<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000066"> I use an own-written init script to enable iptables at start-up: /etc/init.d/iptables_tc: <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="Generator" content="Kate, the KDE Advanced Text Editor"> <pre>#!/bin/sh # # iptables_tc - ipables/tc init script # # wRitten by Jordi Ferrando # Debian.etch # <a class="moz-txt-link-abbreviated" href="mailto:jferrando@netplc.com">jferrando@netplc.com</a> TC="/sbin/tc" IPTABLES="/sbin/iptables" start() { echo "Starting outbound shaping..." # Reset everything to a known state (cleared) #flush de reglas $IPTABLES -F $IPTABLES -X $IPTABLES -Z $IPTABLES -t nat -F #Borrar clase entera $TC qdisc del dev eth0 root #Router linux con firewall y traffic shaping #(c)NETPLC, J.Ferrando, Ene-2005/1-Dic-2005 #Interfaz eth0 192.168.7.5/255.255.255.248 (192.168.7.1 .. 192.168.7.6, broadcast 192.168.7.7, 192.168.7.0/29) # eth1 192.168.8.5/255.255.255.0 (192.168.8.0/24, LAN) #Default gateway 192.168.7.1 #DNAT tables #HTTP tcp/80 iptables --table nat --append PREROUTING -i eth0 -d 192.168.7.5 -p tcp --dport 80 -j DNAT --to 192.168.8.5 (...) #ROUTER SNAT para la LAN iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE #Firewall red 192.168.8.0/24 iptables -A FORWARD -s 192.168.8.5 -j ACCEPT iptables -A INPUT -s 192.168.8.5 -j ACCEPT #servicios a la red local surera #DNS iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p tcp --sport 53 -j ACCEPT iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p udp --sport 53 -j ACCEPT iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p udp --dport 53 -j ACCEPT (...) #Acceso internet #portpascual iptables -A FORWARD -s 192.168.8.70 -i eth1 -m mac --mac-source 00:08:0D:C8:CE:D9 -j ACCEPT (...) #Acceso al servidor #particularidades ordenadores #portpascual iptables -A INPUT -s 192.168.8.70 -i eth1 -m mac --mac-source 00:08:0D:C8:CE:D9 -j ACCEPT (...) #Default policy INPUT iptables -A INPUT -s 192.168.8.0/24 -i eth1 -j DROP #Default polity FORWARD iptables -A FORWARD -s 192.168.8.0/24 -i eth1 -j DROP #Filtrado de red 192.168.7.0/248 iptables -A INPUT -s 192.168.7.1 -i eth0 -m mac --mac-source 00:13:49:19:BE:A4 -j ACCEPT iptables -A INPUT -s 192.168.7.0/29 -i eth0 -j DROP echo 1 > /proc/sys/net/ipv4/ip_forward #tc "Traffic Control" #This command attaches queue discipline HTB to eth0 and gives it the "handle" 1:0 #This is just a name or identifier with which to refer to it below. The default 20 means that #any traffic that is not otherwise classified will be assigned to class 1:20 tc qdisc add dev eth0 root handle 1:0 htb default 20 #tc class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit prio 1 burst 32k cburst 32k tc class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit prio 1 burst 32k cburst 3200 #tc class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit prio 5 burst 16k cburst 16k tc class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit prio 5 burst 16k cburst 1600 #tc class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit prio 10 burst 8k cburst 8k tc class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit prio 10 burst 8k cburst 800 #tc class add dev eth0 parent 1:1 classid 1:15 htb rate 128kbit ceil 576kbit prio 15 burst 4k cburst 4k tc class add dev eth0 parent 1:1 classid 1:15 htb rate 128kbit ceil 576kbit prio 15 burst 4k cburst 400 #tc class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit prio 20 burst 2k cburst 2k tc class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit prio 20 burst 2k cburst 200 #tc class add dev eth0 parent 1:1 classid 1:25 htb rate 8kbit ceil 16kbit prio 25 burst 1k cburst 1k tc class add dev eth0 parent 1:1 classid 1:25 htb rate 2kbit ceil 4kbit prio 25 burst 8 cburst 8 # tc qdisc add dev eth0 parent 1:5 handle 5:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:10 handle 10:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:15 handle 15:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:20 handle 20:0 sfq perturb 10 iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --sport 80 -j MARK --set-mark 10 iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 80 -j MARK --set-mark 10 iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --sport 443 -j MARK --set-mark 10 iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 443 -j MARK --set-mark 10 #Privileged computers (Whitelist) #surera iptables -A OUTPUT -t mangle -o eth0 --source 192.168.7.5 -j MARK --set-mark 5 (...) # tc filter add dev eth0 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5 tc filter add dev eth0 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10 tc filter add dev eth0 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15 tc filter add dev eth0 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20 tc filter add dev eth0 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25 #Print tc statictics #tc -s -d class show dev eth0 #tc -s -d qdisc show dev eth0 echo "Outbound shaping added to surera" } stop() { echo "stop ..." # Reset everything to a known state (cleared) #flush de reglas $IPTABLES -F $IPTABLES -X $IPTABLES -Z $IPTABLES -t nat -F #Borrar clase entera $TC qdisc del dev eth0 root echo "Shaping removed on surera" } status() { echo "[iptables]" $IPTABLES -L -v -n $IPTABLES -L -v -n -t nat echo "---- qdisc parameters ----------" tc qdisc ls dev eth0 echo "---- Class parameters ----------" tc class ls dev eth0 echo "---- filter parameters ---------" tc filter ls dev eth0 #Print tc statictics echo "---- tc class statistics -------" tc -s -d class show dev eth0 echo "---- tc qdisc statistics -------" tc -s -d qdisc show dev eth0 } restart() { echo "restart ..." start } reload() { echo "start ..." start } force_reload() { echo "force-reload ..." start } case $1 in start) start ;; stop) stop ;; status) status ;; restart) restart ;; reload) reload ;; force-reload) force_reload ;; *) echo "Usage: iptables_tc {start|stop|restart|reload|force-reload|status}" #echo "Usage: ${0##*/} {start|stop|restart|reload|status}" ;; esac exit 0 </pre> C Hamel wrote: <blockquote cite="mid200601261710.07894.yogich@sc2000.net" type="cite"> <pre wrap="">(1) I have set up NAT on kubuntu the same as I did on three other distros --and was delighted that I didn't have to roll my own kernel, this time! :-) The rub lies in the fact that I do not know where to save the iptables file. The command, '/etc/init.d/iptables save' yields an error because the directory is not there. Obviously, the Debian architecture is different from Gentoo/SuSE/Red Hat, et. al., and I am uncertain as to where to save the rules. Consequently (for now) I have unlocked root access to VTs & created the 'boot.local' file in /etc/init.d with the necessary commands in it which symlink resides in /etc/rcS.d (again, for now, hopefully) until I can find out where it actually belongs. I didn't find it in the docs. Did I miss something? (2) I like the screen to clear when I log out from a VT. SuSE had a neat file in /etc/bash called 'bash_logout' in which one could enter the word 'clear' and that would happen automagically from then, on. I emulated that w/Gentoo but it doesn't seem to work in Debian. Again, no /etc/bash directory and when it was created it was ignored. Anyone able to solve these issues will have my blessing. ;-) Thanks! </pre> </blockquote> </body> </html>