Issue with Firewall Script for Download

Discussion in 'Networking Issues' started by hardcorerzeznik, Nov 15, 2011.

  hardcorerzeznik (Networkin' Nut Member)

    Hello everyone,

    Firstly, please forgive my English - I'm from the eastern part of Europe and from time to time I make some mistakes ;)

    I have one WRT54GL-EU v1.1 with Tomato firmware version 1.28. In my network there are 2 PCs (connected via cable) and 2 laptops (via WiFi). All have static IP addresses.

    I have configured QoS for upload and everything works perfectly (for outbound traffic). My classification rules:

    [image: regulki.jpg - the outbound QoS classification rules]

    Now I want to create QoS for inbound traffic. I think a better way to achieve this will be using firewall scripts, because with an HTB script I can first divide my bandwidth between 6 users (4 with static IPs + 2 random WiFi clients - I have limited the IP range to 6 addresses) and then divide it between services.

    In this script I want to create rules similar to those in the outbound QoS. I have a problem with rules 1 and 11, because I don't know how to separate rules by the size of the transferred files - the first rule is for files smaller than 512KB, the second is for files bigger than 512KB - with these rules I want to separate web browsing from downloading files from services like RapidShare. Is it possible?

    First version of my script (only for services - I will add the bandwidth limiter later because it's not a problem for me):

    Code:
    # Layer-7 classifier module (used below for Skype)
    modprobe ipt_layer7

    # Shortcuts for the tc commands on the LAN bridge; egress on br0 is the
    # clients' download direction, so this shapes inbound traffic
    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"

    # Start clean (the delete fails harmlessly if no root qdisc exists yet)
    tc qdisc del dev br0 root 2>/dev/null
    tc qdisc add dev br0 root handle 1: htb

    # Parent class = total download bandwidth
    tc class add dev br0 parent 1: classid 1:1 htb rate 13312kbit

    # Child classes, guaranteed rate each, all may borrow up to the full link
    $TCA parent 1:1 classid 1:10 htb rate 3994kbit ceil 13312kbit prio 0
    $TCA parent 1:1 classid 1:11 htb rate 3328kbit ceil 13312kbit prio 1
    $TCA parent 1:1 classid 1:12 htb rate 2662kbit ceil 13312kbit prio 2
    $TCA parent 1:1 classid 1:13 htb rate 1997kbit ceil 13312kbit prio 3
    $TCA parent 1:1 classid 1:14 htb rate 1331kbit ceil 13312kbit prio 4

    # Fair queuing inside each class
    $TQA parent 1:10 handle 10: $SFQ
    $TQA parent 1:11 handle 11: $SFQ
    $TQA parent 1:12 handle 12: $SFQ
    $TQA parent 1:13 handle 13: $SFQ
    $TQA parent 1:14 handle 14: $SFQ

    # Map firewall marks to classes (mark N -> class 1:N)
    $TFA parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10
    $TFA parent 1:0 prio 1 protocol ip handle 11 fw flowid 1:11
    $TFA parent 1:0 prio 2 protocol ip handle 12 fw flowid 1:12
    $TFA parent 1:0 prio 3 protocol ip handle 13 fw flowid 1:13
    $TFA parent 1:0 prio 4 protocol ip handle 14 fw flowid 1:14

    # Class 10: web browsing and DNS
    iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 10
    iptables -t mangle -A POSTROUTING -p tcp --sport 53 -j MARK --set-mark 10
    iptables -t mangle -A POSTROUTING -p udp --sport 53 -j MARK --set-mark 10

    # Class 11: VoIP and gaming
    iptables -t mangle -A POSTROUTING -p tcp --sport 7777 -j MARK --set-mark 11
    iptables -t mangle -A POSTROUTING -m layer7 --l7proto skypetoskype -j MARK --set-mark 11
    iptables -t mangle -A POSTROUTING -p tcp --sport 27000:27050 -j MARK --set-mark 11
    iptables -t mangle -A POSTROUTING -p udp --sport 27000:27050 -j MARK --set-mark 11
    iptables -t mangle -A POSTROUTING -p tcp -m mport --sports 88,3074 -j MARK --set-mark 11
    iptables -t mangle -A POSTROUTING -p udp -m mport --sports 88,3074 -j MARK --set-mark 11

    # Class 12: mail, FTP, SSH
    iptables -t mangle -A POSTROUTING -p tcp -m mport --sports 25,465,110,995,143,993 -j MARK --set-mark 12
    iptables -t mangle -A POSTROUTING -p tcp -m mport --sports 20,21 -j MARK --set-mark 12
    iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 12

    # Class 13: big HTTP downloads (same matches as class 10 - see the question below)
    iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 13
    iptables -t mangle -A POSTROUTING -p tcp --sport 53 -j MARK --set-mark 13
    iptables -t mangle -A POSTROUTING -p udp --sport 53 -j MARK --set-mark 13

    # Class 14: everything else on high ports, excluding 3074, 7777 and 27000-27050
    # (the original had the invalid range 27051:3073; the ranges are re-ordered so each start <= end)
    iptables -t mangle -A POSTROUTING -p tcp -m mport --sports 1024:3073,3075:7776,7778:26999,27051:65535 -j MARK --set-mark 14
    iptables -t mangle -A POSTROUTING -p udp -m mport --sports 1024:3073,3075:7776,7778:26999,27051:65535 -j MARK --set-mark 14
    Interesting lines:

    Code:
    iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 10
    and

    Code:
    iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 13
    If this is possible - how should I modify these lines? Or what else should I add to the script to achieve my target?

    Please, help me.

    With regards,

    HR
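The size-based split asked about in the post, as an added example that is not the original poster's script: it assumes the router's iptables has the connbytes match (ipt_connbytes) and restricts the rules to br0 with -o; the mark numbers, the 512KB threshold and the 30/25/20/15/10 % class split are taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumes the connbytes match
# (ipt_connbytes) is loadable on the router; marks 10/13 follow the post.
DEV=br0                  # LAN bridge: egress on br0 is the clients' download
LIMIT=524288             # 512 KB: below this "browsing", above it "download"
RUN=${RUN:-echo}         # default prints the commands for review; RUN='' runs them

ipt() { $RUN iptables -t mangle "$@"; }

# Two-stage marking for HTTP replies. MARK is a non-terminating target, so a
# later matching rule overwrites an earlier mark. That is why the bulk rule
# must come second, and why two unconditional --sport 80 rules (as in the
# post) leave every HTTP packet with mark 13.
mark_http_by_size() {
    ipt -A POSTROUTING -o "$DEV" -p tcp --sport 80 -j MARK --set-mark 10
    # Re-mark once more than $LIMIT bytes have flowed back from the server
    # (reply direction of the connection the LAN client opened).
    ipt -A POSTROUTING -o "$DEV" -p tcp --sport 80 \
        -m connbytes --connbytes "$LIMIT": --connbytes-dir reply \
        --connbytes-mode bytes -j MARK --set-mark 13
}

# Derive the HTB child rates the post uses (30/25/20/15/10 % of 13312 kbit,
# rounded to whole kbit) so the split can be changed in one place.
TOTAL=13312
rate_kbit() { echo $(( (TOTAL * $1 + 50) / 100 )); }

# Sanity check before loading: guaranteed child rates must fit the parent.
rates_fit() {
    sum=0
    for pct in "$@"; do sum=$(( sum + $(rate_kbit "$pct") )); done
    [ "$sum" -le "$TOTAL" ]
}

mark_http_by_size
rates_fit 30 25 20 15 10 && echo "class rates fit in ${TOTAL}kbit"
```

Run it once as-is to review the generated iptables lines, then with RUN='' to apply them; the first 512KB of every HTTP reply stays in class 10 and the remainder of that connection moves to class 13.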