev eth1 parent 4:100 handle 100: sfq perturb 10
  69. tc qdisc add dev eth1 parent 4:200 handle 200: sfq perturb 10
  70. tc qdisc add dev eth1 parent 4:110 handle 110: sfq perturb 10
  71. tc qdisc add dev eth1 parent 4:210 handle 210: sfq perturb 10
  72.  
  73. tc filter add dev eth1 parent 100: protocol ip handle 100 flow hash keys nfct-src divisor 1024
  74. tc filter add dev eth1 parent 110: protocol ip handle 110 flow hash keys nfct-src divisor 1024
  75. tc filter add dev eth1 parent 200: protocol ip handle 200 flow hash keys nfct-src divisor 1024
  76. tc filter add dev eth1 parent 210: protocol ip handle 210 flow hash keys nfct-src divisor 1024
  77.  
  78. tc filter add dev br-lan parent 100: protocol ip handle 100 flow hash keys dst divisor 1024
  79. tc filter add dev br-lan parent 110: protocol ip handle 110 flow hash keys dst divisor 1024
  80. tc filter add dev br-lan parent 200: protocol ip handle 200 flow hash keys dst divisor 1024
  81. tc filter add dev br-lan parent 210: protocol ip handle 210 flow hash keys dst divisor 1024
  82.  
  83. #===========================================================================
  84.  
  85.  
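# Section 3: steer forwarded packets into the classes built above.
#
# BUNKER_IP is the one LAN host that gets its own guaranteed classes
# (classids x:100 / x:200); every other host lands in x:110 / x:210.
# It may be overridden from the environment; the default keeps the
# original behaviour.  Interface names (eth1 / br-lan) must stay in sync
# with the tc sections, so they are left literal here.
BUNKER_IP=${BUNKER_IP:-192.168.1.10}

echo "Creating ip hash"
# ipset v4 syntax (-N / nethash); with ipset >= 6 this would be
# `ipset create ua_ix hash:net` and the matches below `--match-set`.
# "set already exists" on a re-run is the expected failure and is ignored;
# any other failure (ipset not installed) surfaces at the first -m set
# rule below, where set -e aborts the script.
ipset -N ua_ix nethash > /dev/null 2>&1 || true

# The chain cannot be deleted while FORWARD still jumps to it.  Remove the
# jump by rule spec until none is left, instead of parsing line numbers
# out of `iptables -nL` (which depended on the exact listing format and
# matched any rule merely *mentioning* CLASSIFICATION).  -D fails once no
# matching rule remains (or the chain does not exist), which ends the loop.
while iptables -t mangle -D FORWARD -j CLASSIFICATION > /dev/null 2>&1; do
  :
done

iptables -t mangle -F CLASSIFICATION || true   # no such chain on first run
iptables -t mangle -X CLASSIFICATION || true
iptables -t mangle -N CLASSIFICATION || true
iptables -t mangle -A FORWARD -j CLASSIFICATION

#
# Marking.  Only forwarded traffic is classified: packets the router
# itself sends or receives never traverse FORWARD, keep no class and are
# not shaped (the root htb qdiscs above have no "default" class).
#
# `--set NAME flags` is the ipset v4 match option (`--match-set` on v6);
# `--src`/`--dst` are the generic iptables source/destination matches.
# The four IP/direction pairs below must match the class layout of the
# tc sections.
#

# Bunker host, upload (leaves eth1): UA-IX destination -> 4:100, else 4:200
iptables -o eth1 -t mangle -A CLASSIFICATION -m set --src "$BUNKER_IP" --set ua_ix dst -j CLASSIFY --set-class 4:100
iptables -o eth1 -t mangle -A CLASSIFICATION -m set --src "$BUNKER_IP" ! --set ua_ix dst -j CLASSIFY --set-class 4:200

# Bunker host, download (leaves br-lan): UA-IX source -> 1:100, else 1:200
iptables -o br-lan -t mangle -A CLASSIFICATION -m set --dst "$BUNKER_IP" --set ua_ix src -j CLASSIFY --set-class 1:100
iptables -o br-lan -t mangle -A CLASSIFICATION -m set --dst "$BUNKER_IP" ! --set ua_ix src -j CLASSIFY --set-class 1:200

# Everyone else, upload
iptables -o eth1 -t mangle -A CLASSIFICATION -m set ! --src "$BUNKER_IP" --set ua_ix dst -j CLASSIFY --set-class 4:110
iptables -o eth1 -t mangle -A CLASSIFICATION -m set ! --src "$BUNKER_IP" ! --set ua_ix dst -j CLASSIFY --set-class 4:210

# Everyone else, download
iptables -o br-lan -t mangle -A CLASSIFICATION -m set ! --dst "$BUNKER_IP" --set ua_ix src -j CLASSIFY --set-class 1:110
iptables -o br-lan -t mangle -A CLASSIFICATION -m set ! --dst "$BUNKER_IP" ! --set ua_ix src -j CLASSIFY --set-class 1:210

# Fill the set.  Double fork so the filler is fully detached from this
# script (a firewall restart does not wait for it) and its exit status is
# never checked: until it has populated ua_ix every packet matches the
# "! --set ua_ix" rules and is treated as World.  Presumably it fetches a
# prefix list from the network -- TODO confirm it validates and
# authenticates what it loads into the set before trusting it for
# classification.
((/root/create_ua_ix_ipset)&)&

echo "Done"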