/*
 * tcng standard rate control
 * script for traffic
 * specifically limits outgoing web server
 * and outgoing torrent bandwidth
 *
 * Layout: cpp-style constants (interfaces, ports, addresses) first, then
 * field definitions for looking inside 6in4-encapsulated IPv6, then one
 * "dev" block per interface.  Within a dev block the "class ( <$x> ) if ..."
 * rules pick the HTB leaf a packet is queued to; the rules are tested in the
 * order written, so the first match wins and the final "if 1" rule is the
 * catch-all.  Shaping only reorders and delays packets; whether a flow is
 * allowed at all is decided elsewhere (firewall), not in this file.
 *
 * NOTE(review): SKYPE_RATE, PORT_RTMP_PROXY, PORT_STATD_OUT,
 * PORT_TORRENT_HOST11 and IP_FW1_EXTERNAL are defined but never referenced
 * below, as are the fields tc_6in4, ip6_dst_6in4 and udp_dport_6in4.
 * Harmless, but they look like leftovers of rules that were removed.
 */

#define SKYPE_RATE 90

/* Interface roles: EXTERNAL faces the Internet, INTERNAL faces the LAN. */
#define INTERNAL_INTERFACE "eth0"
#define EXTERNAL_INTERFACE "eth1"

/* Well-known and site-specific TCP/UDP ports used in the classifier rules. */
#define PORT_SSH 22
#define PORT_DNS 53
#define PORT_HTTP 80
#define PORT_HTTP_ALT 8080
#define PORT_HTTPS 443
#define PORT_POP 110
#define PORT_RTMP 1935
#define PORT_RTMP_PROXY 8888
#define PORT_NFS 2049
#define PORT_SQUID 3128
#define PORT_IPSEC 4500
#define PORT_IPERF 5001
#define PORT_GIT 9418
/* Fixed listening ports of the Skype and torrent clients on individual hosts. */
#define PORT_SKYPE_HOST1 18274
#define PORT_SKYPE_HOST11 18275
#define PORT_SKYPE_HOST6 18276
/* Pinned NFS helper ports (statd/mountd) so they can be matched by number. */
#define PORT_STATD_IN 32765
#define PORT_STATD_OUT 32766
#define PORT_MOUNTD 32767
#define PORT_TORRENT_HOST11 32110
#define PORT_TORRENT_HOST2 32111

/* LAN hosts whose traffic is prioritised by address. */
#define IP_FW1_EXTERNAL 192.168.222.254
#define IP_HOST2 192.168.211.9
#define IP_HOST12 192.168.211.25
#define IP_HOST3 192.168.211.46
#define IP_HOST7 192.168.211.48
#define IP_HOST8 192.168.211.49
#define IP_HOST4 192.168.211.51
#define IP_HOST5 192.168.211.53
#define IP_HOST9 192.168.211.60
#define IP_HOST10 192.168.211.113
/* Native IPv6 addresses of two of the hosts above (also seen inside 6in4). */
#define IP6_HOST4 2001:388:1e44:432:821f:2ff:fe2c:3d9d
#define IP6_HOST3 2001:388:1e44:432:201:2eff:fe4c:710e

/*#define IP_SUBNET2 192.168.2.0/24*/
/* The /24 is applied at the point of use via the "ip_src:24" prefix form. */
#define IP_SUBNET2 192.168.2.0

/* Tunnel broker endpoint; only referenced by the disabled "#if 0" rule below. */
#define IP_HURRICANE_ELECTRIC 213.188.122.111
/* IPv4 protocol number for IPv6-in-IPv4 encapsulation. */
#define IPPROTO_6IN4 41

/*
 * Fields for reaching into a 6in4 packet (IPv4 protocol 41, whose payload is
 * a complete IPv6 packet).  The offsets appear to be relative to the start of
 * the outer IPv4 header and assume it is exactly 20 bytes (no IP options):
 * inner IPv6 header at 20, its source address at 20+8, destination at 20+24
 * and the inner transport header at 20+40 = 60.
 * NOTE(review): IPv4 options in the outer header would shift every offset;
 * confirm the tunnel endpoints never send them.  The inner next-header byte
 * is not checked, so udp_*_6in4 simply read the 16 bits at the port position,
 * which is the same offset for TCP and UDP -- the torrent rule below therefore
 * matches both transports.  Only meaningful when ip_proto == IPPROTO_6IN4;
 * every use below is guarded by that test, keep it that way.
 */
//field ip_proto_6in4 = ip_hdr[9].b; /* protocol */
field tc_6in4 = (raw[20].ns >> 4) & 0xff; /* traffic class */
field ip6_src_6in4 = raw[28].ipv6;
field ip6_dst_6in4 = raw[44].ipv6;
/* 6in4 next header starts at 60 */
field udp_sport_6in4 = raw[60].ns;
field udp_dport_6in4 = raw[62].ns;

/*
 * Upstream shaping: packets leaving towards the Internet.  The link is
 * modelled as 900 kbps.  Replies from the local web server (tcp_sport 80)
 * and HOST2's tunnelled torrent traffic are held in $medium; interactive
 * and per-host traffic gets $high; the rest falls into $low.
 *
 * NOTE(review): the $high rule trusts sender-controlled data -- ip_tos,
 * tcp_ack and the ip_src addresses.  Any LAN host can set TOS 0x10 or use a
 * listed source address to jump the queue, so this is a cooperative policy,
 * not an enforcement boundary.  If tcp_ack is the ACK flag (as the name
 * suggests) it is set on essentially every segment of an established TCP
 * connection, so only TCP SYNs and unlisted non-TCP traffic ever reach $low;
 * prioritising small pure ACKs would additionally need a length test.  The
 * same "|| tcp_ack" term is commented out on the internal interface below.
 */
dev EXTERNAL_INTERFACE {
    egress {
#if 0
        class ( <$high> ) if ip_dst == IP_HURRICANE_ELECTRIC;
#endif
        /* Tested first, so a matching packet never reaches the $high rule. */
        class ( <$medium> ) if (tcp_sport == PORT_HTTP)
            || (ip_proto == IPPROTO_6IN4 && udp_sport_6in4 == PORT_TORRENT_HOST2);
        class ( <$high> ) if ip_proto == IPPROTO_ICMP
            || tcp_dport == PORT_HTTP || tcp_dport == PORT_HTTP_ALT
            || tcp_dport == PORT_HTTPS || tcp_dport == PORT_RTMP
            || tcp_dport == PORT_GIT
            || ip_tos == 0x10                       /* IPTOS_LOWDELAY marked by the sender */
            || tcp_sport == PORT_SKYPE_HOST6 || udp_sport == PORT_SKYPE_HOST6
            || tcp_sport == PORT_SKYPE_HOST11 || udp_sport == PORT_SKYPE_HOST11
            || tcp_sport == PORT_SKYPE_HOST1 || udp_sport == PORT_SKYPE_HOST1
            || tcp_sport == PORT_POP
            || udp_dport == PORT_DNS
            || udp_sport == PORT_IPSEC || udp_dport == PORT_IPSEC
            || ip_src == IP_HOST12 || ip_src == IP_HOST7 || ip_src == IP_HOST8
            || ip_src == IP_HOST4 || ip_src == IP_HOST5 || ip_src == IP_HOST9
            || ip_src == IP_HOST10 || ip_src == IP_HOST3
            /* Same hosts when their IPv6 traffic is tunnelled in 6in4. */
            || (ip_proto == IPPROTO_6IN4 && ip6_src_6in4 == IP6_HOST4)
            || (ip_proto == IPPROTO_6IN4 && ip6_src_6in4 == IP6_HOST3)
            || tcp_ack;
        /* Catch-all. */
        class ( <$low> ) if 1;

        /* r2q: HTB rate-to-quantum divisor for the leaf classes. */
        htb ( r2q 20 ) {
            class ( rate 900 kbps ) {
                /* Leaf rates sum to the parent's 900 kbps; ceil lets a leaf borrow up to its cap. */
                class ( prio 1, rate 900 kbps ) {
                    $high = class ( prio 1, rate 500 kbps, ceil 900 kbps ) {
                        sfq ( perturb 10 sec );   /* per-flow fairness, hash reseeded every 10 s */
                    };
                    $medium = class (prio 2, rate 300 kbps, ceil 750 kbps ) {
                        sfq ( perturb 10 sec );
                    };
                    $low = class (prio 3, rate 100 kbps, ceil 200 kbps ) {
                        sfq ( perturb 10 sec );
                    };
                }
            }
        }
    }
}

/*
 * Downstream shaping: packets leaving towards the LAN.  $interactive is
 * effectively unshaped (800 Mbps of a 900 Mbps parent); everything else
 * shares a 10 Mbps subtree, with HOST2's downloads (the torrent host) held
 * in $medium ahead of the general $high rule.
 *
 * NOTE(review): the $interactive rule is evaluated first and keys on
 * ip_tos and on source ports, both chosen by the remote end.  A remote
 * sender that marks TOS 0x10 or sends from port 53/22/5001 lands in the
 * 800 Mbps leaf and bypasses the 10 Mbps shaping entirely.  Fine for a
 * cooperative home/lab link; not a bandwidth guarantee against an
 * uncooperative peer.
 */
dev INTERNAL_INTERFACE {
    egress {
        class ( <$interactive> ) if ip_proto == IPPROTO_ICMP
            || ip_tos == 0x10
            || udp_sport == PORT_DNS || tcp_sport == PORT_DNS
            || tcp_sport == PORT_IPERF || tcp_dport == PORT_IPERF
            || tcp_sport == PORT_SSH || tcp_dport == PORT_SSH
            || tcp_dport == PORT_NFS || tcp_dport == PORT_STATD_IN
            || tcp_dport == PORT_MOUNTD;
        //|| tcp_ack;
#if 0
        class ( <$high> ) if meta_protocol == ETH_P_IPV6;
#endif
        /* HOST2 is matched by address before the port-based $high rule. */
        class ( <$medium> ) if ip_dst == IP_HOST2;
        class ( <$high> ) if tcp_sport == PORT_HTTP || tcp_sport == PORT_HTTP_ALT
            || tcp_sport == PORT_HTTPS || tcp_sport == PORT_RTMP
            || tcp_sport == PORT_GIT
            || tcp_dport == PORT_SKYPE_HOST6 || udp_dport == PORT_SKYPE_HOST6
            || tcp_dport == PORT_SKYPE_HOST11 || udp_dport == PORT_SKYPE_HOST11
            || tcp_dport == PORT_SKYPE_HOST1 || udp_dport == PORT_SKYPE_HOST1
            || ip_src:24 == IP_SUBNET2           /* compares the first 24 bits only */
            || ip_dst == IP_HOST12 || ip_dst == IP_HOST7 || ip_dst == IP_HOST8
            || ip_dst == IP_HOST4 || ip_dst == IP_HOST5 || ip_dst == IP_HOST9
            || ip_dst == IP_HOST10 || ip_dst == IP_HOST3
            /* Native IPv6 to the same hosts. */
            || ip6_dst == IP6_HOST4 || ip6_dst == IP6_HOST3
            || tcp_sport == PORT_SQUID || udp_sport == PORT_SQUID;
        /* Catch-all. */
        class ( <$low> ) if 1;

        htb ( r2q 250 ) {
            class ( rate 900 Mbps ) {
                /* No ceil given, so the class is capped at its rate. */
                $interactive = class ( prio 1, rate 800 Mbps ) {
                    sfq ( perturb 10 sec );
                };
                /* Everything non-interactive is confined to this 10 Mbps subtree. */
                class ( prio 1, rate 10 Mbps ) {
                    $high = class ( prio 1, rate 6 Mbps, ceil 10 Mbps ) {
                        sfq ( perturb 10 sec );
                    };
                    $medium = class (prio 2, rate 2 Mbps, ceil 4 Mbps ) {
                        sfq ( perturb 10 sec );
                    };
                    $low = class (prio 3, rate 2 Mbps, ceil 3 Mbps ) {
                        sfq ( perturb 10 sec );
                    };
                }
            }
        }
    }
}