From: David K. <da...@ke...> - 2019-02-22 18:24:07
Michael,

My scripts are below. I put this in the firewall custom-rules script. Now... if your WAN failover is a wireguard tunnel then be aware that if you are stopping/starting wireguard then the rate limits will need to get set up again... I do this in the wireguard.script file on the "POST_UP" action.

# =============================================================================
# Restore firewall marks on inbound/originating packets so that they can be used
# elsewhere in the iptables firewall
echo "[CUSTOM RULE] rules to restore firewall marks"
ip4tables -t mangle -A PREROUTING -j CONNMARK --restore-mark
ip4tables -t mangle -A OUTPUT -j CONNMARK --restore-mark
ip6tables -t mangle -A PREROUTING -j CONNMARK --restore-mark
ip6tables -t mangle -A OUTPUT -j CONNMARK --restore-mark

# =============================================================================
## Function to block devices so that they cannot access network through a given
## interface. And/or block traffic to/from a specific tcp/udp port number.
## >>>Call this function only once per interface
## Parameters:
##   interface (e.g. eth2)
##   MacAddrs (list of mac addresses)
##   Ports (list of ports)
## The interface local IP addresses are whitelisted
block_ports_macaddrs()
{
  local IFS=' '
  local mac
  local interface="$1"
  local macs="${2//,/ }"                    # if comma delimited convert to space delimited
  local ports="$(echo $3 | tr -s ' ' ',')"  # make sure comma delimited
  local chain=$(echo "FORWARD_$interface" | tr '[a-z]' '[A-Z]')  # uppercase interface name

  iptables -N $chain 2>/dev/null
  iptables -F $chain
  iptables -A FORWARD_CHAIN -o $interface -j $chain

  # Only add the whitelist rules if the interface actually exists
  if grep -q "^ *${interface}:" /proc/net/dev; then
    # note: the values keep their prefix length (e.g. 10.0.0.1/24), so the whole
    # interface subnet is accepted, not just the local address
    local ipv4=$(ip -4 addr show $interface | grep 'inet ' | awk -F' ' '{ print $2 }')
    local ipv6ula=$(ip -6 addr show $interface | grep 'inet6 fd' | awk -F' ' '{ print $2 }')
    if [ -n "$ipv4" ]; then
      ip4tables -A $chain -d "$ipv4" -j ACCEPT
    fi
    if [ -n "$ipv6ula" ]; then
      ip6tables -A $chain -d "$ipv6ula" -j ACCEPT
    fi
  fi

  for mac in $macs; do
    echo "[CUSTOM RULE] Block MAC address $mac on interface $interface"
    iptables -A $chain -m mac --mac-source $mac -j DROP
  done

  if [ -n "$ports" ]; then
    echo "[CUSTOM RULE] Block ports $ports on interface $interface"
    iptables -A $chain -p tcp -m multiport --dports $ports -j DROP
    iptables -A $chain -p tcp -m multiport --sports $ports -j DROP
    iptables -A $chain -p udp -m multiport --dports $ports -j DROP
    iptables -A $chain -p udp -m multiport --sports $ports -j DROP
  fi
}

# =============================================================================
## Function to prepare for rate limiting for traffic between local net and
## the WAN failover wireguard net. Actual packet selection for rate
## limiting will take place in iptables. This function limits only
## internal interfaces or WAN failover, not default EXTIF.
prepare_rate_limits()
{
  local interface
  local IFS=' '

  for interface in $INT_IF $EXT2IF; do
    if grep -q "^ *${interface}:" /proc/net/dev; then
      echo "[CUSTOM RULE] Prepare $interface for rate limiting"
      # Replace any existing root qdisc with an HTB tree of three rate classes
      tc qdisc del dev $interface root 2>/dev/null
      tc qdisc add dev $interface root handle 1: htb
      tc class add dev $interface parent 1: classid 1:1 htb rate 256Kbit
      tc class add dev $interface parent 1: classid 1:2 htb rate 512Kbit
      tc class add dev $interface parent 1: classid 1:3 htb rate 1024Kbit
      # Fair queuing inside each class so one flow cannot starve the others
      tc qdisc add dev $interface parent 1:1 handle 2: sfq perturb 10
      tc qdisc add dev $interface parent 1:2 handle 3: sfq perturb 10
      tc qdisc add dev $interface parent 1:3 handle 4: sfq perturb 10
      # Steer packets into a class by their firewall mark (set in iptables below)
      tc filter add dev $interface protocol ip parent 1: prio 1 handle 1 fw flowid 1:1
      tc filter add dev $interface protocol ip parent 1: prio 1 handle 2 fw flowid 1:2
      tc filter add dev $interface protocol ip parent 1: prio 1 handle 3 fw flowid 1:3
    fi
  done
}

## Function to rate limit some devices so that they cannot drive up huge data use.
## >>>Call this function only once per interface
## This uses kernel traffic control (tc) rules set on the net interface
## Parameters:
##   interface (e.g. eth2)
##   MacAddrs (list of mac addresses)
##   LimitMarks (list of limit-marks corresponding to each mac address)
##     Mark 1: 256 Kbps, 2: 512 Kbps, 3: 1 Mbps
## Inbound packets have the packet mark restored
## Outbound packets from selected devices are marked and the packet saved
## The interface local IP addresses are whitelisted
rate_limit_macaddrs()
{
  local IFS=' '
  local mac
  local mark
  local interface="$1"
  local macs="${2//,/ }"         # if comma delimited convert to space delimited
  local rate_marks="${3//,/ }"   # if comma delimited convert to space delimited
  local chain=$(echo "FORWARD_$interface" | tr '[a-z]' '[A-Z]')  # uppercase interface name

  iptables -N $chain -t mangle 2>/dev/null
  iptables -F $chain -t mangle
  iptables -A FORWARD -t mangle -o $interface -j $chain

  # Only add the whitelist rules if the interface actually exists
  if grep -q "^ *${interface}:" /proc/net/dev; then
    # note: the values keep their prefix length, so the whole interface subnet is accepted
    local ipv4=$(ip -4 addr show $interface | grep 'inet ' | awk -F' ' '{ print $2 }')
    local ipv6ula=$(ip -6 addr show $interface | grep 'inet6 fd' | awk -F' ' '{ print $2 }')
    if [ -n "$ipv4" ]; then
      ip4tables -A $chain -t mangle -d "$ipv4" -j ACCEPT
    fi
    if [ -n "$ipv6ula" ]; then
      ip6tables -A $chain -t mangle -d "$ipv6ula" -j ACCEPT
    fi
  fi

  # iptables -A $chain -t mangle -m mark ! --mark 0 -j ACCEPT

  for mac in $macs; do
    echo "[CUSTOM RULE] Rate limit MAC address $mac on interface $interface"
    mark=${rate_marks%% *}       # take the first mark from the list...
    rate_marks=${rate_marks#* }  # ...and drop it (the last mark is reused if the list runs short)
    iptables -A $chain -t mangle -m mac --mac-source $mac -j MARK --set-xmark ${mark:-1}/0x03
  done

  # Save the mark on the connection so reply packets get it back via --restore-mark above
  iptables -A $chain -t mangle -j CONNMARK --save-mark
  iptables -A $chain -t mangle -j ACCEPT
}

# =============================================================================
## Make the calls to block / rate limit
## During WAN (Comcast Xfinity) failure all traffic will be routed through
## a WAN_FAILOVER interface. On this system that is configured as wg0...
prepare_rate_limits

rate_limit_macaddrs \
  "${WIREGUARD_IF:-wg0}" \
  "52:54:00:43:1c:6e 3c:2e:ff:4e:bd:8a 8c:85:90:05:da:42 b8:e8:56:a3:67:05 f0:99:b6:4b:8c:87 00:61:71:cd:00:10 e0:33:8e:38:44:03 98:01:a7:49:1e:1c" \
  "3 1 1 2 1 1 1 2"
##^ TestVM, iPhone, MacBook, iPad, iPhone Xs Max, iPhone 6, iPhone Xs, iPad

block_ports_macaddrs \
  "${WIREGUARD_IF:-wg0}" \
  "00:08:9B:EE:D4:0E 00:08:9B:EE:D4:0F 00:08:9B:EF:30:68 52:54:00:43:1c:6e 08:66:98:92:00:55 52:54:00:43:1c:6e 3c:2e:ff:4e:bd:8a 8c:85:90:05:da:42 b8:e8:56:a3:67:05 f0:99:b6:4b:8c:87 00:61:71:cd:00:10 e0:33:8e:38:44:03 98:01:a7:49:1e:1c" \
  "4242"
##^ QNAP, QNAP, QNAP, UbuntuVM, AppleTV
##^ 4242 = crashplan ports
# =============================================================================

On Wed, Feb 20, 2019 at 5:18 PM Michael Knill <mic...@ip...> wrote:

> Thanks David that would be great.
>
> Regards
> Michael Knill
>
> *From: *David Kerr <da...@ke...>
> *Reply-To: *AstLinux Developers Mailing List <ast...@li...>
> *Date: *Thursday, 21 February 2019 at 9:13 am
> *To: *AstLinux Developers Mailing List <ast...@li...>
> *Subject: *Re: [Astlinux-devel] Traffic Shaping on backup connection
>
> I created some custom firewall scripts to handle this. Specifically I
> wanted to block or severely rate limit certain devices when going over the
> cellular connection. Devices are identified by their MAC address. If this
> is what you are trying to do then let me know and I will share with you the
> scripts.
>
> David
>
> On Wed, Feb 20, 2019 at 4:28 PM Lonnie Abelbeck <li...@lo...> wrote:
>
> > Hi Michael,
> >
> > Currently only "$EXTIF" (Primary External) is used for traffic shaping via
> > the AIF Traffic-Shaper plugin.
> >
> > You are correct, if shaping was to also apply to the Failover interface
> > "$EXT2IF" then a completely different set of shaping parameters would be
> > needed.
> >
> > Lonnie
> >
> > > On Feb 20, 2019, at 3:05 PM, Michael Knill <mic...@ip...> wrote:
> > >
> > > Hi Devs
> > >
> > > I assume that the Astlinux traffic shaping configuration applies to both
> > > the primary and secondary connections?
> > > If so, then is there a way that you can separate them between the two
> > > connections as you usually don't have them at the same speeds?
> > >
> > > Thanks
> > >
> > > Regards
> > > Michael Knill
> > > _______________________________________________
> > > Astlinux-devel mailing list
> > > Ast...@li...
> > > https://lists.sourceforge.net/lists/listinfo/astlinux-devel
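A dry-run checker for the device lists that rate_limit_macaddrs and block_ports_macaddrs take, added here as an example; it is not part of David's script or of AstLinux. It renders the iptables rules a given list would produce and flags the cases the shell functions tolerate silently: a MAC list longer than the mark list (the shell loop keeps reusing the last mark), a MAC listed twice (a second identical rule), a mark with no matching tc class, and port lists beyond what a single multiport rule accepts. It assumes the same three HTB classes and FORWARD_<IF> chain naming as the script above; the sample MAC addresses are constructed, not the devices from the post.

```python
import re

# HTB classes that prepare_rate_limits() creates, keyed by fw mark
# (assumption: the same three classes as the script above)
RATE_BY_MARK = {1: "256Kbit", 2: "512Kbit", 3: "1024Kbit"}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
MULTIPORT_MAX = 15  # iptables -m multiport accepts at most 15 ports per rule


def split_list(text):
    """Accept the comma- or space-delimited lists the shell functions take."""
    return text.replace(",", " ").split()


def chain_name(interface):
    """Same naming rule as the script: FORWARD_<INTERFACE> in upper case."""
    return "FORWARD_" + interface.upper()


def validate_mac(raw, seen, problems):
    """Normalise one MAC; record invalid or duplicate entries. Returns None on error."""
    mac = raw.lower()
    if not MAC_RE.match(mac):
        problems.append(f"invalid MAC address {raw!r}")
        return None
    if mac in seen:
        problems.append(f"duplicate MAC address {mac} (would add a second identical rule)")
        return None
    seen.add(mac)
    return mac


def plan_rate_limits(interface, mac_list, mark_list):
    """Dry run of rate_limit_macaddrs(): returns (problems, iptables commands)."""
    chain = chain_name(interface)
    macs, marks = split_list(mac_list), split_list(mark_list)
    problems, commands, seen = [], [], set()
    if len(marks) != len(macs):
        problems.append(f"{len(macs)} MACs but {len(marks)} marks: the shell loop reuses "
                        "the last mark for the remaining devices (or 1 if none given)")
    for i, raw in enumerate(macs):
        # Mirror the shell's ${rate_marks%% *} / ${rate_marks#* } pairing exactly
        mark = marks[i] if i < len(marks) else (marks[-1] if marks else "1")
        mac = validate_mac(raw, seen, problems)
        if mac is None:
            continue
        if not mark.isdigit() or int(mark) not in RATE_BY_MARK:
            problems.append(f"mark {mark!r} for {mac} has no tc class (valid: 1, 2, 3)")
            continue
        commands.append(f"iptables -t mangle -A {chain} -m mac --mac-source {mac} "
                        f"-j MARK --set-xmark {int(mark)}/0x03  # {RATE_BY_MARK[int(mark)]}")
    commands.append(f"iptables -t mangle -A {chain} -j CONNMARK --save-mark")
    return problems, commands


def plan_block_ports(interface, mac_list, port_list):
    """Dry run of block_ports_macaddrs(): returns (problems, iptables commands)."""
    chain = chain_name(interface)
    problems, commands, seen = [], [], set()
    for raw in split_list(mac_list):
        mac = validate_mac(raw, seen, problems)
        if mac is not None:
            commands.append(f"iptables -A {chain} -m mac --mac-source {mac} -j DROP")
    ports = split_list(port_list)
    bad = [p for p in ports if not p.isdigit() or not 1 <= int(p) <= 65535]
    for p in bad:
        problems.append(f"invalid port {p!r}")
    if len(ports) > MULTIPORT_MAX:
        problems.append(f"{len(ports)} ports exceed the multiport limit of {MULTIPORT_MAX}")
    good = [p for p in ports if p not in bad]
    if good:
        joined = ",".join(good)
        for proto in ("tcp", "udp"):
            for direction in ("dports", "sports"):
                commands.append(f"iptables -A {chain} -p {proto} -m multiport "
                                f"--{direction} {joined} -j DROP")
    return problems, commands


if __name__ == "__main__":
    # Constructed sample lists (not the devices from the mailing-list post);
    # the third entry repeats the first in upper case to show duplicate detection
    SAMPLE_MACS = "52:54:00:aa:bb:01 52:54:00:aa:bb:02 52:54:00:AA:BB:01"
    for problems, commands in (plan_rate_limits("wg0", SAMPLE_MACS, "3 1"),
                               plan_block_ports("wg0", SAMPLE_MACS, "4242")):
        print("\n".join("WARNING: " + p for p in problems) or "no problems found")
        print("\n".join(commands))
```

Run it against the lists you intend to pass to the two functions before restarting the firewall; the rendered commands are the ones the script would issue, so they can also be diffed against `iptables -t mangle -S FORWARD_WG0` on the running box to confirm the rules took effect after a WireGuard restart.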