-
Notifications
You must be signed in to change notification settings - Fork 0
/
rules-example-2
200 lines (127 loc) · 4.68 KB
/
rules-example-2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
# Declare host IPs here
FOO_IP=$(cat /etc/hosts|grep 'foo '|sed -e 's/\s.*//g')
BAR_IP=$(cat /etc/hosts|grep 'bar '|sed -e 's/\s.*//g')
DUMMY_IP=192.168.31.45
VNCSERVER=192.168.31.50
SMART_TV=192.168.31.48
LAPTOP=192.168.31.33
ANDROID_DEVICE=192.168.31.40
function setup_rules_and_policies {
printf "\n"
echo "Bandwidth control:"
echo "------------------"
###############################################################
# Bandwidth control matrices specify how bandwidth should be
# classified/prioritized in case of contention.
# More classes can be added
# Min and Max rates are percentages of CEIL
# When setting up bandwidth classes, ake sure that:
# - ID of each class is unique (per matrix)
# - the first ID is always called '1:10'
# - the total of all 'min rate' values equals 100
# - none of the 'max rate' values exceeds 100
#
# The first class (1:10) will be the default class for all
# traffic in that direction, unless it is reclassified as some-
# thing else in a subsequent 'classify' rule
#
###############################################################
##########################
# Download bandwidth rules
##########################
# DOWNLOAD_CEIL (kbit/s) will never be exceeded
DOWNLOAD_CEIL=40000
printf "\n"
printf "\tDownload classes (CEIL = $DOWNLOAD_CEIL kbit/s): \n"
printf "\t--------------------------------------- \n"
DOWNLOAD_CLASSES=(
# ID priority min rate max rate
1:10 0 5 20
1:11 1 25 100
1:12 2 50 100
1:13 2 20 100
)
printf "\n"
printf "\tDownload rules: \n"
printf "\t--------------- \n"
# Order matters here - *LAST* matching rule wins
# By default, regular traffic goes to the regular lane
classify_download_by_host $LOCAL_SUBNET 1:12
# Let's make web browsing faster and more responsive!
classify_download_from_port tcp 80 1:11
classify_download_from_port tcp 443 1:11
# SSH too!
classify_download_from_port tcp 22 1:11
# 'dummy' is always downloading files 24/7
# we don't want it slowing everyone else
# Set downloads by 'dummy' as low priority
classify_download_by_host $DUMMY_IP 1:13
# Downloads by 'foo' are high priority
classify_download_by_host $FOO_IP 1:11
##########################
# Upload bandwidth rules
##########################
# UPLOAD_CEIL (kbit/s) will never be exceeded
UPLOAD_CEIL=8000
printf "\n"
printf "\tUpload classes (CEIL = $UPLOAD_CEIL kbit/s):\n"
printf "\t------------------------------------ \n"
UPLOAD_CLASSES=(
# ID priority min rate max rate
1:10 0 5 20
1:11 1 15 85
1:12 2 55 100
1:13 2 20 100
1:14 3 5 50
)
printf "\n"
printf "\tUpload rules: \n"
printf "\t------------- \n"
# Order matters here - *LAST* matching rule wins
# By default, regular traffic goes to the regular lane
classify_upload_from_host $LOCAL_SUBNET 1:12
# We have an HTTP server on our network
# let's keep its users happy
classify_upload_from_port tcp 80 1:11
classify_upload_from_port tcp 443 1:11
# BAR is a dedicated torrent server
# so its uploads are low priority (and capped at 50%)
classify_upload_from_host $BAR_IP 1:14
############################
# Incoming connection limits
############################
printf "\n\n"
printf "\tIncoming connection limits: \n"
printf "\t--------------------------- \n"
# limit attacks on our SSH (22) port
limit_connections_to_public_port tcp 22 10/min
# limit attacks on our server
limit_connections_to_internal_host $FOO_IP 200/min
printf "\n"
echo "Port duplication:"
echo "-----------------"
# Duplicate SSH to port 8080 as that's one of the most commonly unblocked ports
# (I would duplicate to 80 and 443 as well, but I need to forward those to the
# HTTP server)
port_duplicate tcp 22 8080
# Use port locking (port knocking) to hide our VNC server!
port_lock_forward tcp 22 6000,8000,10000 $VNCSERVER:5900
printf "\n"
echo "Port forwarding:"
echo "----------------"
# FOO is hosting an HTTP server, so lets forward ports 80 and 443
port_forward tcp 80 $FOO_IP:80
port_forward tcp 443 $FOO_IP:443
# The TV really has no business going to the Internet:
deny_internet $SMART_TV
# I want my android device to be blocked from the Internet,
# EXCEPT for Wikipedia:
restrict_internet $ANDROID_DEVICE android_safenet
add_safe_destination android_safenet www.wikipedia.org
add_safe_destination android_safenet upload.wikimedia.org
# For my laptop, I want Wikipedia and Github
add_safe_destination laptop_safenet github.com
add_safe_destination laptop_safenet githubassets.com
restrict_internet $LAPTOP laptop_safenet
restrict_internet $LAPTOP android_safenet
}