LINUX环境下iproute2 + iptables + tc 双线策略路由(2)
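# Egress shaping: one HTB tree per interface. eth1/eth2 are the two uplinks;
# eth0 is presumably the inside interface (not stated in this excerpt).
# eth1's root qdisc (handle 1:) is referenced below but created earlier in the
# script, outside this excerpt. Unclassified traffic falls into class :15.
tc qdisc add dev eth2 root handle 2: htb default 15
tc qdisc add dev eth0 root handle 3: htb default 15

# Per-interface ceiling class.
tc class add dev eth1 parent 1: classid 1:1 htb rate 75Mbit ceil 75Mbit
tc class add dev eth2 parent 2: classid 2:1 htb rate 75Mbit ceil 75Mbit
tc class add dev eth0 parent 3: classid 3:1 htb rate 85Mbit ceil 85Mbit

# Leaf classes: :11 prio 0 (interactive, fw mark 1), :12 prio 1 (web, fw mark 2),
# :15 prio 2 (everything else, fw mark 5 and the HTB default).
tc class add dev eth1 parent 1:1 classid 1:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth2 parent 2:1 classid 2:11 htb rate 30Mbit ceil 30Mbit prio 0
tc class add dev eth0 parent 3:1 classid 3:11 htb rate 40Mbit ceil 40Mbit prio 0
tc class add dev eth1 parent 1:1 classid 1:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth2 parent 2:1 classid 2:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth0 parent 3:1 classid 3:12 htb rate 25Mbit ceil 25Mbit prio 1
tc class add dev eth1 parent 1:1 classid 1:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth2 parent 2:1 classid 2:15 htb rate 20Mbit ceil 20Mbit prio 2
tc class add dev eth0 parent 3:1 classid 3:15 htb rate 20Mbit ceil 20Mbit prio 2

# Fair queuing inside the web and bulk classes (qdisc handles are per device,
# so reusing 12:/15: on each interface is fine).
tc qdisc add dev eth1 parent 1:12 handle 12: sfq
tc qdisc add dev eth1 parent 1:15 handle 15: sfq
tc qdisc add dev eth2 parent 2:12 handle 12: sfq
tc qdisc add dev eth2 parent 2:15 handle 15: sfq
tc qdisc add dev eth0 parent 3:12 handle 12: sfq
tc qdisc add dev eth0 parent 3:15 handle 15: sfq

# Classify by netfilter mark: "handle N fw" matches packets carrying mark N.
tc filter add dev eth1 parent 1:0 protocol ip prio 1 handle 1 fw classid 1:11
tc filter add dev eth2 parent 2:0 protocol ip prio 1 handle 1 fw classid 2:11
tc filter add dev eth0 parent 3:0 protocol ip prio 1 handle 1 fw classid 3:11
tc filter add dev eth1 parent 1:0 protocol ip prio 2 handle 2 fw classid 1:12
tc filter add dev eth2 parent 2:0 protocol ip prio 2 handle 2 fw classid 2:12
tc filter add dev eth0 parent 3:0 protocol ip prio 2 handle 2 fw classid 3:12
tc filter add dev eth1 parent 1:0 protocol ip prio 5 handle 5 fw classid 1:15
tc filter add dev eth2 parent 2:0 protocol ip prio 5 handle 5 fw classid 2:15
tc filter add dev eth0 parent 3:0 protocol ip prio 5 handle 5 fw classid 3:15

# Ingress policing on both uplinks: drop anything above 85Mbit.
tc qdisc add dev eth1 handle ffff: ingress
tc qdisc add dev eth2 handle ffff: ingress
tc filter add dev eth1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 85Mbit burst 15k drop flowid :1
tc filter add dev eth2 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate 85Mbit burst 15k drop flowid :1

# Marking rules. Each match is a MARK rule immediately followed by an identical
# RETURN rule, so the first matching pair decides the mark and later pairs are
# skipped. All rules are appended (-A): the original inserted the SYN pair with
# -I, which put the RETURN rule *above* its MARK rule, so SYN packets left the
# chain unmarked and landed in the default class instead of class :11.
iptables -F -t mangle
# mark 1 -> class :11 (interactive): TCP SYN, low-delay TOS, ICMP, SSH, DNS,
# the listed application ports, and small TCP packets (<= 500 bytes).
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m tos --tos Minimize-Delay -j RETURN
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p icmp -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 22 -j RETURN
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p udp -m udp --dport 53 -j RETURN
# --port matches either source or destination port; duplicate 6299 dropped.
iptables -t mangle -A PREROUTING -p tcp -m multiport --port 6299,39311,10001,13000,29000,28088,7000,7100,30810,6020,40041,54321,5858 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m multiport --port 6299,39311,10001,13000,29000,28088,7000,7100,30810,6020,40041,54321,5858 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m length --length :500 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -p tcp -m length --length :500 -j RETURN
# mark 2 -> class :12 (web): HTTP, HTTPS and 8080 in either direction.
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 443 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8080 -j RETURN
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 8080 -j MARK --set-mark 0x2
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 8080 -j RETURN
# mark 5 -> class :15 (bulk): everything not matched above.
iptables -t mangle -A PREROUTING -j MARK --set-mark 0x5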
10. 防火墙脚本如下(存放位置:/etc/fire)
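#!/bin/sh
# /etc/fire - host firewall and NAT for the dual-uplink router.
# Run from rc.local after the routing script. Only the filter and nat tables are
# reset here; the mangle table appears to be owned by the tc script.
# The original shebang was "#/bin/sh" (missing "!"), so the file only ran because
# the calling shell falls back to interpreting ENOEXEC files itself.
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

# Clean slate for filter and nat.
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X

# Default policies: drop traffic to the router itself, forward and emit freely.
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Allow loopback, replies to the router's own connections, and SSH.
iptables -A INPUT -i lo -j ACCEPT
# RELATED added alongside ESTABLISHED: without it ICMP errors for the router's
# own sessions and helper-tracked data connections (ip_conntrack_ftp is loaded
# above) hit the INPUT DROP policy.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#ICMP (the original comment said IGMP; these rules match ICMP), rate-limited
# per destination range. 218.28.1.0/24 and 222.88.1.0/24 are presumably the two
# uplink address ranges, 192.168.0.0/22 the inside network.
iptables -A INPUT -p ICMP -d 218.28.1.0/24 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p ICMP -d 222.88.1.0/24 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p ICMP -d 192.168.0.0/22 -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# Non-first IP fragments, rate-limited.
iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

#synfoold (sic - chain name kept as the rest of the config may reference it):
# new TCP connections above 1 SYN/s are answered with a reset. Note that SSH
# SYNs were already accepted above, so this chain only sees connections the
# INPUT policy would otherwise drop silently.
iptables -N synfoold
iptables -A synfoold -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A synfoold -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synfoold

# FORWARD rate limits. With the FORWARD policy at ACCEPT these rules never
# change a verdict: a packet over the limit simply falls through to the policy
# and is accepted anyway. Left as-is because a following DROP would throttle
# the whole inside network to 1 new connection per second.
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Second SYN limiter; largely redundant with synfoold, which runs first for
# NEW TCP and already resets anything above 1/s.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

#NAT: masquerade the inside network out of whichever uplink the policy routing picks.
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/22 -o eth2 -j MASQUERADE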
11. 最后rc.local脚本如下:
#!/bin/sh
# rc.local - boot-time wiring for the dual-uplink router.
# Order matters: routing tables first, then the firewall, then static ARP and
# traffic control. No error checking is done, so a failing step does not stop
# the following ones.
touch /var/lock/subsys/local

# Enable forwarding and raise the conntrack table size. The ip_conntrack_max
# path belongs to older kernels; newer ones expose it elsewhere - verify on
# the target kernel.
printf '1\n' > /proc/sys/net/ipv4/ip_forward
printf '65535\n' > /proc/sys/net/ipv4/ip_conntrack_max

/etc/cncroute
/etc/fire
# Load static ARP entries from the default ethers file.
arp -f
/etc/tc
# Note: steps 5, 6 and 7 of the write-up are combined into the /etc/cncroute script.