verzia 2.57, 2008/02/02 22:57:54 |
verzia 2.58, 2008/04/13 19:27:00 |
|
|
# Licensed under terms of GNU General Public License. |
# Licensed under terms of GNU General Public License. |
# All rights reserved. |
# All rights reserved. |
# |
# |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.56 2008-01-27 13:36:02 rajo Exp $ |
# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.57 2008-02-02 22:57:54 rajo Exp $ |
# |
# |
# Changelog: |
# Changelog: |
# 2003-10-24 - created |
# 2003-10-24 - created |
Riadok 73 RMMOD="${RMMOD:=/sbin/rmmod}" |
|
Riadok 73 RMMOD="${RMMOD:=/sbin/rmmod}" |
|
AWK="${AWK:=/usr/bin/awk}" |
AWK="${AWK:=/usr/bin/awk}" |
PERL="${PERL:=/usr/bin/perl}" |
PERL="${PERL:=/usr/bin/perl}" |
|
|
|
# shaping |
|
TC="${TC:=/sbin/tc}" |
|
|
# loopback interface |
# loopback interface |
LO_IFACE="${LO_IFACE:=lo}" |
LO_IFACE="${LO_IFACE:=lo}" |
# Hide NAT clients behind firewall |
# Hide NAT clients behind firewall |
Riadok 986 accept_loopback() |
|
Riadok 989 accept_loopback() |
|
|
|
} # }}} |
} # }}} |
|
|
|
# |
|
# Shaping support {{{ |
|
# |
|
# http://koti.welho.com/ntoivol2/shaping/ |
|
# |
|
|
|
shaping_on() |
|
{ # {{{ |
|
|
|
mark_idx=1 |
|
if [ ! -z $SHAPING_IFACE ]; then |
|
for iface in $SHAPING_IFACE; do |
|
echo "Shaping for interface $iface" |
|
shaping_classes="${iface}_SHAPING_CLASSES" |
|
|
|
# root qdisc: 2-band prio with everything defaulting to band 0 |
|
$TC qdisc add dev $iface root handle 1: prio bands 2 priomap 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 |
|
|
|
for class in ${!shaping_classes}; do |
|
rate="${iface}_SHAPING_RATE_${class}" |
|
latency="${iface}_SHAPING_LATENCY_${class}" |
|
burst="${iface}_SHAPING_BURST_${class}" |
|
netmask="${iface}_SHAPING_NETMASK_${class}" |
|
echo -e "\tshaping \"$class\" traffic: rate=${!rate} burst=${!burst} netmask=${!netmask}" |
|
if [ -z ${!netmask} ]; then |
|
$IPTABLES -t mangle -A OUTPUT -j MARK --set-mark 0x$mark_idx |
|
else |
|
$IPTABLES -t mangle -A OUTPUT -d ${!netmask} -j MARK --set-mark 0x$mark_idx |
|
fi |
|
|
|
if [ -z ${!rate} ]; then |
|
# SFQ for local traffic |
|
$TC qdisc add dev $iface parent 1:$mark_idx handle $((10 + $mark_idx)): sfq perturb 10 |
|
else |
|
# TBF shaping and SFQ for internet traffic |
|
$TC qdisc add dev $iface parent 1:$mark_idx handle $((10 + $mark_idx)): tbf rate ${!rate} burst ${!burst} latency ${!latency} |
|
$TC qdisc add dev $iface parent $((10 + $mark_idx)): handle $((10 * $mark_idx)): sfq perturb 10 |
|
fi |
|
|
|
mark_idx=$(($mark_idx + 1)) |
|
done |
|
done |
|
fi |
|
|
|
} # }}} |
|
|
|
shaping_off() |
|
{ # {{{ |
|
if [ ! -z $SHAPING_IFACE ]; then |
|
echo -en "Shaping turned off for interface" |
|
for iface in $SHAPING_IFACE; do |
|
echo -en " $iface" |
|
$TC qdisc del dev $iface root 2>/dev/null |
|
done |
|
echo ". done" |
|
fi |
|
} # }}} |
|
|
|
shaping_status() |
|
{ # {{{ |
|
if [ ! -z $SHAPING_IFACE ]; then |
|
echo "# Shaping status: " |
|
$TC qdisc list |
|
else |
|
echo "# Shaping turned off" |
|
fi |
|
} # }}} |
|
|
|
# }}} |
|
|
add_banned_ip() |
add_banned_ip() |
{ # {{{ |
{ # {{{ |
echo "# `date '+%Y-%m-%d %X' ` - ${SSH_CLIENT:=local}" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
echo "# `date '+%Y-%m-%d %X' ` - ${SSH_CLIENT:=local}" >> $DEFAULT_FIREWALL_CONFIG_DIR/BANNED_IP.conf |
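Review bot: In shaping_on the marks written by the mangle OUTPUT rules (`--set-mark 0x$mark_idx`) are never bound to a prio band — as far as the visible lines show no `tc filter … fw` is added, so with `priomap 0 0 …` every packet lands in band 0 (`1:1`) and the TBF/SFQ qdiscs attached to `1:$mark_idx` for the second and later classes never carry traffic. Adding, after the per-class qdisc lines, `$TC filter add dev $iface parent 1: protocol ip prio 1 handle 0x$mark_idx fw classid 1:$mark_idx` would close that gap; note also that `prio bands 2` only creates `1:1` and `1:2`, so a third configured class fails at `parent 1:3`. Separately, `[ ! -z $SHAPING_IFACE ]` is unquoted, so the space-separated interface list that `for iface in $SHAPING_IFACE` expects produces a "too many arguments" test error and the whole block is skipped — write `[ -n "$SHAPING_IFACE" ]` (same in shaping_off and shaping_status). shaping_off deletes only the root qdisc, not the mangle MARK rules, so repeated `start` would accumulate duplicate OUTPUT rules unless the mangle table is flushed elsewhere (presumably remove_chains — worth confirming). The hunk boundaries around this block are not fully visible in this rendering.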
|
|
log_forward_drop |
log_forward_drop |
forward_on |
forward_on |
do_ip_accounting |
do_ip_accounting |
|
shaping_off |
|
shaping_on |
configure_special_rules |
configure_special_rules |
$IPTABLES_SAVE -c > $CACHE_FILE |
$IPTABLES_SAVE -c > $CACHE_FILE |
;; |
;; |
|
|
stop) |
stop) |
print_info -n "Stopping $DESC: " |
print_info -n "Stopping $DESC: " |
|
shaping_off |
set_default_policy |
set_default_policy |
remove_chains |
remove_chains |
unload_modules |
unload_modules |
|
|
status) |
status) |
print_iface_status; echo |
print_iface_status; echo |
$IPTABLES -L -nv |
$IPTABLES -L -nv |
|
shaping_status |
;; |
;; |
|
|
purge) |
purge) |