This is a script that uses iptables and tc to shape the upload stream on my
ADSL line, which handles about 360 kbit/s upstream.
I had a lot of trouble getting bittorrent working - it seemed to bypass the
filtering, and get prioritised above all other packets, but somehow it seems
to work now. If it doesn't work for you, try dropping the packets going to ports
6881-6889 (see the commented-out DROP rules below). That should force the bt
traffic to register as normal traffic and become restrictable.
become restrictable. This has been tested on my linksys WRT54G with DD-WRT
installed, and also on a normal linux router. Just set EXTIF to your external
network interface, and maybe poke around with the RATEs as well. The quantum
and burst values should probably be left alone.
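#!/bin/sh
### Packet Shaping ###
#
# Upload shaping for a ~360 kbit/s ADSL line.  iptables marks packets in the
# mangle table with a priority (1 = most urgent ... 6 = bulk/p2p) and an HTB
# tree on $EXTIF maps each mark to its own class.  Written for POSIX sh so it
# also runs under busybox on DD-WRT.
#
# Don't forget to clear out iptables (the mangle FORWARD/OUTPUT chains) first;
# the tc root qdisc is reset below so the script can be re-run.
#
# Environment: EXTIF (external interface, default eth1) and UPRATE (link
# upload rate, default 355kbit) may be overridden from the environment.
set -eu

EXTIF="${EXTIF:-eth1}"
MARKPRIO1="1"
MARKPRIO2="2"
MARKPRIO3="3"
MARKPRIO4="4"
MARKPRIO5="5"
MARKPRIO6="6"

# mark_both PRIO MATCH...
# Add one classification rule to both the FORWARD (routed LAN traffic) and
# OUTPUT (the router's own traffic) chains of the mangle table.  The rule
# only fires on packets that are still unmarked (-m mark --mark 0), so the
# FIRST matching rule wins.  Without that guard the LAST rule would win,
# because MARK is a non-terminating target: the "non tcp" prio-2 rule would
# re-mark ICMP down from prio 1, and every per-port rule would re-mark the
# small ACKs that had just been given prio 1.
# Arguments: $1 - mark value; remaining args - iptables match options
mark_both() {
  _prio=$1
  shift
  iptables -t mangle -A FORWARD "$@" -m mark --mark 0 -j MARK --set-mark "$_prio"
  iptables -t mangle -A OUTPUT "$@" -m mark --mark 0 -j MARK --set-mark "$_prio"
}

# mark_fwd PRIO MATCH...
# Same as mark_both, but for the FORWARD chain only (the router's own
# traffic is left to the later rules).
mark_fwd() {
  _prio=$1
  shift
  iptables -t mangle -A FORWARD "$@" -m mark --mark 0 -j MARK --set-mark "$_prio"
}

# Setting priority marks.  Rules are listed from highest to lowest priority
# and the first match wins (see mark_both).  The one exception is the
# bittorrent port range, which is listed first so it can never be promoted
# by a more specific rule (e.g. the small-ACK rule).
# Prio 6
# bittorrent (forwarded LAN traffic only, as before)
mark_fwd "$MARKPRIO6" -p tcp --sport 6881:6889
mark_fwd "$MARKPRIO6" -p tcp --dport 6881:6889
mark_fwd "$MARKPRIO6" -p udp --sport 6881:6889
mark_fwd "$MARKPRIO6" -p udp --dport 6881:6889
#iptables -t mangle -A FORWARD -p tcp --sport 6881:6889 -j DROP
#iptables -t mangle -A FORWARD -p tcp --dport 6881:6889 -j DROP
#iptables -t mangle -A FORWARD -p udp --sport 6881:6889 -j DROP
#iptables -t mangle -A FORWARD -p udp --dport 6881:6889 -j DROP
##mark_fwd "$MARKPRIO6" -m layer7 --l7proto bittorrent
### Other p2p
##mark_fwd "$MARKPRIO6" -m ipp2p --ipp2p
# Prio 1
# icmp
mark_both "$MARKPRIO1" -p icmp
# enemy-territory
mark_both "$MARKPRIO1" -p tcp --dport 27960
# ntp - UDP/123.  The old rule matched TCP/123, which NTP does not use, so
# time sync only ever got the generic "non tcp" prio 2.
mark_both "$MARKPRIO1" -p udp --dport 123
# Small ACK packets
mark_both "$MARKPRIO1" -p tcp -m length --length 0:128 --tcp-flags SYN,RST,ACK ACK
# Prio 2
# ssh
mark_both "$MARKPRIO2" -p tcp --dport 22
# dns
mark_both "$MARKPRIO2" -p udp --dport 53
# https
mark_both "$MARKPRIO2" -p tcp --dport 443
# irc
mark_both "$MARKPRIO2" -p tcp -m multiport --dport 6667,6669,6697,9999
## non tcp - everything that is not TCP and was not caught above
## (extrapositioned negation "! -p tcp"; the "-p ! tcp" form is deprecated)
mark_both "$MARKPRIO2" ! -p tcp
# Prio 3 - "normal"
# smtp
mark_both "$MARKPRIO3" -p tcp --dport 25
# http
mark_both "$MARKPRIO3" -p tcp --dport 80
# imap, pop3
mark_both "$MARKPRIO3" -p tcp -m multiport --dport 143,993,110
# incoming ssh (replies from the local ssh server)
mark_both "$MARKPRIO3" -p tcp --sport 22
# Prio 4
# http uploads (replies from the local web server)
mark_both "$MARKPRIO4" -p tcp --sport 80
# https uploads
mark_both "$MARKPRIO4" -p tcp --sport 443
# Prio 5 - default/catch-all (htb "default 105" below) - this might catch bittorrent
# Prio 6
# packets > 1024 bytes that nothing above claimed
# when ports 6881-6889 are dropped, this looks like it successfully deals with bittorrent :)
mark_both "$MARKPRIO6" -p tcp -m length --length 1024:
# Remaining packets are marked according to TOS (forwarded traffic only)
mark_fwd "$MARKPRIO3" -p tcp -m tos --tos Normal-Service
mark_fwd "$MARKPRIO1" -p tcp -m tos --tos Minimize-Delay
mark_fwd "$MARKPRIO3" -p tcp -m tos --tos Maximize-Throughput
mark_fwd "$MARKPRIO2" -p tcp -m tos --tos Maximize-Reliability
mark_fwd "$MARKPRIO6" -p tcp -m tos --tos Minimize-Cost

# Rates
UPRATE="${UPRATE:-355kbit}"
P2PRATE=$UPRATE
#P2PRATE="128kbit"
PRIORATE1="128kbit"
PRIORATE2="128kbit"
PRIORATE3="32kbit"
PRIORATE4="12kbit"
PRIORATE5="12kbit"
PRIORATE6="12kbit"
# Quantum
QUANTUM1="12187"
QUANTUM2="8625"
QUANTUM3="5062"
QUANTUM4="3000"
QUANTUM5="1500"
QUANTUM6="1500"
# Burst
BURST1="6k"
BURST2="4k"
BURST3="2k"
BURST4="1k"
BURST5="0k"
BURST6="0k"
CBURST1="3k"
CBURST2="2k"
CBURST3="1k"
CBURST4="0k"
CBURST5="0k"
CBURST6="0k"

# Set queue length for $EXTIF - keep the driver queue short so that htb,
# not the NIC, decides what goes out next
ifconfig "$EXTIF" txqueuelen 16
# Drop any previous root qdisc so the "tc qdisc add" below does not fail
# with "File exists" on a re-run (the error is ignored when there is
# nothing to delete)
tc qdisc del dev "$EXTIF" root 2>/dev/null || true
# Specify queue discipline; packets with no mark go to class 1:105 (prio 5)
tc qdisc add dev "$EXTIF" root handle 1:0 htb default 105 r2q 1
# Set root class
tc class add dev "$EXTIF" parent 1:0 classid 1:1 htb rate "$UPRATE" burst "$BURST1" cburst "$CBURST1"
# Specify sub classes - one per priority; "ceil" lets any class borrow up
# to the full link when the others are idle
tc class add dev "$EXTIF" parent 1:1 classid 1:101 htb rate "$PRIORATE1" ceil "$UPRATE" quantum "$QUANTUM1" burst "$BURST1" cburst "$CBURST1" prio 1
tc class add dev "$EXTIF" parent 1:1 classid 1:102 htb rate "$PRIORATE2" ceil "$UPRATE" quantum "$QUANTUM2" burst "$BURST2" cburst "$CBURST2" prio 2
tc class add dev "$EXTIF" parent 1:1 classid 1:103 htb rate "$PRIORATE3" ceil "$UPRATE" quantum "$QUANTUM3" burst "$BURST3" cburst "$CBURST3" prio 3
tc class add dev "$EXTIF" parent 1:1 classid 1:104 htb rate "$PRIORATE4" ceil "$UPRATE" quantum "$QUANTUM4" burst "$BURST4" cburst "$CBURST4" prio 4
tc class add dev "$EXTIF" parent 1:1 classid 1:105 htb rate "$PRIORATE5" ceil "$UPRATE" quantum "$QUANTUM5" burst "$BURST5" cburst "$CBURST5" prio 5
tc class add dev "$EXTIF" parent 1:1 classid 1:106 htb rate "$PRIORATE6" ceil "$P2PRATE" quantum "$QUANTUM6" burst "$BURST6" cburst "$CBURST6" prio 6
# Filter packets - map each firewall mark to its class
tc filter add dev "$EXTIF" parent 1:0 protocol ip prio 1 handle "$MARKPRIO1" fw classid 1:101
tc filter add dev "$EXTIF" parent 1:0 protocol ip prio 2 handle "$MARKPRIO2" fw classid 1:102
tc filter add dev "$EXTIF" parent 1:0 protocol ip prio 3 handle "$MARKPRIO3" fw classid 1:103
tc filter add dev "$EXTIF" parent 1:0 protocol ip prio 4 handle "$MARKPRIO4" fw classid 1:104
tc filter add dev "$EXTIF" parent 1:0 protocol ip prio 5 handle "$MARKPRIO5" fw classid 1:105
tc filter add dev "$EXTIF" parent 1:0 protocol ip prio 6 handle "$MARKPRIO6" fw classid 1:106
# Add queuing disciplines - sfq inside each class so one flow cannot hog it
tc qdisc add dev "$EXTIF" parent 1:101 sfq perturb 16 quantum "$QUANTUM1"
tc qdisc add dev "$EXTIF" parent 1:102 sfq perturb 16 quantum "$QUANTUM2"
tc qdisc add dev "$EXTIF" parent 1:103 sfq perturb 16 quantum "$QUANTUM3"
tc qdisc add dev "$EXTIF" parent 1:104 sfq perturb 16 quantum "$QUANTUM4"
tc qdisc add dev "$EXTIF" parent 1:105 sfq perturb 16 quantum "$QUANTUM5"
tc qdisc add dev "$EXTIF" parent 1:106 sfq perturb 16 quantum "$QUANTUM6"
### End Packet Shaping ###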