CCCHH/easterhegg-2005-website
0
0
Fork 0
Code Pull requests Activity

import from old webserver

Browse source
This commit is contained in:
Jannik Beyerstedt 2024-01-27 15:10:12 +01:00
commit ef633b2cf4
182 changed files with 69233 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

352
noc/scripts/chaosvpn-client.pl Executable file
View file

@ -0,0 +1,352 @@
#!/usr/bin/perl
# 0.05 20040220 haegar@ccc.de
# - pfad zu /sbin/ip in eine Variable auslagern
#
# 0.04 20031203 haegar@ccc.de
# - config in ein externes configfile ausgelagert
# - abschiessen eines schon laufenden chaosvpn-daemons umgebaut,
# da der normale weg nicht immer funktioniert
#
# 0.03 20031202 haegar@ccc.de
# - debug-logging per default an, damit man mehr sieht
# - unbenutzte config-variablen als solche kommentiert
#
# 0.02 20031020 haegar@ccc.de
# - peer-excludes funktionierten nicht
#
# v0.01 20031019 haegar@ccc.de
# - first revision
# JA, ICH WEISS HIER FEHLT NOCH VIEL UND ES IST AN DIVERSEN STELLEN
# EXTREM DRECKIG RUNTERGEHACKT ;)
use strict;
use LWP::UserAgent;
use HTTP::Request;
use CGI;
use Data::Dumper;
my $config = "/etc/tinc/chaosvpn.conf";
# config-vars:
use vars qw(
$my_peerid $my_vpn_ip $my_vpn_netmask $my_vpn_ip6
@exclude
$my_password $my_ip $my_external_ip
$networkname $tincd_bin $ifconfig $ifconfig6 $ip_bin
$master_url $base $pidfile $tincd_debuglevel
);
# defaults:
$my_peerid = "undef";
$my_vpn_ip = "";
$my_vpn_netmask = "255.255.255.255";
$my_vpn_ip6 = "";
$my_password = ""; # unused
$my_ip = ""; # unused for now
$my_external_ip = ""; # unused
@exclude = (); # links zu gewissen peer-ids nicht aufbauen
# ============================================================================
# you should'nt need to change anything below,
# at least not for linux and chaosvpn
$networkname = "chaos";
$tincd_bin = "/usr/sbin/tincd";
$ip_bin = "/sbin/ip";
$ifconfig = "/sbin/ifconfig \$INTERFACE $my_vpn_ip netmask $my_vpn_netmask";
$ifconfig6 = "$ip_bin addr add $my_vpn_ip6/128 dev \$INTERFACE";
$master_url = "https://www.vpn.hamburg.ccc.de/tinc-chaosvpn.txt";
$base = "/etc/tinc/$networkname";
$pidfile = "/var/run/tinc.$networkname.pid";
$tincd_debuglevel = 3;
# config einlesen
require $config;
if (!-e "/dev/net/tun") {
warn "/dev/net/tun missing - creating it";
system("mkdir", "-p", "/dev/net") && die;
system("mknod", "-m", "0600", "/dev/net/tun", "c", "10", "200") && die;
}
my $answer = call_out_to_server();
my $peers;
if ($answer) {
#print $answer;
$peers = parse_server_answer($answer);
#print Dumper($peers);
} else {
#die "we lost";
}
if ($peers) {
# wir haben eine neue config bekommen
eval {
create_config($peers);
};
if ($@) {
warn $@;
}
}
# alten daemon beenden
if (-e $pidfile) {
# get pid
open(PIDFILE, "<$pidfile") || die "read error on pidfile $pidfile\n";
my $pid = <PIDFILE>;
chomp $pid;
close(PIDFILE);
if (($pid =~ /^\d+$/) && (kill(0, $pid))) {
# prozess existiert, abschiessen
kill "TERM", $pid;
my $c;
for ($c = 0; $c < 20; $c++) {
# wir wollen nicht laenger als unbedingt
# noetig warten, aber max 2sek
select(undef, undef, undef, 0.1); # sleep 100ms
last unless kill(0, $pid);
}
if ($c >= 20) {
# existiert noch immer, do it the hard way
# ist noetig wenn der tincd vorher probleme mit
# seiner config hatte, dann reicht ein SIGTERM
# nicht aus
kill "KILL", $pid;
select(undef, undef, undef, 0.1); # sleep 100ms
}
if (kill(0, $pid)) {
# immer noch? da iss was fischig
die "can't kill old tincd with pid $pid\n";
}
}
} else {
# try it the old fashioned way, may not work
system($tincd_bin, "-n", $networkname, "-k") || sleep 1;
}
# neuen daemon starten
system($tincd_bin, "-n", $networkname, "--debug", $tincd_debuglevel) && die;
exit(0);
sub call_out_to_server
{
my $ua = new LWP::UserAgent;
$ua->agent("ChaosVPNclient/0.1");
my $params = "id=" . CGI::escape($my_peerid) .
"&password=" . CGI::escape($my_password) .
"&ip=" . CGI::escape($my_ip);
#my $req = HTTP::Request->new(POST => $master_url);
#$req->content_type("application/x-www-form-urlencoded");
#$req->content($params);
# testmode:
my $req = HTTP::Request->new(GET => "$master_url?$params");
my $res = $ua->request($req);
if ($res->is_success) {
my $answer = $res->content;
return $answer;
} else {
#print Dumper($res);
warn "Warning: " . $res->status_line() . "\n";
return undef;
}
}
sub parse_server_answer($)
{
my ($answer) = @_;
my $peers = {};
my $current_peer = undef;
my $peer = {};
my $in_key = 0;
foreach (split(/\n/, $answer)) {
#print "debug: $_\n";
s/\#.*$//;
if (/^\s*\[(.*?)\]\s*$/) {
if ($current_peer) {
$peers->{$current_peer} = $peer;
}
$peer = {
"use-tcp-only" => 0,
"hidden" => 0,
"silent" => 0,
"port" => 655,
};
$current_peer = $1;
$current_peer = undef unless ($current_peer =~ /^[a-z0-9]+$/);
$in_key = 0;
} elsif ($current_peer) {
if ($in_key) {
$peer->{pubkey} .= $_;
$peer->{pubkey} .= "\n";
$in_key = 0
if (/^-----END RSA PUBLIC KEY-----/);
} elsif (/^\s*gatewayhost=(.*)$\s*/i) {
$peer->{gatewayhost} = $1;
} elsif (/^\s*owner=(.*)$\s*/i) {
$peer->{owner} = $1;
} elsif (/^\s*use-tcp-only=(.*)$\s*/i) {
$peer->{"use-tcp-only"} = $1;
} elsif (/^\s*network=(.*)\s*$/i) {
push @{$peer->{networks}}, $1;
} elsif (/^\s*network6=(.*)\s*$/i) {
push @{$peer->{networks6}}, $1;
} elsif (/^\s*hidden=(.*)\s*$/i) {
$peer->{hidden} = $1;
} elsif (/^\s*silent=(.*)\s*$/i) {
$peer->{silent} = $1;
} elsif (/^\s*port=(.*)\s*$/i) {
$peer->{port} = $1;
} elsif (/^-----BEGIN RSA PUBLIC KEY-----/) {
$in_key = 1;
$peer->{pubkey} = $_ . "\n";
}
} elsif (/^\s*$/ || /^\s*\#/) {
# ignore empty lines or comments
} else {
warn "unknown line: $_\n";
}
}
# den letzten, noch offenen, peer auch in der struktur verankern
if ($current_peer) {
$peers->{$current_peer} = $peer;
}
return $peers;
}
sub create_config($)
{
my ($peers) = @_;
if (!-e "$base.first") {
system("cp", "-r", "$base", "$base.first") && die;
}
if (-e "$base.new") {
system("rm", "-r", "$base.new") && die;
}
if (-e "$base.old") {
system("rm", "-r", "$base.old") && die;
}
system("mkdir", "-p", "$base.new") && die;
system("mkdir", "-p", "$base.new/hosts") && die;
system("cp", "$base/rsa_key.priv", "$base.new/rsa_key.priv") && die;
chmod(0600, "$base.new/rsa_key.priv") || die;
system("cp", "$base/rsa_key.pub", "$base.new/rsa_key.pub") && die;
chmod(0600, "$base.new/rsa_key.pub") || die;
# base config file erzeugen
open(MAIN, ">$base.new/tinc.conf") || die "create tinc.conf failed";
print MAIN "AddressFamily=ipv4\n";
print MAIN "Device=/dev/net/tun\n";
print MAIN "Interface=${networkname}_vpn\n";
print MAIN "Mode=router\n";
print MAIN "Name=$my_peerid\n";
print MAIN "Hostnames=yes\n"; # unsure about this
open(UP, ">$base.new/tinc-up") || die "create tinc-up failed";
print UP "#!/bin/sh\n";
print UP $ifconfig, "\n" if ($my_vpn_ip);
print UP $ifconfig6, "\n" if ($my_vpn_ip6);
PEERS: foreach my $id (keys %$peers) {
my $peer = $peers->{$id};
foreach (@exclude) {
if ($id eq $_) {
print "peer: $id -- excluded\n";
next PEERS;
}
}
print "peer: $id\n", Dumper($peer);
open(PEER, ">$base.new/hosts/$id") || die "create hosts/$id failed";
print PEER "Address=$peer->{gatewayhost}\n"
if ($peer->{gatewayhost});
print PEER "Cipher=blowfish\n";
print PEER "Compression=0\n";
print PEER "Digest=sha1\n";
print PEER "IndirectData=yes\n";
print PEER "Port=$peer->{port}\n";
if ($my_vpn_ip) {
foreach (@{$peer->{networks}}) {
print PEER "Subnet=$_\n";
print UP "$ip_bin -4 route add $_ dev \$INTERFACE\n"
if ($id ne $my_peerid);
}
}
if ($my_vpn_ip6) {
foreach (@{$peer->{networks6}}) {
print PEER "Subnet=$_\n";
print UP "$ip_bin -6 route add $_ dev \$INTERFACE\n"
if ($id ne $my_peerid);
}
}
print PEER "TCPonly=", ($peer->{"use-tcp-only"} ? "yes" : "no");
print PEER "\n";
print PEER $peer->{pubkey}, "\n";
close(PEER) || die "write error hosts/$id";
if ($id ne $my_peerid) {
# den rest nur fuer die anderen hosts
if ($peer->{gatewayhost} && !$peers->{hidden} && !$peers->{$my_peerid}->{silent}) {
print MAIN "ConnectTo=$id\n";
}
if (-e "$base/hosts/$id-up") {
system("cp", "$base/hosts/$id-up", "$base.new/hosts/$id-up") && die;
}
if (-e "$base/hosts/$id-down") {
system("cp", "$base/hosts/$id-down", "$base.new/hosts/$id-down") && die;
}
}
}
close(MAIN) || die "write error tinc.conf";
close(UP) || die "write error tinc-up";
system("chmod", "0700", "$base.new/tinc-up") && die;
system("mv", "$base", "$base.old") && die;
system("mv", "$base.new", "$base") && die;
return 1;
}

419
noc/scripts/network-foo Executable file
View file

@ -0,0 +1,419 @@
#!/bin/bash
IN_RATE="4900"
OUT_RATE="460"
wlan="vlan24"
kabel="bond0"
manage="vlan42"
pppoe="vlan22"
outside="ppp0"
freifunk="vlan23"
imq_in="imq0"
#imq_out="imq1"
imq_out="ppp0"
#IPTABLES="/usr/sbin/iptables"
#IP6TABLES="/usr/sbin/ip6tables"
IPTABLES="my_iptables"
IP6TABLES="my_ip6tables"
IP="/sbin/ip"
#TC="/sbin/tc"
TC="my_tc"
modules="ip_conntrack ip6_conntrack ip_nat_ftp ip_nat_irc ip_nat_tftp"
# helper functions
my_iptables() {
#echo "iptables $@"
/usr/sbin/iptables "$@" || echo "failed: iptables $@"
}
my_ip6tables() {
#echo "ip6tables $@"
/usr/sbin/ip6tables "$@" || echo "failed: ip6tables $@"
}
my_tc() {
/sbin/tc "$@" || echo "failed: tc $@"
}
DROP() {
local chain="$1"
shift
$IPTABLES -A "$chain" $@ -m limit --limit 3/s -j LOG --log-prefix "$chain "
$IPTABLES -A "$chain" $@ -j DROP
}
ACCEPT() {
local chain="$1"
shift
$IPTABLES -A "$chain" $@ -j ACCEPT
}
RETURN() {
local chain="$1"
shift
$IPTABLES -A "$chain" $@ -j RETURN
}
DROP6() {
local chain="$1"
shift
$IP6TABLES -A "$chain" $@ -j LOG --log-prefix "$chain "
$IP6TABLES -A "$chain" $@ -j DROP
}
ACCEPT6() {
local chain="$1"
shift
$IP6TABLES -A "$chain" $@ -j ACCEPT
}
RETURN6() {
local chain="$1"
shift
$IP6TABLES -A "$chain" $@ -j RETURN
}
# chaos-vpn restart first
echo "reload chaosvpn"
/usr/local/bin/chaosvpn-client.pl
# flush it
echo "play with iptables"
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IP6TABLES -t mangle -F
$IP6TABLES -t filter -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -t filter -X
$IP6TABLES -t mangle -X
$IP6TABLES -t filter -X
# load modules
for m in $modules ; do
modprobe "$m"
done
# sysctls
echo 65535 >/proc/sys/net/ipv4/ip_conntrack_max
echo 1 >/proc/sys/net/ipv4/ip_forward
# generic imq init
/sbin/modprobe imq
$IP link set $imq_in up
$IP link set $imq_out up
# anti spoof ipv4
$IPTABLES -N antispoof
RETURN antispoof -i $freifunk -s 172.16.1.100/32 # do not look ,)
RETURN antispoof -i lo
RETURN antispoof -i ppp0
RETURN antispoof -i chaos_vpn
RETURN antispoof -i tap0
RETURN antispoof -s 0.0.0.0/32
RETURN antispoof -i bond0 -s 172.16.0.0/22
RETURN antispoof -i vlan22 -s 192.168.178.0/24
RETURN antispoof -i vlan23 -s 10.0.0.0/8
RETURN antispoof -i vlan24 -s 172.16.4.0/22
RETURN antispoof -i vlan25 -s 172.16.25.0/24
RETURN antispoof -i vlan42 -s 172.16.42.0/24
DROP antispoof
# anti spoof ipv6
$IP6TABLES -N antispoof6
RETURN6 antispoof6 -s ::/128
RETURN6 antispoof6 -i lo
RETURN6 antispoof6 -i ppp0
RETURN6 antispoof6 -i chaos_vpn
RETURN6 antispoof6 -i tap0
RETURN6 antispoof6 -i bond0 -s 2001:748:306::/64
RETURN6 antispoof6 -i vlan22 -s 2001:748:306:22::/64
RETURN6 antispoof6 -i vlan23 -s 2001:748:306:23::/64
RETURN6 antispoof6 -i vlan24 -s 2001:748:306:24::/64
RETURN6 antispoof6 -i vlan25 -s 2001:748:306:25::/64
RETURN6 antispoof6 -i vlan42 -s 2001:748:306:42::/64
RETURN6 antispoof6 -s fe80::/16
DROP6 antispoof6
# router direct filtering ipv4
$IPTABLES -A INPUT -j antispoof
ACCEPT INPUT -i lo
$IPTABLES -A INPUT -i $outside -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --dport 135:139 -j DROP
$IPTABLES -A INPUT -p udp --dport 135:139 -j DROP
ACCEPT INPUT -m state --state ESTABLISHED,RELATED
ACCEPT INPUT -p udp --dport 53
ACCEPT INPUT -p tcp --dport 53
ACCEPT INPUT -p udp --dport 67:68
ACCEPT INPUT -p tcp --dport 80
ACCEPT INPUT -p tcp --dport 2121
#ACCEPT INPUT -p tcp --dport 40000:40999
#ACCEPT INPUT -p tcp --dport 41000:41999
ACCEPT INPUT -p tcp --dport 3128
ACCEPT INPUT -p udp --dport 123
ACCEPT INPUT -p tcp --dport 22 -i $manage
ACCEPT INPUT -p udp --dport 161 -i $manage
ACCEPT INPUT -p icmp --icmp-type echo-request
ACCEPT INPUT -p udp -i $freifunk --dport 698 # olsr
ACCEPT INPUT -p udp -i $wlan --dport 698 # olsr
ACCEPT INPUT -p udp -i $kabel --dport 698 # olsr
ACCEPT INPUT -p udp --dport 5198:5199
$IPTABLES -A INPUT -p udp --dport 192 -j DROP # we don't want to see this junk
$IPTABLES -A INPUT -p udp --dport 1900 -j DROP # we don't want to see this junk
$IPTABLES -A INPUT -i $outside -j DROP
DROP INPUT
# router direct filtering ipv6
$IP6TABLES -A INPUT -j antispoof6
ACCEPT6 INPUT -i lo
$IP6TABLES -A INPUT -i $outside -m state --state NEW -j DROP
$IP6TABLES -A INPUT -p tcp --dport 135:139 -j DROP
$IP6TABLES -A INPUT -p udp --dport 135:139 -j DROP
ACCEPT6 INPUT -m state --state ESTABLISHED,RELATED
ACCEPT6 INPUT -s 0/0 -d ff02::/16
ACCEPT6 INPUT -p udp --dport 53
ACCEPT6 INPUT -p tcp --dport 53
ACCEPT6 INPUT -p udp --dport 67:68
ACCEPT6 INPUT -p tcp --dport 80
ACCEPT6 INPUT -p tcp --dport 2121
ACCEPT6 INPUT -p tcp --dport 3128
ACCEPT6 INPUT -p udp --dport 123
ACCEPT6 INPUT -p tcp --dport 22 -i $manage
ACCEPT6 INPUT -p tcp --dport 22 -s 2001:6F8:975::/48
ACCEPT6 INPUT -p tcp --dport 22 -s 2001:6F8:94B::/48
ACCEPT6 INPUT -p tcp --dport 22 -s 2001:6f8:900:0049::2/128
ACCEPT6 INPUT -p udp --dport 161 -i $manage
ACCEPT6 INPUT -p icmpv6
ACCEPT6 INPUT -p udp -i $freifunk --dport 698 # olsr
ACCEPT6 INPUT -p udp -i $wlan --dport 698 # olsr
ACCEPT6 INPUT -p udp -i $kabel --dport 698 # olsr
$IP6TABLES -A INPUT -p udp --dport 192 -j DROP
$IP6TABLES -A INPUT -p udp --dport 1900 -j DROP
$IP6TABLES -A INPUT -i $outside -j DROP
DROP6 INPUT
# router output ipv4
ACCEPT OUTPUT -o lo
ACCEPT OUTPUT -p udp --dport 67:68
ACCEPT OUTPUT -p udp --sport 53
ACCEPT OUTPUT -p tcp --sport 53
ACCEPT OUTPUT -m state --state NEW,ESTABLISHED,RELATED
DROP OUTPUT
# router output ipv6
ACCEPT6 OUTPUT -o lo
ACCEPT6 OUTPUT -s fe80::/16
ACCEPT6 OUTPUT -d ff02::/16
ACCEPT6 OUTPUT -p udp --dport 67:68
ACCEPT6 OUTPUT -p udp --sport 53
ACCEPT6 OUTPUT -p tcp --sport 53
ACCEPT6 OUTPUT -p icmpv6
ACCEPT6 OUTPUT -m state --state NEW,ESTABLISHED,RELATED
DROP6 OUTPUT
# p2pblock
$IPTABLES -N p2pblock
DROP p2pblock -m mark --mark 2342
# - no drop, we use shaping now
#DROP p2pblock -p tcp --dport 5025
#DROP p2pblock -p tcp --dport 6346
#DROP p2pblock -p tcp --dport 6347
#DROP p2pblock -p udp --dport 6346
#DROP p2pblock -p udp --dport 6347
#DROP p2pblock -p tcp --dport 4660:4669
#DROP p2pblock -p udp --dport 4660:4669
#DROP p2pblock -p tcp --sport 4660:4669
#DROP p2pblock -p udp --sport 4660:4669
#DROP p2pblock -p tcp --dport 1214
#DROP p2pblock -p udp --dport 1214
#DROP p2pblock -p tcp --sport 1214
#DROP p2pblock -p udp --sport 1214
#DROP p2pblock -p tcp --dport 1234
#DROP p2pblock -p tcp --dport 5498
#DROP p2pblock -p tcp --dport 5499
#DROP p2pblock -p tcp --dport 5500
#DROP p2pblock -p tcp --dport 5501
#DROP p2pblock -p tcp --dport 6699
DROP p2pblock -d 64.245.58.0/24
DROP p2pblock -d 64.245.59.0/24
DROP p2pblock -d 216.35.208.0/24
DROP p2pblock -d 209.25.178.0/24
DROP p2pblock -d 209.61.186.0/24
DROP p2pblock -d 64.49.201.0/24
RETURN p2pblock
# forwarding ipv4
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A FORWARD -j antispoof
$IPTABLES -A FORWARD -i $outside -j p2pblock
$IPTABLES -A FORWARD -o $outside -j p2pblock
ACCEPT FORWARD -o $manage -d 172.16.42.3/32 -p tcp --dport 80 -m state --state NEW
DROP FORWARD -o $manage -m state --state NEW
ACCEPT FORWARD -i $manage -o $pppoe -m state --state NEW
DROP FORWARD -o $pppoe -m state --state NEW
ACCEPT FORWARD
# forwarding ipv6
$IP6TABLES -A FORWARD -j antispoof6
ACCEPT6 FORWARD -o $manage -d 2001:748:306:42::2/128 -p tcp --dport 80 -m state --state NEW
DROP6 FORWARD -o $manage -m state --state NEW
ACCEPT6 FORWARD -i $manage -o $pppoe -m state --state NEW
DROP6 FORWARD -o $pppoe -m state --state NEW
ACCEPT6 FORWARD
# enable nat
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 172.16.0.0/12 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 10.0.0.0/8 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.0.0/8 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d 127.0.0.0/8 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $wlan -p tcp --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -i $kabel -p tcp --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -i $freifunk -p tcp --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -i $wlan -p tcp --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -i $manage -p tcp --dport 80 -j REDIRECT --to-port 80
$IPTABLES -t nat -A PREROUTING -i $outside -p udp --dport 5198:5199 -j DNAT --to-destination 172.16.25.99
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -d 172.16.0.0/12 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -d 10.0.0.0/8 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -d 192.168.0.0/8 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -d 127.0.0.0/8 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $wlan -p tcp --dport 21 -j REDIRECT --to-port 2121
#$IPTABLES -t nat -A PREROUTING -i $kabel -p tcp --dport 21 -j REDIRECT --to-port 2121
#$IPTABLES -t nat -A PREROUTING -i $freifunk -p tcp --dport 21 -j REDIRECT --to-port 2121
#$IPTABLES -t nat -A PREROUTING -i $wlan -p tcp --dport 21 -j REDIRECT --to-port 2121
#$IPTABLES -t nat -A PREROUTING -i $manage -p tcp --dport 21 -j REDIRECT --to-port 2121
$IPTABLES -t nat -A POSTROUTING -o $outside -j MASQUERADE
# marks for p2p
$IPTABLES -t mangle -N p2pblock
$IPTABLES -t mangle -A p2pblock -m mark --mark 2342 -j RETURN # already classified as p2p
$IPTABLES -t mangle -A p2pblock -m ipp2p --ipp2p -j MARK --set-mark 2342
$IPTABLES -t mangle -A p2pblock -o $outside -p tcp --dport 6881 -j MARK --set-mark 2342
$IPTABLES -t mangle -A p2pblock -i $outside -p tcp --sport 6881 -j MARK --set-mark 2342
$IPTABLES -t mangle -A p2pblock -j RETURN
# set marks for shaping
# generic rules first, specific later
$IPTABLES -t mangle -N shaping
#$IPTABLES -t mangle -A shaping -m mark \! --mark 0 -j RETURN # already classified
$IPTABLES -t mangle -A shaping -m mark --mark 2342 -j RETURN # already classified
$IPTABLES -t mangle -A shaping -s 194.97.108.53/32 -j MARK --set-mark 15
$IPTABLES -t mangle -A shaping -s 194.97.108.53/32 -j RETURN
$IPTABLES -t mangle -A shaping -d 194.97.108.53/32 -j MARK --set-mark 15
$IPTABLES -t mangle -A shaping -d 194.97.108.53/32 -j RETURN
#icmp
$IPTABLES -t mangle -A shaping -p icmp -j MARK --set-mark 12
$IPTABLES -t mangle -A shaping -p icmp --icmp-type echo-request -j MARK --set-mark 13
$IPTABLES -t mangle -A shaping -p icmp --icmp-type echo-reply -j MARK --set-mark 13
$IPTABLES -t mangle -A shaping -p icmp -j RETURN # icmp done
# tcp
$IPTABLES -t mangle -A shaping -p tcp -j MARK --set-mark 10
$IPTABLES -t mangle -A shaping -p tcp --dport 6667:6669 -j MARK --set-mark 14 # normal 14
$IPTABLES -t mangle -A shaping -p tcp --sport 6667:6669 -j MARK --set-mark 14 # normal 14
for m in 21 22 53 80 119 443 ; do
$IPTABLES -t mangle -A shaping -p tcp --dport $m -j MARK --set-mark $m
$IPTABLES -t mangle -A shaping -p tcp --sport $m -j MARK --set-mark $m
done
$IPTABLES -t mangle -A shaping -p tcp -m helper --helper ftp -j MARK --set-mark 21
$IPTABLES -t mangle -A shaping -p tcp -m length --length 1:150 -j MARK --set-mark 16
$IPTABLES -t mangle -A shaping -p tcp --dport 22 -m tos --tos Minimize-Delay -m length --length 0:256 -j MARK --set-mark 14
$IPTABLES -t mangle -A shaping -p tcp --sport 22 -m tos --tos Minimize-Delay -m length --length 0:256 -j MARK --set-mark 14
$IPTABLES -t mangle -A shaping -p tcp -j RETURN
# misc protocols
$IPTABLES -t mangle -A shaping -p 47 -j MARK --set-mark 11 # gre / pptp
$IPTABLES -t mangle -A shaping -p 50 -j MARK --set-mark 11 # ipsec esp
$IPTABLES -t mangle -A shaping -p 51 -j MARK --set-mark 11 # ipsec ah
# udp
$IPTABLES -t mangle -A shaping -p udp -j MARK --set-mark 11
for m in 53 ; do
$IPTABLES -t mangle -A shaping -p udp --dport $m -j MARK --set-mark $m
$IPTABLES -t mangle -A shaping -p udp --sport $m -j MARK --set-mark $m
done
$IPTABLES -t mangle -A shaping -p udp -j RETURN
# leftovers
$IPTABLES -t mangle -A shaping -j MARK --set-mark 42
$IPTABLES -t mangle -A shaping -j RETURN
# generic mangle
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPTABLES -t mangle -A PREROUTING -j p2pblock
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -i $outside -j IMQ --todev 0
$IPTABLES -t mangle -A FORWARD -j CONNMARK --restore-mark
$IPTABLES -t mangle -A FORWARD -i $outside -j shaping
$IPTABLES -t mangle -A FORWARD -o $outside -j shaping
$IPTABLES -t mangle -A FORWARD -j CONNMARK --save-mark
$IPTABLES -t mangle -A INPUT -j CONNMARK --restore-mark
$IPTABLES -t mangle -A INPUT -i $outside -j shaping
$IPTABLES -t mangle -A INPUT -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
$IPTABLES -t mangle -A OUTPUT -o $outside -j shaping
$IPTABLES -t mangle -A OUTPUT -j CONNMARK --save-mark
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --restore-mark
#$IPTABLES -t mangle -A POSTROUTING -o $outside -j IMQ --todev 1
# INPUT SHAPING QUEUES
$TC qdisc del dev $imq_in root
$TC qdisc add dev $imq_in root handle 1: htb default 42
$TC class add dev $imq_in parent 1: classid 1:1 htb rate "${IN_RATE}Kbit" quantum 1500
$TC class add dev $imq_in parent 1:1 classid 1:42 htb rate 64kbit ceil 256kbit quantum 1500 prio 6
$TC class add dev $imq_in parent 1:1 classid 1:2342 htb rate 8kbit ceil 8kbit quantum 1500 prio 20
$TC class add dev $imq_in parent 1:1 classid 1:10 htb rate 500kbit ceil 2000kbit quantum 1500 prio 6
$TC class add dev $imq_in parent 1:1 classid 1:11 htb rate 500kbit ceil 2000kbit quantum 1500 prio 6
$TC class add dev $imq_in parent 1:1 classid 1:12 htb rate 32kbit ceil 128kbit quantum 1500 prio 5
$TC class add dev $imq_in parent 1:1 classid 1:13 htb rate 32kbit ceil 128kbit quantum 1500 prio 4
$TC class add dev $imq_in parent 1:1 classid 1:14 htb rate 512kbit ceil 4000kbit quantum 1500 prio 3
$TC class add dev $imq_in parent 1:1 classid 1:15 htb rate 1024kbit ceil 4000kbit quantum 1500 prio 3
$TC class add dev $imq_in parent 1:1 classid 1:16 htb rate 512kbit ceil 4000kbit quantum 1500 prio 4
$TC class add dev $imq_in parent 1:1 classid 1:21 htb rate 512kbit ceil 4000kbit quantum 1500 prio 7
$TC class add dev $imq_in parent 1:1 classid 1:22 htb rate 512kbit ceil 4000kbit quantum 1500 prio 5
$TC class add dev $imq_in parent 1:1 classid 1:53 htb rate 64kbit ceil 512kbit quantum 1500 prio 0
$TC class add dev $imq_in parent 1:1 classid 1:80 htb rate 1000kbit ceil 4000kbit quantum 1500 prio 6
$TC class add dev $imq_in parent 1:1 classid 1:119 htb rate 32kbit ceil 64kbit quantum 1500 prio 20
$TC class add dev $imq_in parent 1:1 classid 1:443 htb rate 1000kbit ceil 4000kbit quantum 1500 prio 5
for c in 42 2342 10 11 12 13 14 15 16 21 22 53 80 119 443 ; do
# sfq fuer alle
$TC qdisc add dev $imq_in parent 1:$c handle $c: sfq perturb 10
# filter by fwmark
$TC filter add dev $imq_in parent 1:0 prio 0 protocol ip handle $c fw flowid 1:$c
done
# OUTPUT SHAPING QUEUES
$TC qdisc del dev $imq_out root
$TC qdisc add dev $imq_out root handle 1: htb default 42
$TC class add dev $imq_out parent 1: classid 1:1 htb rate "${OUT_RATE}Kbit" #quantum 1500
$TC class add dev $imq_out parent 1:1 classid 1:42 htb rate 6kbit ceil 64kbit #quantum 1500 prio 6
$TC class add dev $imq_out parent 1:1 classid 1:2342 htb rate 1kbit ceil 1kbit #quantum 1500 prio 20
$TC class add dev $imq_out parent 1:1 classid 1:10 htb rate 50kbit ceil 200kbit #quantum 1500 prio 6
$TC class add dev $imq_out parent 1:1 classid 1:11 htb rate 50kbit ceil 200kbit #quantum 1500 prio 6
$TC class add dev $imq_out parent 1:1 classid 1:12 htb rate 32kbit ceil 128kbit #quantum 1500 prio 5
$TC class add dev $imq_out parent 1:1 classid 1:13 htb rate 32kbit ceil 128kbit #quantum 1500 prio 3
$TC class add dev $imq_out parent 1:1 classid 1:14 htb rate 76kbit ceil 300kbit #quantum 1500 prio 4
$TC class add dev $imq_out parent 1:1 classid 1:15 htb rate 76kbit ceil 300kbit #quantum 1500 prio 4
$TC class add dev $imq_out parent 1:1 classid 1:16 htb rate 76kbit ceil 300kbit #quantum 1500 prio 4
$TC class add dev $imq_out parent 1:1 classid 1:21 htb rate 76kbit ceil 300kbit #quantum 1500 prio 7
$TC class add dev $imq_out parent 1:1 classid 1:22 htb rate 32kbit ceil 300kbit #quantum 1500 prio 5
$TC class add dev $imq_out parent 1:1 classid 1:53 htb rate 64kbit ceil 52kbit #quantum 1500 prio 0
$TC class add dev $imq_out parent 1:1 classid 1:80 htb rate 64kbit ceil 300kbit #quantum 1500 prio 6
$TC class add dev $imq_out parent 1:1 classid 1:119 htb rate 32kbit ceil 64kbit #quantum 1500 prio 20
$TC class add dev $imq_out parent 1:1 classid 1:443 htb rate 10kbit ceil 300kbit #quantum 1500 prio 5
for c in 42 2342 10 11 12 13 14 15 16 21 22 53 80 119 443 ; do
# sfq fuer alle
$TC qdisc add dev $imq_out parent 1:$c handle $c: sfq perturb 10
# filter by fwmark
$TC filter add dev $imq_out parent 1:0 prio 0 protocol ip handle $c fw flowid 1:$c
done
echo "switching pppd to realtime..."
/usr/bin/chrt --rr -p 99 `cat /var/run/ppp0.pid`
echo "done."
echo "switching pppoe to realtime..."
/usr/bin/chrt --rr -p 99 `ps auxw| grep pppoe | awk '{print $2}'|head -n 1`
echo "done."
#echo "starting Wondershaper..."
#/etc/init.d/wshaper
#echo "done starting Wondershaper..:"
# KILL WONDERSHAPER LEFTOVERS
#$TC qdisc del dev $outside root >/dev/null 2>&1
$TC qdisc del dev imq1 root >/dev/null 2>&1
exit 0