Sunday, September 09, 2012

BACKUP MY SHOREWALL CONFIGURASI (UPDATE)

Ini adalah konfigurasi shorewall yang saya gunakan di router, di mana di router tersebut juga ada squid dan load balancing.
# shorewall version -a
shorewall-core: 4.5.5.3
shorewall: 4.5.5.3

shorewall.conf
# shorewall.conf as posted, for Shorewall 4.5.5.3 (see "shorewall version -a"
# above).  Review annotations are prefixed NOTE(review); every other line is
# the original setting.
STARTUP_ENABLED=Yes
VERBOSITY=1

###############################################################################
#                               L O G G I N G
###############################################################################
# NOTE(review): left empty, so packets hit by the blacklist are not logged;
# together with BLACKLIST_DISPOSITION=DROP (below) they disappear silently.
# An explicit level such as "info" makes blacklist activity visible.
BLACKLIST_LOGLEVEL=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOGALLNEW=

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

# NOTE(review): no rate limit on logging; a packet flood that matches a
# logging rule can fill /var/log/messages.  shorewall.conf(5) documents the
# rate/burst syntax for LOGLIMIT.
LOGLIMIT=

MACLIST_LOG_LEVEL=info

RELATED_LOG_LEVEL=

SFILTER_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

STARTUP_LOG=/var/log/shorewall-init.log

# The SMURF_* and TCP_FLAGS_* levels/dispositions only take effect on
# interfaces that carry the "nosmurfs" / "tcpflags" options.  The interfaces
# file below sets no options on any interface, so at present they are inert.
TCP_FLAGS_LOG_LEVEL=info

###############################################################################
#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################

CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

GEOIPDIR=/usr/share/xt_geoip/LE

IPTABLES=

IP=

IPSET=

LOCKFILE=

MODULESDIR=

# Fixed, absolute search path for the helper binaries shorewall runs --
# keep it that way (no relative or user-writable directories).
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"

PERL=/usr/bin/perl

RESTOREFILE=restore

# Extension scripts such as the "start" script below run under this shell,
# so they must stay plain POSIX sh (no bash-only syntax).
SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=/var/lock/subsys/shorewall

TC=

###############################################################################
#               D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject

###############################################################################
#                        R S H / R C P  C O M M A N D S
###############################################################################

# Only used when a compiled firewall is pushed to another system (the remote
# load/reload commands); the defaults copy and run it over ssh as ${root}.
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'

###############################################################################
#                       F I R E W A L L   O P T I O N S
###############################################################################

ACCOUNTING=Yes

ACCOUNTING_TABLE=filter

ADD_IP_ALIASES=Yes

ADD_SNAT_ALIASES=Yes

# Yes keeps existing connections working while the firewall is stopped (per
# shorewall.conf(5)) -- a safety net when administering over ssh remotely.
ADMINISABSENTMINDED=Yes

AUTO_COMMENT=Yes

AUTOMAKE=No

BLACKLISTNEWONLY=Yes

CLAMPMSS=No

CLEAR_TC=Yes

COMPLETE=No

DELETE_THEN_ADD=Yes

DETECT_DNAT_IPADDRS=No

DISABLE_IPV6=No

DONT_LOAD=

# Allows "shorewall drop/reject <address>" at run time without a restart.
DYNAMIC_BLACKLIST=Yes

EXPAND_POLICIES=Yes

EXPORTMODULES=Yes

FASTACCEPT=No

FORWARD_CLEAR_MARK=

IMPLICIT_CONTINUE=No

IPSET_WARNINGS=Yes

# Required here: the box routes between loc (eth0) and the two net
# interfaces eth1/eth2 (see interfaces and providers below).
IP_FORWARDING=On

KEEP_RT_TABLES=No

LEGACY_FASTSTART=Yes

LOAD_HELPERS_ONLY=No

MACLIST_TABLE=filter

MACLIST_TTL=

MANGLE_ENABLED=Yes

MAPOLDACTIONS=No

MARK_IN_FORWARD_CHAIN=No

MODULE_SUFFIX=ko

MULTICAST=No

MUTEX_TIMEOUT=60

NULL_ROUTE_RFC1918=No

OPTIMIZE=0

OPTIMIZE_ACCOUNTING=Yes

REQUIRE_INTERFACE=No

RESTORE_DEFAULT_ROUTE=Yes

RETAIN_ALIASES=No

# NOTE(review): kernel rp_filter stays off, which two-ISP setups usually
# need (replies may legitimately leave on the other line); LOG_MARTIANS=Yes
# above still reports source-address anomalies in the log.
ROUTE_FILTER=No

SAVE_IPSETS=No

# NOTE(review): Simple shaping is enabled here, and the "start" script
# below additionally adds its own MARK/CLASSIFY rules and runs an external
# shaper (/usr/local/bwbamboe2).  The tcinterfaces/tcpri files are not in
# this post -- confirm the two mechanisms do not fight over the same
# qdiscs/classes.  TC_EXPERT=Yes suggests the author intends to manage
# marks by hand (exact effect in shorewall.conf(5)).
TC_ENABLED=Simple

TC_EXPERT=Yes

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

TRACK_PROVIDERS=Yes

USE_DEFAULT_RT=Yes

USE_PHYSICAL_NAMES=No

ZONE2ZONE=2

###############################################################################
#                       P A C K E T   D I S P O S I T I O N
###############################################################################
# Hardening defaults: blacklist, smurf, sfilter and tcp-flags hits are
# dropped, MAC-list failures rejected.  Remember that the smurf/tcp-flags
# checks still need the matching interface options to be enabled at all.

BLACKLIST_DISPOSITION=DROP

MACLIST_DISPOSITION=REJECT

RELATED_DISPOSITION=ACCEPT

SMURF_DISPOSITION=DROP

SFILTER_DISPOSITION=DROP

TCP_FLAGS_DISPOSITION=DROP

################################################################################
#                       P A C K E T  M A R K  L A Y O U T
################################################################################
# NOTE(review): TC_BITS=0 reserves no mark bits for shaping, yet the "start"
# script below does "MARK --set-mark 0x4" (no mask) on OUTPUT.  With
# MASK_BITS=8 and provider marks 1 and 2 (providers file) living in that same
# low byte, the full-mark write replaces any provider mark already placed on
# the packet.  Verify that the proxy's outbound traffic is still routed by
# the intended provider.

TC_BITS=0

PROVIDER_BITS=

PROVIDER_OFFSET=

MASK_BITS=8

ZONE_BITS=4

################################################################################
#                            L E G A C Y  O P T I O N
#                      D O  N O T  D E L E T E  O R  A L T E R
################################################################################

IPSECFILE=zones

Zones
# Three zones: the firewall itself, the LAN behind eth0 and the Internet
# side, which spans both upstream interfaces eth1/eth2 (see interfaces).
fw      firewall
loc     ipv4
net     ipv4

interfaces
###############################################################################
FORMAT 2
###############################################################################
#ZONE           INTERFACE               OPTIONS
# NOTE(review): OPTIONS is "-" on every interface, so the per-interface
# sanity checks whose levels/dispositions are configured in shorewall.conf
# (tcpflags, nosmurfs) are not applied anywhere.  "tcpflags,nosmurfs" on the
# two upstream interfaces eth1 and eth2 is the usual minimum.
loc     eth0    -
net     eth1    -
net     eth2    -

masq

######################################################################################################
#INTERFACE:DEST         SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH
# SNAT everything leaving each upstream interface to a fixed address on that
# modem's segment; ADD_SNAT_ALIASES=Yes in shorewall.conf adds these addresses
# to the interfaces if they are not configured there already.
eth1    0.0.0.0/0       192.168.3.30
eth2    0.0.0.0/0       192.168.1.30

providers
############################################################################################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
# Two upstream lines, each with its modem as gateway (per shorewall-providers(5):
# "balance" spreads new connections over both, "track" keeps a connection's
# replies on the line it arrived on, "loose" leaves per-host routing to the
# rtrules file below).  Marks 1 and 2 occupy the low byte (MASK_BITS=8).
SPEEDY1 1       1       -       eth1    192.168.3.1     loose,track,balance     -
SPEEDY2 2       2       -       eth2    192.168.1.1     loose,track,balance     -

nat
###############################################################################
#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
#                                               INTERFACES
# One-to-one NAT between addresses on the SPEEDY1 modem segment (192.168.3.x,
# still private) and LAN hosts.  Reachability from the Internet therefore
# depends on the modem's own port forwarding, which the rules file says is in
# place; the DNAT rules there pick the same 192.168.3.x addresses as ORIGINAL
# DEST.
192.168.3.20    eth1    192.168.10.20   no      no
192.168.3.28    eth1    192.168.10.28   no      no
192.168.3.29    eth1    192.168.10.29   no      no
192.168.3.31    eth1    192.168.10.31   no      no
192.168.3.32    eth1    192.168.10.32   no      no
192.168.3.15    eth1    192.168.10.15   no      no
# cat policy

###############################################################################
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
#loc    net     ACCEPT
#loc    fw      ACCEPT
# Both loc policies above are commented out, so LAN -> firewall and
# LAN -> Internet traffic is admitted only by explicit entries in the rules
# file; everything else ends in the all/all REJECT (default deny).
# NOTE(review): the LOG LEVEL column is empty on both deny lines, so dropped
# and rejected traffic leaves no trace in /var/log/messages.  "info" on the
# net->all DROP line gives visibility at little cost (pair it with LOGLIMIT
# in shorewall.conf).
fw      loc     ACCEPT
fw      net     ACCEPT
net     all     DROP
all     all     REJECT

# cat rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME         HEADERS         SWITCH
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
# Firewall services reachable from every LAN host: ping, ssh, http, DNS,
# 5353 and SNMP (161).  NOTE(review): SNMP and the web port are open to the
# whole loc zone; if only the admin machines need them, restrict the SOURCE
# to those addresses (loc:addr).
ACCEPT          loc     fw      icmp    8
ACCEPT          loc     fw      tcp     22,80,53,5353,161
ACCEPT          loc     fw      udp     53,5353,161
# Computers whose IPs are allowed to reach everything,
ACCEPT          loc:192.168.10.20,192.168.10.28         net     -       -
# remote access to this router from outside IPs
# NOTE(review): ssh/http on the firewall are open to two /16 ranges and one
# /24 (about 131k addresses).  If the remote admin addresses are known, list
# them instead, and keep ssh on key-only authentication.
ACCEPT          net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16      fw      tcp     22,80       -
# reject client computers so they cannot reach the Speedy modems' LAN and public IPs
# "[ippublicspeedy]" is the post author's placeholder for a modem's public
# address.  NOTE(review): the fourth line reads "[ippiblicspeedy]", most
# likely the same placeholder mistyped; substitute the real addresses when
# restoring this file.
REJECT          loc     net:192.168.1.1 -       -
REJECT          loc     net:[ippublicspeedy]     -       -
REJECT          loc     net:192.168.3.1 -       -
REJECT          loc     net:[ippiblicspeedy]      -       -
# then the clients are allowed out to everything
ACCEPT          loc:192.168.10.1-192.168.10.32     net     -       -

# and some applications can be accessed / remoted from outside, only from specific IPs (NAT is also already set up on the Speedy modem)
# Port forwards from the same remote ranges: RDP (3389) and VNC (5800,
# 5900-5903) go straight to LAN desktops, ports 81-83 map to web servers on
# port 80.  NOTE(review): RDP and classic VNC rely on a password alone and
# VNC carries no transport encryption; exposing them to ~131k addresses is
# risky -- a VPN endpoint on the firewall is the safer pattern.
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.29       tcp     443,5901     -       192.168.3.29
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.20       tcp     3389,5900,5800  -       192.168.3.20
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.28:5900  tcp     5902            -       192.168.3.28
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.29:80    tcp     81              -       192.168.3.29
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.31:80    tcp     82              -       192.168.3.31
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.32:80    tcp     83              -       192.168.3.32
DNAT            net:125.167.0.0/16,118.97.45.0/24,180.249.0.0/16        loc:192.168.10.15:5900  tcp     5903            -       192.168.3.15

# transparent proxy: LAN tcp/80 is redirected to the local squid on 3127
# (only plain http is intercepted; https goes out untouched).
REDIRECT        loc     3127    tcp     www     -

rtrules

####################################################################################
#SOURCE                 DEST                    PROVIDER        PRIORITY        MASK
# Pins each LAN host to one line: rows keyed by SOURCE first, then the mirror
# rows keyed by DEST.  .1-.11 go to SPEEDY1 (priority 1005), .15-.19 and
# .21-.27 to SPEEDY2 (priority 1001).  Hosts with no active row (.12-.14,
# .28-.32; .20 has only its DEST row) fall through to the balanced default
# from the providers file.
192.168.10.1    -       SPEEDY1 1005
192.168.10.2    -       SPEEDY1 1005
192.168.10.3    -       SPEEDY1 1005
192.168.10.4    -       SPEEDY1 1005
192.168.10.5    -       SPEEDY1 1005
192.168.10.6    -       SPEEDY1 1005
192.168.10.7    -       SPEEDY1 1005
192.168.10.8    -       SPEEDY1 1005
192.168.10.9    -       SPEEDY1 1005
192.168.10.10   -       SPEEDY1 1005
192.168.10.11   -       SPEEDY1 1005
#192.168.10.20  -       SPEEDY1 1005
192.168.10.15   -       SPEEDY2 1001
192.168.10.16   -       SPEEDY2 1001
192.168.10.17   -       SPEEDY2 1001
192.168.10.18   -       SPEEDY2 1001
192.168.10.19   -       SPEEDY2 1001
192.168.10.21   -       SPEEDY2 1001
192.168.10.22   -       SPEEDY2 1001
192.168.10.23   -       SPEEDY2 1001
192.168.10.24   -       SPEEDY2 1001
192.168.10.25   -       SPEEDY2 1001
192.168.10.26   -       SPEEDY2 1001
192.168.10.27   -       SPEEDY2 1001
#192.168.10.28  -       SPEEDY1 1005
# Mirror rows (traffic addressed TO the host), same assignment as above.
-       192.168.10.1    SPEEDY1 1005
-       192.168.10.2    SPEEDY1 1005
-       192.168.10.3    SPEEDY1 1005
-       192.168.10.4    SPEEDY1 1005
-       192.168.10.5    SPEEDY1 1005
-       192.168.10.6    SPEEDY1 1005
-       192.168.10.7    SPEEDY1 1005
-       192.168.10.8    SPEEDY1 1005
-       192.168.10.9    SPEEDY1 1005
-       192.168.10.10   SPEEDY1 1005
-       192.168.10.11   SPEEDY1 1005
-       192.168.10.20   SPEEDY1 1005
-       192.168.10.15   SPEEDY2 1001
-       192.168.10.16   SPEEDY2 1001
-       192.168.10.17   SPEEDY2 1001
-       192.168.10.18   SPEEDY2 1001
-       192.168.10.19   SPEEDY2 1001
-       192.168.10.21   SPEEDY2 1001
-       192.168.10.22   SPEEDY2 1001
-       192.168.10.23   SPEEDY2 1001
-       192.168.10.24   SPEEDY2 1001
-       192.168.10.25   SPEEDY2 1001
-       192.168.10.26   SPEEDY2 1001
-       192.168.10.27   SPEEDY2 1001
#-      192.168.10.28   SPEEDY1 1005


start
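###############################################################################
# Shorewall "start" extension script.
#
# It is embedded into / sourced by the firewall script Shorewall generates
# and runs under SHOREWALL_SHELL=/bin/sh (shorewall.conf above), so it must
# stay POSIX sh: no arrays, no [[ ]], and "return" -- never "exit" -- at the
# end.
#
# What it does:
#   1. marks the proxy's own outbound packets (TOS 0x04) with fwmark 0x4;
#   2. tags latency-sensitive traffic (games, ICMP, DNS, SSH, HTTPS) with
#      TOS Minimize-Delay and bulk traffic (FTP data, HTTP) with
#      Maximize-Throughput in mangle/PREROUTING;
#   3. steers every Minimize-Delay packet into tc class 10:2301 via CLASSIFY;
#   4. calls the external shaper /usr/local/bwbamboe2.
#
# The TOS target does not stop rule traversal, so when several rules match
# the same packet the LAST one wins.  Rule order below is therefore
# significant (see the ICMP and 8000:9900 rules).
#
# NOTE(review): every match is by port number only (no interface, address or
# zone), so any LAN host can obtain the low-delay class by using one of these
# ports.  That is a QoS fairness issue, not a filtering one: the filter-table
# policy and rules are unaffected.
###############################################################################

# tos_rule PROTO --sport|--dport PORT[:PORT] TOS
# Appends one mangle/PREROUTING rule tagging matching packets with TOS.
tos_rule() {
  iptables -t mangle -A PREROUTING -p "$1" "$2" "$3" \
    -m state --state NEW,ESTABLISHED,RELATED -j TOS --set-tos "$4"
}

# tos_pair PROTO PORT[:PORT] TOS
# Tags both directions (source port and destination port) of a service.
tos_pair() {
  tos_rule "$1" --sport "$2" "$3"
  tos_rule "$1" --dport "$2" "$3"
}

# Mark the proxy cache's outgoing packets.  NOTE(review): presumably squid
# is configured to send cache traffic with TOS 0x04 -- confirm.  --set-mark
# without a mask replaces the whole fwmark; shorewall.conf has MASK_BITS=8
# and the providers use marks 1 and 2 in that same low byte, so any provider
# mark already placed on these packets is overwritten.  Verify the proxy's
# traffic still leaves by the intended line.
iptables -A OUTPUT -t mangle -m tos --tos 0x04 -j MARK --set-mark 0x4

# Alternative-HTTP range as bulk traffic.  Appended BEFORE the game rules so
# that the specific ports inside this range (8001, 8085, 9015, 9339 below)
# keep their Minimize-Delay tag -- a later match overwrites an earlier one.
tos_rule tcp --dport 8000:9900 Maximize-Throughput

# --- Online games: both directions, Minimize-Delay ---------------------------
tos_pair tcp 18901:18909 Minimize-Delay   # AYODANCE
tos_pair tcp 29000       Minimize-Delay   # PW
tos_pair tcp 27780       Minimize-Delay   # RF
tos_pair tcp 6000:6152   Minimize-Delay   # DOTTA
tos_pair tcp 15000:15002 Minimize-Delay   # LUNA ONLINE
tos_pair tcp 9339        Minimize-Delay   # POKER
# CSO
tos_pair udp 27017       Minimize-Delay
tos_pair udp 8001        Minimize-Delay
tos_pair tcp 8001        Minimize-Delay
tos_pair tcp 9015        Minimize-Delay
tos_pair tcp 36567       Minimize-Delay
tos_pair tcp 40300       Minimize-Delay
tos_pair tcp 40404       Minimize-Delay

# --- ICMP --------------------------------------------------------------------
# The catch-all rule must come FIRST: if it came last it would re-tag
# echo-request/echo-reply back to Maximize-Reliability (last match wins),
# which is the likely reason "TOS with icmp does not seem to work".
iptables -t mangle -A PREROUTING -p icmp -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
  -m state --state NEW -j TOS --set-tos Minimize-Delay          # ping
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
  -j TOS --set-tos Minimize-Delay                               # pong

# --- More games --------------------------------------------------------------
# Lineage II
tos_pair tcp 2106  Minimize-Delay
tos_pair tcp 2009  Minimize-Delay
tos_pair tcp 7777  Minimize-Delay
# MOHAA
tos_pair tcp 12203 Minimize-Delay
# Diablo, Warcraft II & Warcraft III (6112-6119, 4000)
tos_pair tcp 4000      Minimize-Delay
tos_pair tcp 6112      Minimize-Delay
tos_pair udp 6112      Minimize-Delay
tos_pair tcp 6113:6119 Minimize-Delay
tos_pair udp 6113:6119 Minimize-Delay
# POINT BLANK
tos_pair tcp 39120       Minimize-Delay
tos_pair tcp 39190       Minimize-Delay
tos_pair tcp 39100       Minimize-Delay
tos_pair tcp 39110       Minimize-Delay
tos_pair tcp 39220       Minimize-Delay
tos_pair tcp 49100       Minimize-Delay
tos_pair udp 40000:40010 Minimize-Delay
# CROSS FIRE
tos_pair tcp 10009       Minimize-Delay
tos_pair udp 12060:12070 Minimize-Delay
# World of Warcraft
tos_pair tcp 8085 Minimize-Delay
tos_pair tcp 3724 Minimize-Delay

# --- Interactive services ----------------------------------------------------
# DNS.  NOTE(review): only tcp replies (sport 53) and udp queries (dport 53)
# are tagged; udp replies (sport 53) are not -- probably an oversight, add
# "tos_rule udp --sport 53 Minimize-Delay" if so.
tos_rule tcp --sport 53 Minimize-Delay
tos_rule udp --dport 53 Minimize-Delay
# SSH, both directions
tos_pair tcp 22 Minimize-Delay

# --- Bulk transfers ----------------------------------------------------------
tos_pair tcp 20  Maximize-Throughput     # FTP data
tos_pair tcp 80  Maximize-Throughput     # HTTP
tos_pair tcp 90  Minimize-Delay          # HTTP (alternate port)
tos_pair tcp 443 Minimize-Delay          # HTTPS

# --- Management --------------------------------------------------------------
tos_rule udp --dport 161 Maximize-Reliability   # SNMP
tos_rule udp --dport 162 Maximize-Reliability   # SNMP trap

# --- Steer Minimize-Delay traffic into tc class 10:2301 ----------------------
# (the class itself is presumably created by /usr/local/bwbamboe2 below)
iptables -t mangle -A POSTROUTING -p tcp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301
iptables -t mangle -A POSTROUTING -p udp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301
iptables -t mangle -A OUTPUT      -p tcp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301
iptables -t mangle -A OUTPUT      -p udp -m tos --tos Minimize-Delay -j CLASSIFY --set-class 10:2301

# Do not leave the helpers behind in the firewall script's namespace.
unset -f tos_rule tos_pair

# --- Bandwidth shaping -------------------------------------------------------
# External script, not part of this post.  Skipped with a message on stderr
# when it is missing or not executable, instead of a bare command-not-found.
if [ -x /usr/local/bwbamboe2 ]; then
  /usr/local/bwbamboe2
else
  echo "start: /usr/local/bwbamboe2 missing or not executable, shaping skipped" >&2
fi

return 0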

Reference :
Document of www.shorewall.net, under the terms of the GNU Free Documentation License.
