<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000066"> This is my iptables_tc script. Create a file in /etc/init.d and the create the symlinks $ sudo update-rc.d iptables_tc detauls Please adapt it to your needs. The file has firewall functionality, routing SNAT and DNAT and bandwidth shaping. <a class="moz-txt-link-abbreviated" href="mailto:jferrando@alcudia:/etc/init.d$">jferrando@alcudia:/etc/init.d$</a> cat iptables_tc #!/bin/sh # # iptables_tc - ipables/tc init script # # Written by Jordi Ferrando # Debian.etch / Kubuntu feisty 7.04 # (GPL) NETPLC, <a class="moz-txt-link-abbreviated" href="mailto:jferrando@netplc.com">jferrando@netplc.com</a>, 17-may-2007 TC="/sbin/tc" IPTABLES="/sbin/iptables" start() { echo "Firewall NETPLC/alcudia ..." #Router linux with bandwith control and firewall #(c)NETPLC, J.Ferrando, Ene-2005/17-may-2007 #Interfaz eth0 10.54.10.2 / 255.255.255.0 (10.54.10.0/24, SEG-ROUTER-LINUX) # eth1 10.54.11.1 / 255.255.255.0 (10.54.11.0/24, LAN) # tun0 10.54.12.1 / 255.255.255.0 (10.54.12.0/24, OPENVPN) #Default gateway 10.54.10.1 #DNS servers 80.58.61.250, 80.58.61.254 #flush de reglas $IPTABLES -F $IPTABLES -X $IPTABLES -Z $IPTABLES -t nat -F #------------------------------------------------------------------------- #DNAT tables #HTTP tcp/80 #iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 80 -j DNAT --to 10.54.11.1 iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 443 -j DNAT --to 10.54.11.71 #SMTP iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 25 -j DNAT --to 10.54.11.71 #imaps iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 993 -j DNAT --to 10.54.11.71 #POP3S iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 995 -j DNAT --to 10.54.11.71 #Openvpn iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p udp --dport 1194 -j DNAT --to 10.54.11.1 #aMule iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 4662 -j DNAT --to 10.54.11.66 iptables --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p udp --dport 4672 -j DNAT --to 10.54.11.66 #------------------------------------------------------------------------- #ROUTER SNAT para la LAN iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE #------------------------------------------------------------------------- iptables -A INPUT -i lo -j ACCEPT #------------------------------------------------------------------------- #Reglas generales para conexiones ya establecidas iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i tun0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT #------------------------------------------------------------------------- #filtrado red eth0 (10.54.10.0/24) #http iptables -A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT #openvpn iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i eth0 -p udp --sport 1194 -j ACCEPT # #aMule iptables -A INPUT -i eth0 -p tcp --dport 4663 -j ACCEPT #iptables -A INPUT -i eth0 -p udp --dport 4673 -j ACCEPT iptables -A INPUT -i eth0 -p udp --dport 4667 -j ACCEPT # iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT #drop por defecto iptables -A INPUT -i eth0 -j DROP #------------------------------------------------------------------------- #acceso de la VPN, tun0 (10.54.12.0/24) iptables -A INPUT -i tun0 -j ACCEPT iptables -A FORWARD -i tun0 -j ACCEPT iptables -A FORWARD -s 192.168.8.0/24 -d 10.54.11.0/24 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -d 192.168.8.0/24 -j ACCEPT #-------------------------------------------------------------------------- #filtrado red eth1 (10.54.11.0/24) #La ip de la propia máquina (no hace falta habilitar el forward para una ip de la propia máquina) iptables -A INPUT -s 10.54.10.2 -j ACCEPT #servicios a la red local 10.54.11.0/255.255.255.0 #DNS iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 53 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT iptables -A INPUT -s 10.54.11/24 -i eth1 -p udp --sport 53 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --dport 53 -j ACCEPT #Web server iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 80 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT #iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 443 -j ACCEPT #iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 443 -j ACCEPT #imaps iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 993 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 993 -j ACCEPT #pop3s iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 995 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 995 -j ACCEPT #ntp / Network Time Protocol #iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 123 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 123 -j ACCEPT #iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --sport 123 -j ACCEPT iptables -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --dport 123 -j ACCEPT # iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --dport 123 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p udp --dport 123 -j ACCEPT #Política por defecto a exterior #Tráfico web iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --sport 80 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --sport 443 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --dport 443 -j ACCEPT #Si no habilitamos el puerto de openvpn los PCs de la LAN no pueden aceptar conexiones de #clientes remotos a través de VPN iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p udp --sport 1194 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -i eth1 -p udp --dport 1194 -j ACCEPT iptables -A FORWARD -s 10.54.11.0/24 -d 10.54.12.0/24 -j ACCEPT iptables -A FORWARD -s 10.54.12.0/24 -d 10.54.11.0/24 -j ACCEPT #portjordi wireless iptables -A FORWARD -s 10.54.11.64 -m mac --mac-source 00:0D:54:9F:99:C5 -j ACCEPT iptables -A INPUT -s 10.54.11.64 -m mac --mac-source 00:0D:54:9F:99:C5 -j ACCEPT #portangela cable iptables -A FORWARD -s 10.54.11.65 -m mac --mac-source 00:E0:91:03:3C:EC -j ACCEPT iptables -A INPUT -s 10.54.11.65 -m mac --mac-source 00:E0:91:03:3C:EC -j ACCEPT #portangela wireless iptables -A FORWARD -s 10.54.11.66 -m mac --mac-source 00:0E:35:9D:83:C3 -j ACCEPT iptables -A INPUT -s 10.54.11.66 -m mac --mac-source 00:0E:35:9D:83:C3 -j ACCEPT #portjordi iptables -A FORWARD -s 10.54.11.70 -m mac --mac-source 00:08:0D:CD:CE:D9 -j ACCEPT iptables -A INPUT -s 10.54.11.70 -m mac --mac-source 00:08:0D:CD:CE:D9 -j ACCEPT #... #drop el resto iptables -A INPUT -i eth1 -j DROP iptables -A FORWARD -i eth1 -j DROP echo 1 > /proc/sys/net/ipv4/ip_forward #listar las tablas iptables -L -v -n iptables -L -v -n -t nat #Script tc / Traffic Control #J.Ferrando, 30-nov-2005 #Borrar clase entera tc qdisc del dev eth0 root #This command attaches queue discipline HTB to eth0 and gives it the "handle" 1:0. #This is just a name or identifier with which to refer to it below. #The default 12 means that any traffic that is not otherwise classified will be assigned to class 1:12. tc qdisc add dev eth0 root handle 1:0 htb default 20 tc class add dev eth0 parent 1:0 classid 1:1 htb rate 2880kbit ceil 2880kbit prio 1 burst 32k cburst 3200 tc class add dev eth0 parent 1:1 classid 1:5 htb rate 1920kbit ceil 2880kbit prio 5 burst 16k cburst 1600 tc class add dev eth0 parent 1:1 classid 1:10 htb rate 1280kbit ceil 2880kbit prio 10 burst 8k cburst 800 tc class add dev eth0 parent 1:1 classid 1:11 htb rate 1280kbit ceil 2880kbit prio 11 burst 8k cburst 800 tc class add dev eth0 parent 1:1 classid 1:15 htb rate 640kbit ceil 2880kbit prio 15 burst 2k cburst 200 tc class add dev eth0 parent 1:1 classid 1:20 htb rate 320kbit ceil 2880kbit prio 20 burst 1k cburst 100 tc class add dev eth0 parent 1:1 classid 1:25 htb rate 160kbit ceil 160kbit prio 25 burst 512 cburst 52 #tc class add dev eth0 parent 1:0 classid 1:1 htb rate 288kbit ceil 288kbit prio 1 burst 32k cburst 3200 #tc class add dev eth0 parent 1:1 classid 1:5 htb rate 192kbit ceil 288kbit prio 5 burst 16k cburst 1600 #tc class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbit ceil 288kbit prio 10 burst 8k cburst 800 #tc class add dev eth0 parent 1:1 classid 1:11 htb rate 128kbit ceil 288kbit prio 11 burst 8k cburst 800 #tc class add dev eth0 parent 1:1 classid 1:15 htb rate 64kbit ceil 288kbit prio 15 burst 2k cburst 200 #tc class add dev eth0 parent 1:1 classid 1:20 htb rate 32kbit ceil 288kbit prio 20 burst 1k cburst 100 #tc class add dev eth0 parent 1:1 classid 1:25 htb rate 16kbit ceil 16kbit prio 25 burst 512 cburst 52 # tc qdisc add dev eth0 parent 1:5 handle 5:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:10 handle 10:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:11 handle 11:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:15 handle 15:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:20 handle 20:0 sfq perturb 10 tc qdisc add dev eth0 parent 1:25 handle 25:0 sfq perturb 10 #Privileged computers (Whitelist) iptables -A OUTPUT -t mangle -o eth0 -j MARK --set-mark 20 iptables -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.1 -j MARK --set-mark 15 #portjordi wireless iptables -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.64 -j MARK --set-mark 15 #portangela cable iptables -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.65 -j MARK --set-mark 15 #portangela wireless iptables -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.66 -j MARK --set-mark 15 #... #Restrict computers (Blacklist) #iptables -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.8.71 -j MARK --set-mark 25 #Priority protocols # iptables -A FORWARD -t mangle -i eth1 -p tcp --sport 80 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --dport 80 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --sport 443 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --dport 443 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --sport 25 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --dport 25 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --sport 993 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -i eth1 -p tcp --dport 993 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 80 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 80 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 443 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 443 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 25 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 25 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 993 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 993 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p udp --sport 1194 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p udp --dport 1194 -j MARK --set-mark 5 #sky.fm iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 8110 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 8110 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 8600 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 8600 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 8710 -j MARK --set-mark 5 iptables -A OUTPUT -t mangle -o eth0 -p tcp --dport 8710 -j MARK --set-mark 5 iptables -A FORWARD -t mangle -o eth0 -p icmp -j MARK --set-mark 5 # tc filter add dev eth0 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5 tc filter add dev eth0 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10 tc filter add dev eth0 protocol ip parent 1:0 prio 11 handle 11 fw flowid 1:11 tc filter add dev eth0 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15 tc filter add dev eth0 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20 tc filter add dev eth0 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25 echo "Outbound shaping added to alcudia" } stop() { echo "stop ..." # Reset everything to a known state (cleared) #flush de reglas $IPTABLES -F $IPTABLES -X $IPTABLES -Z $IPTABLES -t nat -F #Borrar clase entera $TC qdisc del dev eth0 root echo "Shaping removed on alcudia" } status() { echo "[iptables]" $IPTABLES -L -v -n $IPTABLES -L -v -n -t nat echo "---- qdisc parameters ----------" #tc qdisc ls dev eth0 echo "---- Class parameters ----------" #tc class ls dev eth0 echo "---- filter parameters ---------" #tc filter ls dev eth0 #Print tc statictics #echo "---- tc class statistics -------" #tc -s -d class show dev eth0 echo "---- tc qdisc statistics -------" #tc -s -d qdisc show dev eth0 } restart() { echo "restart ..." start } reload() { echo "start ..." start } force_reload() { echo "force-reload ..." start } case $1 in start) start ;; stop) stop ;; status) status ;; restart) restart ;; reload) reload ;; force-reload) force_reload ;; *) echo "Usage: iptables_tc {start|stop|restart|reload|force-reload|status}" #echo "Usage: ${0##*/} {start|stop|restart|reload|status}" ;; esac exit 0 Donn escribió: <blockquote cite="mid:200711111227.02939.donn.ingle@gmail.com" type="cite"> <pre wrap="">Hi, I want to run an iptables command to allow my other machine to surf through my Kubuntu box. I used to put this into /etc/networking/netshare, but I can't recall how it got run exactly. How do I set this up on Gutsy (I don't savvy upstart yet) so it runs soon after the network interfaces have come to life? \d </pre> </blockquote> </body> </html>