Ini adalah konfigurasi Shorewall yang saya gunakan di router, yang juga menjalankan Squid dan load balancing dua jalur internet.
# shorewall version -a
shorewall-core: 4.5.5.3
shorewall: 4.5.5.3
shorewall.conf
STARTUP_ENABLED=Yes
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
# Only the MACLIST/SFILTER/SMURF/TCP_FLAGS checks log (at 'info'), to
# /var/log/messages with the "Shorewall:" prefix below; every other level is
# left empty. NOTE(review): with BLACKLIST_LOGLEVEL empty, blacklist hits are
# dropped without any log line (see BLACKLIST_DISPOSITION=DROP further down).
BLACKLIST_LOGLEVEL=
# Log packets whose source address is impossible on the interface they came in.
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
###############################################################################
# L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
# The generated firewall script (and the 'start' extension) runs under /bin/sh,
# so extension scripts must stay POSIX-sh compatible.
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
TC=
###############################################################################
# D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
# Stock defaults: DROP/REJECT policies first run the Drop/Reject actions, which
# quietly dispose of common broadcast/SMB-style noise before the policy's own
# disposition (and logging, if any) applies.
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
###############################################################################
# R S H / R C P   C O M M A N D S
###############################################################################
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
###############################################################################
# F I R E W A L L   O P T I O N S
###############################################################################
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
# Relaxed handling of traffic originating on the firewall itself (the policy
# file also gives fw->loc and fw->net ACCEPT).
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=No
# Dynamic blacklist (shorewall drop/reject ...) is active and checked on NEW
# connections only.
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
# NOTE(review): with No, this (IPv4) Shorewall leaves IPv6 traffic unfiltered;
# if IPv6 is enabled on the router, either filter it with shorewall6 or set Yes.
# Confirm the host's IPv6 state.
DISABLE_IPV6=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
# Routing between loc and the two net interfaces is enabled.
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
# No ruleset optimisation; acceptable for a ruleset of this size.
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=Yes
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
# Kernel rp_filter is left off. NOTE(review): as I understand it, with two
# balanced uplinks strict reverse-path filtering can discard legitimate replies,
# so anti-spoofing has to come from Shorewall's own interface options
# (routefilter/sfilter), none of which are set in the interfaces file here.
ROUTE_FILTER=No
SAVE_IPSETS=No
# Traffic shaping itself is handled by the external script run from the 'start'
# extension, not by Shorewall's tcrules.
TC_ENABLED=Simple
TC_EXPERT=Yes
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
# Multi-ISP: provider marks are tracked per connection and the balanced default
# route is built from the providers file.
TRACK_PROVIDERS=Yes
USE_DEFAULT_RT=Yes
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
###############################################################################
# P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
################################################################################
# P A C K E T   M A R K   L A Y O U T
################################################################################
TC_BITS=0
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=8
ZONE_BITS=4
################################################################################
# L E G A C Y   O P T I O N
# D O   N O T   D E L E T E   O R   A L T E R
################################################################################
IPSECFILE=zones
Zones
#ZONE TYPE
# fw is the firewall itself; loc is the LAN behind eth0 and net covers both ISP
# uplinks (eth1 and eth2, see interfaces), so rules/policy treat the two
# providers as one zone.
fw firewall
loc ipv4
net ipv4
interfaces
###############################################################################
FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
# '-' = no per-interface options. NOTE(review): anti-spoofing/sanity options
# such as routefilter, sfilter, nosmurfs, tcpflags and logmartians belong in
# this column (shorewall-interfaces(5)); as I read it, the SMURF_*/SFILTER_*/
# TCP_FLAGS_* settings in shorewall.conf only take effect on interfaces that
# enable the matching option here.
loc eth0 -
net eth1 -
net eth2 -
masq
######################################################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH
# SNAT: traffic leaving eth1 is rewritten to 192.168.3.30 and traffic leaving
# eth2 to 192.168.1.30 — the router's addresses on the two modem-side networks
# (the modems NAT again upstream).
eth1 0.0.0.0/0 192.168.3.30
eth2 0.0.0.0/0 192.168.1.30
providers
############################################################################################
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
# Two equal-weight uplinks (shorewall-providers(5)): 'balance' puts both
# gateways in the default route, 'track' marks connections so replies leave via
# the link they arrived on, and 'loose' skips the automatic per-interface
# source-address routing rules — client steering is done explicitly in rtrules.
SPEEDY1 1 1 - eth1 192.168.3.1 loose,track,balance -
SPEEDY2 2 2 - eth2 192.168.1.1 loose,track,balance -
nat
###############################################################################
#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
# One-to-one NAT: each listed LAN host also owns a 192.168.3.x address on eth1
# (ALL INTERFACES=no, LOCAL=no restrict the mapping to eth1 traffic). This only
# translates addresses; what may actually reach these hosts is still decided by
# the rules file (the DNAT entries with explicit source ranges).
192.168.3.20 eth1 192.168.10.20 no no
192.168.3.28 eth1 192.168.10.28 no no
192.168.3.29 eth1 192.168.10.29 no no
192.168.3.31 eth1 192.168.10.31 no no
192.168.3.32 eth1 192.168.10.32 no no
192.168.3.15 eth1 192.168.10.15 no no
# cat policy
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# loc->net and loc->fw are deliberately NOT open by policy: every permitted LAN
# flow is whitelisted in the rules file instead.
#loc net ACCEPT
#loc fw ACCEPT
# Firewall-originated traffic is unrestricted (see also ADMINISABSENTMINDED=Yes).
fw loc ACCEPT
fw net ACCEPT
# NOTE(review): neither catch-all has a LOG LEVEL, so traffic dropped/rejected
# by policy leaves no trace in /var/log/messages. `net all DROP info` and
# `all all REJECT info` would make scans and misconfigured clients visible.
net all DROP
all all REJECT
# cat rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
# Rules are evaluated top to bottom within a SECTION and the first match wins;
# anything unmatched falls through to the policy file, which does not ACCEPT
# loc->net or net->fw, so every permitted flow has to appear explicitly below.
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# LAN -> firewall: ping (icmp type 8), SSH/HTTP management, DNS (53),
# mDNS (5353) and SNMP (161).
ACCEPT loc fw icmp 8
ACCEPT loc fw tcp 22,80,53,5353,161
ACCEPT loc fw udp 53,5353,161
# LAN hosts allowed to reach everything. Because this rule precedes the REJECT
# rules below, .20 and .28 are also exempt from them.
ACCEPT loc:192.168.10.20,192.168.10.28 net - -
# Remote administration of this router (SSH/HTTP) from outside.
# NOTE(review): two of these source ranges are /16 (65k addresses each), so the
# firewall's SSH and HTTP are reachable from far more than the admin's own
# hosts — narrow them to the actual remote addresses if those are known.
ACCEPT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 fw tcp 22,80 -
# Keep LAN clients away from the two Speedy modems (their LAN and public
# addresses). [ippublicspeedy] / [ippiblicspeedy] are the author's placeholders
# for the two public addresses (the second is a misspelling of the first).
REJECT loc net:192.168.1.1 - -
REJECT loc net:[ippublicspeedy] - -
REJECT loc net:192.168.3.1 - -
REJECT loc net:[ippiblicspeedy] - -
# Then clients may go anywhere else. Only .1-.32 are allowed out; any other LAN
# address falls through to the `all all REJECT` policy.
ACCEPT loc:192.168.10.1-192.168.10.32 net - -
# Services published to the same remote ranges (port-forwarded on the Speedy
# modem as well). ORIGINAL DEST is the 192.168.3.x address each host holds via
# the nat file.
# NOTE(review): these are remote-desktop/VNC (3389, 5800, 5900-5903) and web
# (443, 81-83) endpoints; the same broad /16 source ranges noted above apply.
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.29 tcp 443,5901 - 192.168.3.29
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.20 tcp 3389,5900,5800 - 192.168.3.20
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.28:5900 tcp 5902 - 192.168.3.28
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.29:80 tcp 81 - 192.168.3.29
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.31:80 tcp 82 - 192.168.3.31
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.32:80 tcp 83 - 192.168.3.32
DNAT net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16 loc:192.168.10.15:5900 tcp 5903 - 192.168.3.15
# Transparent proxy: LAN HTTP (tcp 80 only) is intercepted to local port 3127 —
# presumably Squid's intercept port, since Squid runs on this router per the
# intro. HTTPS is not redirected.
REDIRECT loc 3127 tcp www -
rtrules
####################################################################################
#SOURCE DEST PROVIDER PRIORITY MASK
# Pin each LAN client to one uplink: .1-.11 on SPEEDY1, .15-.27 on SPEEDY2.
# The SOURCE rules steer connections the clients open; the mirrored DEST rules
# further down steer traffic addressed to those hosts.
# NOTE(review): .20 is commented out in the SOURCE half but active in the DEST
# half, while .28 is commented out in both — confirm that asymmetry is intended.
192.168.10.1 - SPEEDY1 1005
192.168.10.2 - SPEEDY1 1005
192.168.10.3 - SPEEDY1 1005
192.168.10.4 - SPEEDY1 1005
192.168.10.5 - SPEEDY1 1005
192.168.10.6 - SPEEDY1 1005
192.168.10.7 - SPEEDY1 1005
192.168.10.8 - SPEEDY1 1005
192.168.10.9 - SPEEDY1 1005
192.168.10.10 - SPEEDY1 1005
192.168.10.11 - SPEEDY1 1005
#192.168.10.20 - SPEEDY1 1005
192.168.10.15 - SPEEDY2 1001
192.168.10.16 - SPEEDY2 1001
192.168.10.17 - SPEEDY2 1001
192.168.10.18 - SPEEDY2 1001
192.168.10.19 - SPEEDY2 1001
192.168.10.21 - SPEEDY2 1001
192.168.10.22 - SPEEDY2 1001
192.168.10.23 - SPEEDY2 1001
192.168.10.24 - SPEEDY2 1001
192.168.10.25 - SPEEDY2 1001
192.168.10.26 - SPEEDY2 1001
192.168.10.27 - SPEEDY2 1001
#192.168.10.28 - SPEEDY1 1005
# Destination-based half (same provider per host as above).
- 192.168.10.1 SPEEDY1 1005
- 192.168.10.2 SPEEDY1 1005
- 192.168.10.3 SPEEDY1 1005
- 192.168.10.4 SPEEDY1 1005
- 192.168.10.5 SPEEDY1 1005
- 192.168.10.6 SPEEDY1 1005
- 192.168.10.7 SPEEDY1 1005
- 192.168.10.8 SPEEDY1 1005
- 192.168.10.9 SPEEDY1 1005
- 192.168.10.10 SPEEDY1 1005
- 192.168.10.11 SPEEDY1 1005
- 192.168.10.20 SPEEDY1 1005
- 192.168.10.15 SPEEDY2 1001
- 192.168.10.16 SPEEDY2 1001
- 192.168.10.17 SPEEDY2 1001
- 192.168.10.18 SPEEDY2 1001
- 192.168.10.19 SPEEDY2 1001
- 192.168.10.21 SPEEDY2 1001
- 192.168.10.22 SPEEDY2 1001
- 192.168.10.23 SPEEDY2 1001
- 192.168.10.24 SPEEDY2 1001
- 192.168.10.25 SPEEDY2 1001
- 192.168.10.26 SPEEDY2 1001
- 192.168.10.27 SPEEDY2 1001
#- 192.168.10.28 SPEEDY1 1005
start
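###############################################################################
# Shorewall 'start' extension script. It runs after the compiled ruleset is in
# place, so everything below is appended with plain iptables on top of what the
# rules/policy files produce; as far as I know these lines are not validated by
# `shorewall check`, so keep them small and reviewable. The script is run by
# /bin/sh (SHOREWALL_SHELL), hence POSIX-sh syntax only.
#
# Purpose: tag latency-sensitive traffic (games, DNS, SSH, ICMP, HTTPS) with
# TOS Minimize-Delay and bulk traffic with Maximize-Throughput, then hand all
# Minimize-Delay packets to tc class 10:2301. The actual shaping is done by the
# external script invoked at the end.
#
# Changes from the earlier revision: the duplicated `--sport 22` rule is gone,
# the stale "# Lineage II" trailing comments that had been copy-pasted onto
# other games' rules are replaced by the section headers, and the repeated
# iptables invocation is factored into two helpers. Rule order is unchanged.
#
# All matches use the legacy `-m state` module (still accepted; `-m conntrack
# --ctstate` is the current equivalent).
###############################################################################

# Append one mangle/PREROUTING TOS rule.
#   $1 protocol (tcp|udp)   $2 --sport or --dport   $3 port or low:high range
#   $4 TOS class name (Minimize-Delay, Maximize-Throughput, Maximize-Reliability)
tos_rule() {
  iptables -t mangle -A PREROUTING -p "$1" \
    -m state --state NEW,ESTABLISHED,RELATED \
    "$2" "$3" -j TOS --set-tos "$4"
}

# Tag both directions (source port first, then destination port) of a service.
#   $1 protocol   $2 port or range   $3 TOS class name
tos_both() {
  tos_rule "$1" --sport "$2" "$3"
  tos_rule "$1" --dport "$2" "$3"
}

# Mark locally generated packets that already carry TOS 0x04 — presumably the
# proxy cache's own marking (the original comment says "mark proxy cache");
# confirm against the Squid configuration.
iptables -A OUTPUT -t mangle -m tos --tos 0x04 -j MARK --set-mark 0x4

# --- Online games -------------------------------------------------------------
tos_both tcp 18901:18909 Minimize-Delay   # AyoDance
tos_both tcp 29000 Minimize-Delay         # PW
tos_both tcp 27780 Minimize-Delay         # RF
tos_both tcp 6000:6152 Minimize-Delay     # DotA
tos_both tcp 15000:15002 Minimize-Delay   # Luna Online
tos_both tcp 9339 Minimize-Delay          # Poker
# CSO
tos_both udp 27017 Minimize-Delay
tos_both udp 8001 Minimize-Delay
tos_both tcp 8001 Minimize-Delay
tos_both tcp 9015 Minimize-Delay
tos_both tcp 36567 Minimize-Delay
tos_both tcp 40300 Minimize-Delay
tos_both tcp 40404 Minimize-Delay

# --- ICMP ---------------------------------------------------------------------
# Echo request/reply get low delay, all other ICMP high reliability. The
# original author noted that TOS mangling of ICMP did not appear to work on
# the old 2.4 kernel.
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
  -m state --state NEW -j TOS --set-tos Minimize-Delay                 # ping
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
  -j TOS --set-tos Minimize-Delay                                      # pong
iptables -t mangle -A PREROUTING -p icmp -j TOS --set-tos Maximize-Reliability  # all other ICMP

# Lineage II
tos_both tcp 2106 Minimize-Delay
tos_both tcp 2009 Minimize-Delay
tos_both tcp 7777 Minimize-Delay
# MOHAA (12203)
tos_both tcp 12203 Minimize-Delay
# Diablo, Warcraft II & Warcraft III (6112-6119, 4000)
tos_both tcp 4000 Minimize-Delay
tos_both tcp 6112 Minimize-Delay
tos_both udp 6112 Minimize-Delay
tos_both tcp 6113:6119 Minimize-Delay
tos_both udp 6113:6119 Minimize-Delay
# Point Blank
tos_both tcp 39120 Minimize-Delay
tos_both tcp 39190 Minimize-Delay
tos_both tcp 39100 Minimize-Delay
tos_both tcp 39110 Minimize-Delay
tos_both tcp 39220 Minimize-Delay
tos_both tcp 49100 Minimize-Delay
tos_both udp 40000:40010 Minimize-Delay
# Cross Fire
tos_both tcp 10009 Minimize-Delay
tos_both udp 12060:12070 Minimize-Delay
# World of Warcraft (8085, 3724)
tos_both tcp 8085 Minimize-Delay
tos_both tcp 3724 Minimize-Delay

# --- Infrastructure services --------------------------------------------------
# DNS. NOTE(review): tcp matches only the source port and udp only the
# destination port — this looks like a copy/paste slip; confirm whether both
# directions were intended (as for every other service) before changing it.
tos_rule tcp --sport 53 Minimize-Delay
tos_rule udp --dport 53 Minimize-Delay
# SSH (inbound replies and outbound)
tos_rule tcp --sport 22 Minimize-Delay
tos_rule tcp --dport 22 Minimize-Delay
# FTP data: bulk
tos_both tcp 20 Maximize-Throughput
# HTTP/HTTPS: plain HTTP is bulk, 90 and 443 low delay, 8000-9900 bulk
tos_both tcp 80 Maximize-Throughput
tos_both tcp 90 Minimize-Delay
tos_both tcp 443 Minimize-Delay
tos_rule tcp --dport 8000:9900 Maximize-Throughput
# SNMP and SNMP traps
tos_rule udp --dport 161 Maximize-Reliability
tos_rule udp --dport 162 Maximize-Reliability

# --- Queue selection ----------------------------------------------------------
# Every Minimize-Delay packet (forwarded or locally generated) goes to tc class
# 10:2301. CLASSIFY only selects the queue; it never drops or accepts anything.
# The class must be created by the shaper script below.
iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301
iptables -t mangle -A POSTROUTING -p udp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301
iptables -t mangle -A OUTPUT -p tcp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301
iptables -t mangle -A OUTPUT -p udp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301

# Bandwidth shaping is delegated to this external script (not managed by
# Shorewall; assumed to set up the 10:2301 class used above).
/usr/local/bwbamboe2
return 0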
Reference:
Documentation from www.shorewall.net, used under the terms of the GNU Free Documentation License.