problems with bridge and ebtables...

 
 
Damir Galič
Guest
Posts: n/a

 
      07-25-2005, 09:13 PM
Hello. I have this problem. I am trying to distribute multicast packets
through my linux box over the internal network. The only way I have managed to
do that is by using ebtables, blocking all but multicast packets on my
bridged NICs. The problem is that the connections between computers
connected to this linux box break from time to time. Here is the
rc.firewall that I am using. Tell me what I am doing wrong
and what I should change in order to get what I want...
eth1 is the interface used for the internal network, while eth0 is connected to
the ADSL modem and is where I receive multicast from. eth0=0/0,
eth1=192.168.0.1/32, br0=0/0

************************************************** *******************************
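#! /bin/sh
# rc.firewall: filter/NAT/mangle rules for a small LAN gateway plus an
# ebtables-controlled bridge that lets multicast from the ADSL side reach
# the LAN.  Usage: rc.firewall {start|stop|restart}
#
# Interfaces (see the description above the script: eth0 faces the ADSL
# modem and is where multicast arrives, eth1 faces the LAN).
EXTINT=ppp0       # internet interface (the PPP session on top of the ADSL link)
INTERN=eth1       # LAN interface; bridge port 1
INTERNout=eth0    # ADSL-modem side; bridge port 2 (the original comment called it "lan interface", which is wrong)
BRIDGE=br0        # bridge joining INTERN and INTERNout, carries no IP address
LO_IFACE=lo
LO_IP=127.0.0.1
INTERN_IP=192.168.0.1      # LAN address of this box (not referenced below)
EXTIP=193.77.101.100       # public address on EXTINT
# LAN hosts that get port forwards / traffic marks.
IPPC1=192.168.0.11
IPPC2=192.168.0.12
IPPC3=192.168.0.13         # defined but not referenced below
LAN_IP_RANGE="192.168.0.0/16"
MULTICAST="224.0.0.0/4"
# Tool paths; fw_up and fw_down both go through these.
IPTABLES="/usr/sbin/iptables"
EBTABLES="/sbin/ebtables"
BRCTL="/usr/local/sbin/brctl"
IFCONFIG="/sbin/ifconfig"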

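fw_up() {
  # Bring up the packet filter, NAT, traffic marks and the multicast bridge.
  # Reads the interface/address/tool variables from the top of the file and
  # writes iptables (filter, nat, mangle), ebtables (broute) and bridge state.
  # Not idempotent: the -N calls fail when the chains already exist and the
  # appends then pile up in the old chains, so use 'restart' (or 'stop'
  # first) instead of calling 'start' twice.

  # Default policies go in first so the host fails closed while the rest loads.
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  "$IPTABLES" -N bad_tcp_packets
  "$IPTABLES" -N allowed
  "$IPTABLES" -N tcp_packets
  "$IPTABLES" -N udp_packets
  "$IPTABLES" -N icmp_packets

  # bad_tcp_packets: reset a NEW connection that starts with SYN,ACK; log and
  # drop any other NEW segment that is not a SYN.
  "$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
  "$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # allowed: a fresh SYN or a tracked connection passes, anything else is dropped.
  "$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
  "$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A allowed -p TCP -j DROP

  # tcp_packets / udp_packets: services reachable from the internet, each
  # rate-limited.  Packets above the limit fall off the end of the chain,
  # back into INPUT, and end at the LOG rule and the DROP policy.
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 21 -m limit --limit 3/second --limit-burst 3 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 22 -m limit --limit 2/second --limit-burst 2 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 53 -m limit --limit 20/second --limit-burst 20 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 80 -m limit --limit 20/second --limit-burst 20 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 113 -m limit --limit 10/second --limit-burst 10 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 3000 -m limit --limit 10/second --limit-burst 10 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 49000:49300 -m limit --limit 100/second --limit-burst 100 -j allowed
  "$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 53 -m limit --limit 20/second --limit-burst 20 -j ACCEPT
  # MSN
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 6901 -m limit --limit 20/second --limit-burst 20 -j allowed
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 6891:6900 -m limit --limit 20/second --limit-burst 20 -j allowed
  "$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 2001:2120 -m limit --limit 20/second --limit-burst 20 -j ACCEPT
  "$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 6801 -m limit --limit 20/second --limit-burst 20 -j ACCEPT
  "$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 6901 -m limit --limit 20/second --limit-burst 20 -j ACCEPT
  # icmp_packets: echo request (8) and time exceeded (11) only, 1/s each.
  "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m limit --limit 1/second --limit-burst 1 -j ACCEPT
  "$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -m limit --limit 1/second --limit-burst 1 -j ACCEPT

  # INPUT: LAN and loopback are trusted, the internet side goes through the
  # per-protocol chains above.
  "$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A INPUT -p ALL -i "$INTERN" -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$EXTIP" -j ACCEPT
  "$IPTABLES" -A INPUT -p UDP -i "$INTERN" --dport 67 --sport 68 -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A INPUT -p TCP -i "$EXTINT" -j tcp_packets
  "$IPTABLES" -A INPUT -p UDP -i "$EXTINT" -j udp_packets
  "$IPTABLES" -A INPUT -p ICMP -i "$EXTINT" -j icmp_packets
  # Everything arriving via the bridge is accepted.  With the broute rules at
  # the end of this function only multicast/broadcast frames are bridged, but
  # those can come from the modem side of the bridge as well as from the LAN.
  "$IPTABLES" -A INPUT -p ALL -i "$BRIDGE" -j ACCEPT
  "$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

  # FORWARD: LAN <-> internet, bridge-to-bridge, IGMP and multicast.
  "$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets
  "$IPTABLES" -A FORWARD -i "$INTERN" -o "$EXTINT" -j ACCEPT
  "$IPTABLES" -A FORWARD -o "$INTERN" -i "$EXTINT" -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
  # The original spelled the output interface as a literal br0 here; use the
  # variable so renaming the bridge changes both sides.
  "$IPTABLES" -A FORWARD -p IGMP -i "$BRIDGE" -o "$BRIDGE" -j ACCEPT
  "$IPTABLES" -A FORWARD -p UDP -d "$MULTICAST" -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

  # OUTPUT: anything sourced from our own addresses.
  "$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
  "$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP_RANGE" -j ACCEPT
  "$IPTABLES" -A OUTPUT -p ALL -s "$EXTIP" -j ACCEPT
  "$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

  # NAT: masquerade the LAN and forward the listed ports from EXTIP to pc1/pc2.
  "$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -j MASQUERADE
  # directplay ports for pc1
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 2300:2400 -j DNAT --to "${IPPC1}:2300-2400"
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 2300:2400 -j DNAT --to "${IPPC1}:2300-2400"
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 47624 -j DNAT --to "${IPPC1}:47624"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 6073 -j DNAT --to "${IPPC1}:6073"
  # edonkey port for pc1
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 4669 -j DNAT --to "${IPPC1}:4669"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 4679 -j DNAT --to "${IPPC1}:4679"
  # 3389 exposes pc1's remote desktop to the whole internet; keep it in mind
  # when reviewing what is reachable from outside.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 3389 -j DNAT --to "${IPPC1}:3389"
  # bittorrent port for pc1
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 6881:6999 -j DNAT --to "${IPPC1}:6881-6999"
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 43100:43500 -j DNAT --to "${IPPC1}:43100-43500"
  # edonkey port for pc2
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 4662 -j DNAT --to "${IPPC2}:4662"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 4672 -j DNAT --to "${IPPC2}:4672"
  # shareaza port
  # NOTE(review): external 6346 is mapped to 4346 on pc1 -- confirm the port change is intended.
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 6346 -j DNAT --to "${IPPC1}:4346"
  # streaming port (unused?)
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 5000 -j DNAT --to "${IPPC1}:5000"
  # n4s underground
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 3074 -j DNAT --to "${IPPC1}:3074"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 3074 -j DNAT --to "${IPPC1}:3074"
  # MSN
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 6891:6900 -j DNAT --to "${IPPC1}:6891-6900"
  "$IPTABLES" -t nat -A PREROUTING -p tcp -m tcp -i "$EXTINT" -d "$EXTIP" --dport 6901 -j DNAT --to "${IPPC1}:6901"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 2001:2120 -j DNAT --to "${IPPC1}:2001-2120"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 6801 -j DNAT --to "${IPPC1}:6801"
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 6901 -j DNAT --to "${IPPC1}:6901"
  # cyberoro
  "$IPTABLES" -t nat -A PREROUTING -p udp -m udp -i "$EXTINT" -d "$EXTIP" --dport 7447 -j DNAT --to "${IPPC1}:7447"

  # Traffic-shaping marks (consumed by a tc setup outside this script):
  # mark 2 = 160 kbit/s ppp0 (bitje - pc2)
  # mark 3 = 600 kbit/s ppp0 (athlon - pc1)
  # mark 5 = 160 kbit/s ppp0 (ostali / others)
  # mark 4 = unlimited eth1 (athlon - pc1)
  # mark 1 = 3000 kbit/s eth1 (bitje - pc2)
  # mark 6 = 3000 kbit/s eth1 (ostali / others)
  "$IPTABLES" -t mangle -A FORWARD -d "${IPPC2}" -j MARK --set-mark 1      # pc2 download
  "$IPTABLES" -t mangle -A POSTROUTING -s "${IPPC2}" -j MARK --set-mark 2  # pc2 upload
  "$IPTABLES" -t mangle -A FORWARD -d "${IPPC1}" -j MARK --set-mark 4      # pc1 download
  "$IPTABLES" -t mangle -A POSTROUTING -s "${IPPC1}" -j MARK --set-mark 3  # pc1 upload
  # Default classes for every other LAN host 192.168.0.20 .. 192.168.0.200
  # (181 hosts).  The original shelled out to perl for this and called a bare
  # 'iptables' instead of $IPTABLES; a plain sh loop does the same job.
  host=20
  while [ "$host" -le 200 ]; do
    "$IPTABLES" -t mangle -A FORWARD -d "192.168.0.$host" -j MARK --set-mark 6
    "$IPTABLES" -t mangle -A POSTROUTING -s "192.168.0.$host" -j MARK --set-mark 5
    host=$((host + 1))
  done

  # mark 7 = oznaka za diagrame (mark used for traffic graphs).
  # The '#' in the middle of the next two lines comments out the target, so
  # the rules are appended without -j and only count matching packets; drop
  # the '#' to really set the mark.  Note the old "-d ! net" negation syntax:
  # newer iptables releases want "! -d net".
  "$IPTABLES" -t mangle -A OUTPUT -s "$EXTIP" -d ! "$LAN_IP_RANGE" # -j MARK --set-mark 7
  "$IPTABLES" -t mangle -A INPUT -s ! "$LAN_IP_RANGE" -d "$EXTIP" # -j MARK --set-mark 7

  # bridganje povezav za multicast (bridging the links for multicast).
  "$BRCTL" addbr "$BRIDGE"
  "$BRCTL" stp "$BRIDGE" off
  "$BRCTL" addif "$BRIDGE" "$INTERN"
  "$BRCTL" addif "$BRIDGE" "$INTERNout"
  "$IFCONFIG" "$INTERNout" 0.0.0.0
  "$IFCONFIG" "$BRIDGE" 0.0.0.0 up
  # ebtables broute semantics are the reverse of what the target names
  # suggest: in BROUTING, DROP means "route" (the frame is handed to the IP
  # stack as received on the physical port, so iptables still sees -i eth1
  # or -i eth0) and ACCEPT means "bridge".  The policy therefore routes
  # everything and only frames whose destination MAC has the group bit set
  # are switched between eth1 and eth0.  That mask also matches the
  # broadcast address, so LAN ARP/DHCP broadcasts cross to the modem side
  # as well; if only IPv4 multicast should pass, match the
  # 01:00:5e:00:00:00/ff:ff:ff:80:00:00 prefix instead.
  "$EBTABLES" -t broute -P BROUTING DROP
  "$EBTABLES" -t broute -A BROUTING -d 01:00:00:00:00:00/01:00:00:00:00:00 -j ACCEPT
  echo "Firewall up"
}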
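fw_down() {
  # Open every policy, flush and delete all chains, and remove the bridge.
  # Reads $IPTABLES/$EBTABLES/$BRCTL/$IFCONFIG and $BRIDGE.  Leaves the host
  # with ACCEPT policies and $INTERNout still addressed 0.0.0.0, so 'stop'
  # is an unprotected state on an internet-facing box, not a safe resting
  # point -- it is mainly the first half of 'restart'.
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
  "$IPTABLES" -t nat -P PREROUTING ACCEPT
  "$IPTABLES" -t nat -P POSTROUTING ACCEPT
  "$IPTABLES" -t nat -P OUTPUT ACCEPT
  "$IPTABLES" -t mangle -P PREROUTING ACCEPT
  "$IPTABLES" -t mangle -P OUTPUT ACCEPT
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  "$IPTABLES" -t mangle -X
  # Tear the bridge down through the same tool variables fw_up uses; the
  # original hard-coded /sbin/ifconfig, /usr/local/sbin/brctl and
  # /sbin/ebtables here, so the two halves could silently use different binaries.
  "$IFCONFIG" "$BRIDGE" down
  "$BRCTL" delbr "$BRIDGE"
  "$EBTABLES" -t broute -F BROUTING
  "$EBTABLES" -t broute -P BROUTING ACCEPT
  echo "Firewall down"
}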
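# Entry point: start|stop|restart.  A missing argument still means 'start'
# (kept for init scripts that call this file bare); any other word used to
# start the firewall as well, which let a mistyped 'stop' silently (re)apply
# the rules, so it now prints usage and exits non-zero instead.
case "$1" in
  start)
    fw_up
    ;;
  stop)
    fw_down
    ;;
  restart)
    fw_down
    sleep 1
    fw_up
    ;;
  '')
    fw_up
    ;;
  *)
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 2
    ;;
esac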
************************************************** *******************************


 
 
 
 
 
Damir Galič
Guest
Posts: n/a

 
      07-26-2005, 10:49 AM
Could it be that the bridge bridges all interfaces connected to the switch,
which is connected to eth1?
That might cause data to travel over a different route, which isn't
working.


"Damir Galič" <(E-Mail Removed)> wrote in message
news:4BcFe.556$(E-Mail Removed)...
> Hello. I have this problem. I am trying to distribute multicast packets
> through my linux box over the internal network. So the only way I managed
> to do that, it's by using ebtables, blocking all but multicast packets on
> my bridged NICs. The problem is, that the connection between computers
> connected to this linux box are breaking from time to time. Here is the
> example of my rc.firewall, that I am using. Tell me what I am doing wrong
> and what should I change in order to meet my wishes...
> Eth1 is the interface used for internal network, while eth0 is connected
> to adsl modem and it's where I receive multicast from. eth0=0/0,
> eth1=192.168.0.1/32, br0=0/0
>
> ************************************************** *******************************
> #! /bin/sh
> EXTINT=ppp0 # internet interface
> INTERN=eth1 # lan interface
> INTERNout=eth0 # lan interface
> BRIDGE=br0
> LO_IFACE=lo
> LO_IP=127.0.0.1
> INTERN_IP=192.168.0.1
> EXTIP=193.77.101.100
> IPPC1=192.168.0.11
> IPPC2=192.168.0.12
> IPPC3=192.168.0.13
> LAN_IP_RANGE="192.168.0.0/16"
> MULTICAST="224.0.0.0/4"
> IPTABLES="/usr/sbin/iptables"
> EBTABLES="/sbin/ebtables"
> BRCTL="/usr/local/sbin/brctl"
> IFCONFIG="/sbin/ifconfig"
>
> fw_up() {
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -N bad_tcp_packets
> $IPTABLES -N allowed
> $IPTABLES -N tcp_packets
> $IPTABLES -N udp_packets
> $IPTABLES -N icmp_packets
> $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m
> state --state NEW -j REJECT --reject-with tcp-reset
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j
> LOG --log-prefix "New not syn:"
> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A allowed -p TCP -j DROP
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -m limit --limit
> 3/second --limit-burst 3 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -m limit --limit
> 2/second --limit-burst 2 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -m limit --limit
> 20/second --limit-burst 20 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -m limit --limit
> 20/second --limit-burst 20 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -m limit --limit
> 10/second --limit-burst 10 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3000 -m limit --limit
> 10/second --limit-burst 10 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 49000:49300 -m
> limit --limit 100/second --limit-burst 100 -j allowed
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -m limit --limit
> 20/second --limit-burst 20 -j ACCEPT
> # MSN
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6901 -m limit --limit
> 20/second --limit-burst 20 -j allowed
> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6891:6900 -m limit --limit
> 20/second --limit-burst 20 -j allowed
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 2001:2120 -m limit --limit
> 20/second --limit-burst 20 -j ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 6801 -m limit --limit
> 20/second --limit-burst 20 -j ACCEPT
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 6901 -m limit --limit
> 20/second --limit-burst 20 -j ACCEPT
> #
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -m limit --limit
> 1/second --limit-burst 1 -j ACCEPT
> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -m limit --limit
> 1/second --limit-burst 1 -j ACCEPT
> $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
> $IPTABLES -A INPUT -p ALL -i $INTERN -s $LAN_IP_RANGE -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP_RANGE -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $EXTIP -j ACCEPT
> $IPTABLES -A INPUT -p UDP -i $INTERN --dport 67 --sport 68 -j ACCEPT
> $IPTABLES -A INPUT -p ALL -d $EXTIP -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -p TCP -i $EXTINT -j tcp_packets
> $IPTABLES -A INPUT -p UDP -i $EXTINT -j udp_packets
> $IPTABLES -A INPUT -p ICMP -i $EXTINT -j icmp_packets
> $IPTABLES -A INPUT -p ALL -i $BRIDGE -j ACCEPT
> $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j
> LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
> $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
> $IPTABLES -A FORWARD -i $INTERN -o $EXTINT -j ACCEPT
> $IPTABLES -A FORWARD -o $INTERN -i $EXTINT -j ACCEPT
> $IPTABLES -A FORWARD -i $BRIDGE -o $BRIDGE -j ACCEPT
> $IPTABLES -A FORWARD -p IGMP -i $BRIDGE -o br0 -j ACCEPT
> $IPTABLES -A FORWARD -p UDP -d $MULTICAST -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j
> LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
> $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP_RANGE -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $EXTIP -j ACCEPT
> $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j
> LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
>
> $IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -j MASQUERADE
> # directplay ports for pc1
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 2300:2400 -j DNAT --to ${IPPC1}:2300-2400
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 2300:2400 -j DNAT --to ${IPPC1}:2300-2400
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 47624 -j DNAT --to ${IPPC1}:47624
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 6073 -j DNAT --to ${IPPC1}:6073
> # edonkey port for pc1
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 4669 -j DNAT --to ${IPPC1}:4669
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 4679 -j DNAT --to ${IPPC1}:4679
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 3389 -j DNAT --to ${IPPC1}:3389
> # bittorrent port for pc1
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 6881:6999 -j DNAT --to ${IPPC1}:6881-6999
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 43100:43500 -j DNAT --to ${IPPC1}:43100-43500
> # edonkey port for pc2
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 4662 -j DNAT --to ${IPPC2}:4662
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 4672 -j DNAT --to ${IPPC2}:4672
> # shareaza port
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 6346 -j DNAT --to ${IPPC1}:4346
> # streaming port (unused?)
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 5000 -j DNAT --to ${IPPC1}:5000
> # n4s underground
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 3074 -j DNAT --to ${IPPC1}:3074
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 3074 -j DNAT --to ${IPPC1}:3074
> # MSN
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 6891:6900 -j DNAT --to ${IPPC1}:6891-6900
> $IPTABLES -t nat -A PREROUTING -p tcp -m tcp -i $EXTINT -d $EXTIP --dport
> 6901 -j DNAT --to ${IPPC1}:6901
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 2001:2120 -j DNAT --to ${IPPC1}:2001-2120
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 6801 -j DNAT --to ${IPPC1}:6801
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 6901 -j DNAT --to ${IPPC1}:6901
> # cyberoro
> $IPTABLES -t nat -A PREROUTING -p udp -m udp -i $EXTINT -d $EXTIP --dport
> 7447 -j DNAT --to ${IPPC1}:7447
>
> # mark 2 = 160 kbit/s ppp0 (bitje - pc2)
> # mark 3 = 600 kbit/s ppp0 (athlon - pc1)
> # mark 5 = 160 kbit/s ppp0 (ostali)
> # mark 4 = unlimited eth1 (athlon - pc1)
> # mark 1 = 3000 kbit/s eth1 (bitje - pc2)
> # mark 6 = 3000 kbit/s eth1 (ostali)
> $IPTABLES -t mangle -A FORWARD -d ${IPPC2} -j MARK --set-mark 1 #pc2
> download
> $IPTABLES -t mangle -A POSTROUTING -s ${IPPC2} -j MARK --set-mark 2 #pc2
> upload
> $IPTABLES -t mangle -A FORWARD -d ${IPPC1} -j MARK --set-mark 4 # pc1
> download
> $IPTABLES -t mangle -A POSTROUTING -s ${IPPC1} -j MARK --set-mark 3 #pc1
> upload
> perl -e '$a=20;for(0..180){ system("iptables -t mangle -A FORWARD -d
> 192.168.0.$a -j MARK --set-mark 6"); system("iptables -t mangle -A
> POSTROUTING -s 192.168.0.$a -j MARK --set-mark 5"); $a++;}'
>
> # mark 7 = oznaka za diagrame
> $IPTABLES -t mangle -A OUTPUT -s $EXTIP -d ! $LAN_IP_RANGE # -j
> MARK --set-mark 7
> $IPTABLES -t mangle -A INPUT -s ! $LAN_IP_RANGE -d $EXTIP # -j
> MARK --set-mark 7
> # bridganje povezav za multicast
> $BRCTL addbr $BRIDGE
> $BRCTL stp $BRIDGE off
> $BRCTL addif $BRIDGE $INTERN
> $BRCTL addif $BRIDGE $INTERNout
> $IFCONFIG $INTERNout 0.0.0.0
> $IFCONFIG $BRIDGE 0.0.0.0 up
> $EBTABLES -t broute -P BROUTING DROP
> $EBTABLES -t broute -A BROUTING -d 01:00:00:00:00:00/01:00:00:00:00:00 -j
> ACCEPT
> echo "Firewall up"
> }
> fw_down() {
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -t nat -P PREROUTING ACCEPT
> $IPTABLES -t nat -P POSTROUTING ACCEPT
> $IPTABLES -t nat -P OUTPUT ACCEPT
> $IPTABLES -t mangle -P PREROUTING ACCEPT
> $IPTABLES -t mangle -P OUTPUT ACCEPT
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
> $IPTABLES -X
> $IPTABLES -t nat -X
> $IPTABLES -t mangle -X
> /sbin/ifconfig $BRIDGE down
> /usr/local/sbin/brctl delbr $BRIDGE
> /sbin/ebtables -t broute -F BROUTING
> /sbin/ebtables -t broute -P BROUTING ACCEPT
> echo "Firewall down"
> }
> case "$1" in
> 'start')
> fw_up
> ;;
> 'stop')
> fw_down
> ;;
> 'restart')
> fw_down
> sleep 1
> fw_up
> ;;
> *)
> fw_up
> esac
> ************************************************** *******************************
>
>



 