QoS: commentaire sur les règles pour mangle
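#!/bin/sh
#
# Ingress QoS for the BACGL network.
#
# Traffic arriving on IF_INTERNET and destined to NET_BACGL is redirected to
# the ifb0 device, where an HTB tree shapes it.  Leaf classes are selected
# either by source address (u32 filters) or by firewall mark (fw filters);
# the marks are set by "iptables -t mangle" rules on the firewall (see the
# example at the end of this file).
#
# Requirements: root, the ifb kernel module, iproute2 (ip, tc).
# Every "tc ... add" below fails with "File exists" when the script is run a
# second time: delete the ifb0 root qdisc and the ingress qdisc first.

IF_INTERNET=eth0.2
NET_BACGL=195.24.196.112/28
NET_DMZ_Priv=192.168.10.0/24
NET_DMZ_Partenaire_Priv=192.168.11.0/24
IP_VISIO_Dir=195.24.196.124
IP_VISIO_Reu=195.24.196.125
IP_VISIO_Form=195.24.196.126
IP_Pub_SOGo=195.24.196.116
IP_Pub_VOIP=195.24.196.117

modprobe ifb numifbs=1

ip link set dev ifb0 up

tc qdisc add dev "$IF_INTERNET" ingress

# IPv6 version ??  (NET6_BACGL is not defined anywhere in this file)
#tc filter add dev $IF_INTERNET parent ffff: protocol ip prio 1 u32 \
# match ip6 dst $NET6_BACGL \
# flowid 1:1 action mirred egress redirect dev ifb0

# Redirect everything addressed to the BACGL network onto ifb0 for shaping.
tc filter add dev "$IF_INTERNET" parent ffff: protocol ip prio 1 u32 \
  match ip dst "$NET_BACGL" \
  flowid 1:1 action mirred egress redirect dev ifb0

printf '%s\n' "Création de classes"
printf '%s\n' "Création de la racine"

# Unclassified traffic goes to 1:190 ("the rest", defined below).
tc qdisc add dev ifb0 root handle 1: htb default 190

# First child class: aggregates all the traffic.
tc class add dev ifb0 parent 1: classid 1:1 htb rate 9882kbit ceil 10000kbit

# Child classes.
# VOIP class
tc class add dev ifb0 parent 1:1 classid 1:11 htb rate 128kbit \
  ceil 256kbit prio 1

# Video-conferencing group
tc class add dev ifb0 parent 1:1 classid 1:12 htb rate 3000kbit \
  ceil 3500kbit prio 3

# DMZ Pub group
tc class add dev ifb0 parent 1:1 classid 1:13 htb rate 150kbit \
  ceil 1000kbit prio 2

# DMZ Priv group
tc class add dev ifb0 parent 1:1 classid 1:14 htb rate 1000kbit \
  ceil 2000kbit prio 2

# DMZ Partenaire Priv group
tc class add dev ifb0 parent 1:1 classid 1:15 htb rate 100kbit \
  ceil 512kbit prio 4

# DMZ Partenaire Pub group
tc class add dev ifb0 parent 1:1 classid 1:16 htb rate 100kbit \
  ceil 512kbit prio 4

# RIPE probe
# NOTE(review): classid 1:16 is already taken by "DMZ Partenaire Pub" just
# above, so this second add fails with "File exists" and the probe shares the
# partner class.  Give the probe its own free classid and update the
# "handle 35 fw" filter below to match -- TODO confirm the intended id.
tc class add dev ifb0 parent 1:1 classid 1:16 htb rate 100kbit \
  ceil 512kbit prio 1

# PC group
tc class add dev ifb0 parent 1:1 classid 1:20 htb rate 5304kbit \
  ceil 9000kbit prio 4

# Inside the PC group we have the following sub-classes.
# teachers' group
tc class add dev ifb0 parent 1:20 classid 1:132 htb rate 768kbit \
  ceil 1500kbit prio 4

# foad group
tc class add dev ifb0 parent 1:20 classid 1:133 htb rate 768kbit \
  ceil 1500kbit prio 3

# cai group
tc class add dev ifb0 parent 1:20 classid 1:131 htb rate 1000kbit \
  ceil 4000kbit prio 3

# training group
tc class add dev ifb0 parent 1:20 classid 1:130 htb rate 1000kbit \
  ceil 5000kbit prio 2

# roaming group
tc class add dev ifb0 parent 1:20 classid 1:125 htb rate 768kbit \
  ceil 3500kbit prio 4

# staff group
tc class add dev ifb0 parent 1:20 classid 1:120 htb rate 100kbit \
  ceil 256kbit prio 1

# the rest
# NOTE(review): this is the HTB default class, yet it hangs under 1:14
# (DMZ Priv) rather than 1:1 or 1:20, so unclassified traffic borrows from
# the DMZ Priv budget -- confirm that this is intended.
tc class add dev ifb0 parent 1:14 classid 1:190 htb rate 10kbit \
  ceil 64kbit prio 5


# One SFQ scheduler per leaf class.
# The ids are listed explicitly: brace expansion ({130..133}) is a bash
# feature that /bin/sh does not provide, and the loop needs ";" before "do".
for id in 120 130 131 132 133 190; do
  tc qdisc add dev ifb0 parent "1:$id" handle "$id:" sfq perturb 10
done
#tc qdisc add dev ifb0 parent 1:11 handle 11: sfq perturb 10
#tc qdisc add dev ifb0 parent 1:12 handle 12: sfq perturb 10

# Filters
# VOIP: UDP port 4569, in either direction.
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip protocol 17 0xff \
  match ip sport 4569 0xffff flowid 1:11

tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip protocol 17 0xff \
  match ip dport 4569 0xffff flowid 1:11

# Video-conferencing
# put the IPvisio/28 mask
# NOTE(review): with a /28 mask each of these addresses matches the whole
# 195.24.196.112/28 block, i.e. every NET_BACGL address including
# IP_Pub_SOGo and IP_Pub_VOIP.  The DMZ Pub filters below use the same prio,
# so they may never see a packet -- confirm whether /32 was intended here.
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$IP_VISIO_Dir/28" flowid 1:12
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$IP_VISIO_Reu/28" flowid 1:12
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$IP_VISIO_Form/28" flowid 1:12

# DMZ-specific filters
# DMZ Pub
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$IP_Pub_SOGo/28" flowid 1:13

tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$IP_Pub_VOIP/28" flowid 1:13

# DMZ Priv  ("u32" was missing: tc rejects "match" without a classifier)
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$NET_DMZ_Priv" flowid 1:14

# DMZ partner priv
tc filter add dev ifb0 protocol ip parent 1:0 prio 1 u32 \
  match ip src "$NET_DMZ_Partenaire_Priv" flowid 1:15

# DMZ partner pub .. is it really worth it?

# Mark-based filters.  "dev" was missing from every "tc filter add" below.
# NOTE(review): tc reads the fw handle with base-0 parsing, so "handle 35"
# means decimal 35, whereas the iptables example at the end of this file sets
# 0x35 (decimal 53).  Both sides must use the same value/notation for the
# marks to match -- confirm which one is deployed on the firewall.
# RIPE probe
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 35 fw flowid 1:16

# teachers' room
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 32 fw flowid 1:132

# foad room
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 33 fw flowid 1:133

# cai room
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 31 fw flowid 1:131

# training room
# NOTE(review): this duplicates the "AUF staff network" filter below
# (handle 20 -> 1:120); the training class defined above is 1:130 -- verify
# the intended mark and flowid.
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 20 fw flowid 1:120

# roaming network
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 25 fw flowid 1:125

# AUF staff network
tc filter add dev ifb0 protocol ip parent 1: prio 1 handle 20 fw flowid 1:120

# the rest ... well, by default everything else goes to class 1:190

# The iptables rules to install on the firewall (fw):
# an example with the probe
# iptables -t mangle -A PREROUTING -s 192.168.35.0/24 -j MARK --set-mark 0x35
#iptables -t mangle -A PREROUTING -s 192.168.35.0/24 -j RETURN
#
# and so on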