Need help with someone who knows firewall scripts.

Discussion in 'Tomato Firmware' started by kripz, Dec 24, 2007.

  1. kripz

    kripz LI Guru Member

    Trying to create a whitelist to limit bandwidth. My sync speed is 1536/256 kbps.

    Simple rules in order:

    1. Do not limit (or set to 1536/256) MAC 00:00:00:00:00.
    2. Do not limit (or set to 1536/256) MAC 00:00:00:00:01.
    3. Do not limit (or set to 1536/256) MAC 00:00:00:00:02.
    4. Do not limit (or set to 1536/256) MAC 00:00:00:00:03.
    5. Limit IP range 192.168.1.2 -> 192.168.1.254 (or all MAC/IP's) to 50/6 kbps.

    Hopefully the firewall checks down the list and, if no rule matches, it applies rule 5. If a match is found, it applies the rule and stops checking.

    The script generator can't do what I want, so I need someone who knows how to script to whip one up for me :halo:
     
  2. u3gyxap

    u3gyxap Network Guru Member

    Code:
    # Download side: HTB tree on the LAN bridge br0 (egress towards the LAN)
    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"
    tc qdisc del dev br0 root
    tc qdisc add dev br0 root handle 1: htb
    tc class add dev br0 parent 1: classid 1:1 htb rate 1500kbit
    $TCA parent 1:1 classid 1:14 htb rate 50kbit ceil 60kbit prio 2
    $TQA parent 1:14 handle 14: $SFQ
    # packets carrying firewall mark 14 are steered into class 1:14
    $TFA parent 1:0 prio 2 protocol ip handle 14 fw flowid 1:14
    iptables -t mangle -A POSTROUTING -m iprange --dst-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 14
    # Upload side: HTB tree on the IMQ device imq0
    TCAU="tc class add dev imq0"
    TFAU="tc filter add dev imq0"
    TQAU="tc qdisc add dev imq0"
    modprobe imq
    modprobe ipt_IMQ
    ip link set imq0 up
    tc qdisc del dev imq0 root
    tc qdisc add dev imq0 root handle 1: htb
    tc class add dev imq0 parent 1: classid 1:1 htb rate 250kbit
    # one class per whitelisted MAC (marks 10-13) and one capped class (mark 14)
    $TCAU parent 1:1 classid 1:10 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:11 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:12 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:13 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:14 htb rate 6kbit ceil 10kbit prio 2
    $TQAU parent 1:10 handle 10: $SFQ
    $TQAU parent 1:11 handle 11: $SFQ
    $TQAU parent 1:12 handle 12: $SFQ
    $TQAU parent 1:13 handle 13: $SFQ
    $TQAU parent 1:14 handle 14: $SFQ
    # only mark 14 has a filter; marks 10-13 have none and stay outside the tree, unshaped
    $TFAU parent 1:0 prio 2 protocol ip handle 14 fw flowid 1:14
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:00:00:00:00:00 -j MARK --set-mark 10
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:00:00:00:00:01 -j MARK --set-mark 11
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:00:00:00:00:02 -j MARK --set-mark 12
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:00:00:00:00:03 -j MARK --set-mark 13
    # MARK does not stop rule traversal, so this rule also re-marks packets matched above
    iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 14
    # hand LAN packets to imq0 so the upload tree above shapes them
    iptables -t mangle -A PREROUTING -j IMQ --todev 0
     
  3. kripz

    kripz LI Guru Member

    Thanks, will try in a sec, but first I'm trying to get my head around this:
    Code:
    tc class add dev br0 parent 1: classid 1:1 htb rate 1500kbit
    $TCA parent 1:1 classid 1:14 htb rate 50kbit ceil 60kbit prio 2
    $TQA parent 1:14 handle 14: $SFQ
    $TFA parent 1:0 prio 2 protocol ip handle 14 fw flowid 1:14
    iptables -t mangle -A POSTROUTING -m iprange --dst-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 14
    That limits x.2-x.254 to download at 50; where does it allow the 4 MACs to download at full speed (as the computers with the specified MACs use an IP from the above range)?
    Code:
    tc class add dev imq0 parent 1: classid 1:1 htb rate 250kbit
    $TCAU parent 1:1 classid 1:10 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:11 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:12 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:13 htb rate 61kbit ceil 250kbit prio 1
    $TCAU parent 1:1 classid 1:14 htb rate 6kbit ceil 10kbit prio 2
    What is the 61kbit for? Is that for even bandwidth distribution?

    If all 4 computers are online and uploading at the same time, do they get limited to 61kbps?

    I'd rather 1 computer upload at max while the others go at 0.01kbps. Can I change the value to 0kbit or 1kbit? Is it possible to not have it?

    If I can't remove it and I add more MACs, do I have to change the 61 to 250 / no. of clients?

    EDIT:

    Also, my sync speeds were 1536/256 kbps; do I have to convert them to kbit/s? 1536*8/256*8?
     
  4. kripz

    kripz LI Guru Member

    Just tested this:

    Code:
    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"
    tc qdisc del dev br0 root
    tc qdisc add dev br0 root handle 1: htb
    tc class add dev br0 parent 1: classid 1:1 htb rate 1500kbps
    $TCA parent 1:1 classid 1:99 htb rate 1kbps ceil 50kbps prio 2
    $TQA parent 1:99 handle 99: $SFQ
    $TFA parent 1:0 prio 2 protocol ip handle 99 fw flowid 1:99
    iptables -t mangle -A POSTROUTING -m iprange --dst-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 99
    TCAU="tc class add dev imq0"
    TFAU="tc filter add dev imq0"
    TQAU="tc qdisc add dev imq0"
    modprobe imq
    modprobe ipt_IMQ
    ip link set imq0 up
    tc qdisc del dev imq0 root
    tc qdisc add dev imq0 root handle 1: htb
    tc class add dev imq0 parent 1: classid 1:1 htb rate 250kbps
    $TCAU parent 1:1 classid 1:10 htb rate 1kbps ceil 250kbps prio 1
    $TCAU parent 1:1 classid 1:11 htb rate 1kbps ceil 250kbps prio 1
    $TCAU parent 1:1 classid 1:12 htb rate 1kbps ceil 250kbps prio 1
    $TCAU parent 1:1 classid 1:13 htb rate 1kbps ceil 250kbps prio 1
    $TCAU parent 1:1 classid 1:14 htb rate 1kbps ceil 250kbps prio 1
    $TCAU parent 1:1 classid 1:99 htb rate 1kbps ceil 6kbps prio 2
    $TQAU parent 1:10 handle 10: $SFQ
    $TQAU parent 1:11 handle 11: $SFQ
    $TQAU parent 1:12 handle 12: $SFQ
    $TQAU parent 1:13 handle 13: $SFQ
    $TQAU parent 1:14 handle 14: $SFQ
    $TQAU parent 1:99 handle 99: $SFQ
    $TFAU parent 1:0 prio 2 protocol ip handle 99 fw flowid 1:99
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:0D:00:00:00:61 -j MARK --set-mark 10
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:17:00:00:00:BB -j MARK --set-mark 11
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:1D:00:00:00:8B -j MARK --set-mark 12
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:16:00:00:00:28 -j MARK --set-mark 13
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:19:00:00:00:02 -j MARK --set-mark 14
    iptables -t mangle -A PREROUTING -m iprange --src-range 192.168.1.2-192.168.1.254 -j MARK --set-mark 99
    iptables -t mangle -A PREROUTING -j IMQ --todev 0
    MACs on the list download at full speed, but MACs not on the list also download at full speed? They should be limited to 50kbps. I did not test uploading.

    Those are not my real MACs; however, during testing I had the correct MACs.
     
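    As an added example that is not code from this thread or from the Tomato project, the script below builds the whitelist the first post asked for (listed MACs unshaped, every other host in 192.168.1.2-254 capped, in both directions), written to avoid three things visible in the scripts above. First, tc's "kbit" is kilobits per second while its "kbps" is kilobytes per second, so 1536/256 kbit sync must be written as 1536kbit/256kbit. Second, MARK does not stop rule traversal, so a later catch-all MARK rule overwrites the mark the MAC rules just set unless the whitelist RETURNs first. Third, iptables can only match the source MAC, which a download packet does not carry; saving the decision on the connection with CONNMARK and restoring it on br0 egress lets the replies inherit it. The link speeds, the placeholder MACs, the chain name QOSWL, the mark values and the DRYRUN switch are all assumptions for illustration; the HTB rate is the guaranteed share and ceil the cap, which is what the 61kbit in post 2 was doing.

```shell
#!/bin/sh
# Added example (not code from the thread): whitelist-style shaper for a Tomato-type
# router with LAN bridge br0 and IMQ device imq0 for upload shaping.
# Assumptions for illustration: link speeds, placeholder MACs, chain name, marks.

DOWN_KBIT=1536        # ISP sync rates in kilobits/s. tc spells this "kbit";
UP_KBIT=256           # "kbps" in tc means kilobytes/s, eight times larger.
LIMIT_DOWN_KBIT=50    # cap for non-whitelisted hosts, download
LIMIT_UP_KBIT=6       # cap for non-whitelisted hosts, upload
LAN=br0
IMQ=imq0
LAN_RANGE=192.168.1.2-192.168.1.254
MARK_FULL=10          # whitelisted host: class 1:10, full speed
MARK_LIMIT=99         # everyone else in LAN_RANGE: class 1:99, capped
# Placeholder MACs (not real hosts); replace with the real whitelist.
WHITELIST="00:00:00:00:00:00 00:00:00:00:00:01 00:00:00:00:00:02 00:00:00:00:00:03"

# DRYRUN=1 prints the commands instead of executing them (no root, tc or iptables needed).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One HTB tree per direction. "rate" is the guaranteed share and "ceil" the hard cap,
# so the whitelist class gets rate = link - limit and may borrow up to the full link.
# No "default" on the root: unmarked traffic (the router's own) is left unshaped.
shape_dev() {   # $1=device $2=link kbit $3=limit kbit
    dev=$1; link=$2; limit=$3; full=$((link - limit))
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "${link}kbit"
    run tc class add dev "$dev" parent 1:1 classid "1:$MARK_FULL" htb rate "${full}kbit" ceil "${link}kbit" prio 1
    run tc class add dev "$dev" parent 1:1 classid "1:$MARK_LIMIT" htb rate "${limit}kbit" ceil "${limit}kbit" prio 2
    run tc qdisc add dev "$dev" parent "1:$MARK_FULL" handle "$MARK_FULL:" sfq perturb 10
    run tc qdisc add dev "$dev" parent "1:$MARK_LIMIT" handle "$MARK_LIMIT:" sfq perturb 10
    run tc filter add dev "$dev" parent 1: prio 1 protocol ip handle "$MARK_FULL" fw flowid "1:$MARK_FULL"
    run tc filter add dev "$dev" parent 1: prio 2 protocol ip handle "$MARK_LIMIT" fw flowid "1:$MARK_LIMIT"
}

# Idempotent append to a mangle chain: delete any earlier copy of the rule first
# (old iptables builds lack -C, so -D is the portable guard).
hook() {
    run iptables -t mangle -D "$@" 2>/dev/null || true
    run iptables -t mangle -A "$@"
}

# Classify in a private chain so the firmware's own mangle rules are never flushed.
# MARK does not stop rule traversal, so the whitelist RETURNs before the range rule
# can overwrite its mark. CONNMARK keeps the decision on the connection, which is how
# the reply packets (download side, no source MAC to match) inherit it in POSTROUTING.
mark_traffic() {
    run iptables -t mangle -N QOSWL 2>/dev/null || true
    run iptables -t mangle -F QOSWL
    run iptables -t mangle -A QOSWL -j CONNMARK --restore-mark
    run iptables -t mangle -A QOSWL -m mark ! --mark 0 -j RETURN          # already classified
    for mac in $WHITELIST; do
        run iptables -t mangle -A QOSWL -m mac --mac-source "$mac" -j MARK --set-mark "$MARK_FULL"
    done
    run iptables -t mangle -A QOSWL -m mark --mark "$MARK_FULL" -j CONNMARK --save-mark
    run iptables -t mangle -A QOSWL -m mark --mark "$MARK_FULL" -j RETURN  # whitelist wins
    run iptables -t mangle -A QOSWL -m iprange --src-range "$LAN_RANGE" -j MARK --set-mark "$MARK_LIMIT"
    run iptables -t mangle -A QOSWL -j CONNMARK --save-mark
    # LAN-originated packets are classified, then handed to imq0 for upload shaping.
    hook PREROUTING -i "$LAN" -j QOSWL
    hook PREROUTING -i "$LAN" -j IMQ --todev 0
    # Replies towards the LAN pick up the saved mark before the br0 egress qdisc sees them.
    hook POSTROUTING -o "$LAN" -j CONNMARK --restore-mark
}

apply_shaper() {
    run modprobe imq
    run modprobe ipt_IMQ
    run ip link set "$IMQ" up
    shape_dev "$LAN" "$DOWN_KBIT" "$LIMIT_DOWN_KBIT"   # download: br0 egress
    shape_dev "$IMQ" "$UP_KBIT" "$LIMIT_UP_KBIT"       # upload: via IMQ
    mark_traffic
}

if [ "${APPLY_SHAPER:-0}" = 1 ]; then apply_shaper; fi
```

    Run it once with `DRYRUN=1 APPLY_SHAPER=1 sh shaper.sh` to review the generated tc and iptables commands, then as root on the router with `APPLY_SHAPER=1 sh shaper.sh`. Because the whitelist class is identified by a single mark, adding a host is one more MAC in WHITELIST rather than a new class and filter per host, and the 61kbit question goes away: the capped class keeps its guaranteed rate, the whitelist class shares everything else.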
  5. voxabox

    voxabox LI Guru Member

  6. kripz

    kripz LI Guru Member

    ....
     