Всем добрый день, помогите кто чем сможет: есть роутер Ubuntu с iptables, eth0 — локалка, eth1 — интернет. Цель — иметь возможность ограничивать трафик (входящий и исходящий) любому IP в локалке; весь день курил мануалы, хауту и т.д. Вот что имею на сегодня:
# Generated by iptables-save v1.4.12 on Mon Dec 16 19:29:43 2013
# Router layout (from the author's description): eth0 = LAN 192.168.1.0/24,
# eth1 = Internet (public address 109.194.33.177), tun0 = VPN 10.8.0.0/24.
# Rule order matters in every chain below: the first matching rule wins, so a
# broad rule placed before a narrower one makes the narrower one dead.
*mangle
:PREROUTING ACCEPT [49949:51587525]
:INPUT ACCEPT [13751:14870544]
:FORWARD ACCEPT [36198:36716981]
:OUTPUT ACCEPT [9090:14580000]
:POSTROUTING ACCEPT [45293:51297548]
# Firewall mark 0x3f1 intended for the traffic shaper (the tc side is not on
# this page).
# NOTE(review): this rule matches only packets whose SOURCE is 192.168.1.9,
# i.e. that host's upload direction. Nothing here marks packets going TO the
# host, so a tc filter keyed on fw mark 0x3f1 for the download direction has
# nothing to act on -- consistent with "download at full speed, upload limited"
# reported below. Adding "-d 192.168.1.9/32" in mangle PREROUTING would not fix
# it either: reply packets arrive on eth1 still addressed to 109.194.33.177
# (the SNAT is undone later, in nat PREROUTING). Mark the download direction in
# mangle FORWARD or POSTROUTING instead, or carry the mark on the connection
# with CONNMARK -- verify against the tc script.
-A PREROUTING -s 192.168.1.9/32 -j MARK --set-xmark 0x3f1/0xffffffff
# MSS clamping for forwarded TCP SYNs (avoids PMTU black holes behind NAT/VPN).
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Dec 16 19:29:43 2013
# Generated by iptables-save v1.4.12 on Mon Dec 16 19:29:43 2013
*nat
:PREROUTING ACCEPT [64:5598]
:INPUT ACCEPT [51:3753]
:OUTPUT ACCEPT [39:2875]
:POSTROUTING ACCEPT [2115:255505]
# LAN web traffic (tcp 80, 8080) is transparently redirected to local port
# 3128 (presumably a proxy; INPUT below accepts 3128 from the LAN -- confirm).
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-ports 3128
# Inbound port forwards from the Internet. Entries without "-s" are reachable
# from any source address on the Internet.
# tcp 80 -> 192.168.1.31, open to any source.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.31
# udp 54236 -> 1194 on the router's own public address (INPUT in *filter
# accepts udp 1194 on eth1).
# NOTE(review): the first rule has no "-s", so the two per-source rules after
# it are never reached. Either drop them, or remove the open rule if the intent
# was to allow only those two sources.
-A PREROUTING -d 109.194.33.177/32 -i eth1 -p udp -m udp --dport 54236 -j DNAT --to-destination 109.194.33.177:1194
-A PREROUTING -s 195.208.161.154/32 -d 109.194.33.177/32 -i eth1 -p udp -m udp --dport 54236 -j DNAT --to-destination 109.194.33.177:1194
-A PREROUTING -s 195.208.161.206/32 -d 109.194.33.177/32 -i eth1 -p udp -m udp --dport 54236 -j DNAT --to-destination 109.194.33.177:1194
# Per-source forwards: tcp 46654 -> 192.168.1.14, tcp 52000/60671 -> 192.168.1.36.
-A PREROUTING -s 217.18.140.129/32 -i eth1 -p tcp -m tcp --dport 46654 -j DNAT --to-destination 192.168.1.14
-A PREROUTING -s 195.225.38.62/32 -i eth1 -p tcp -m multiport --dports 52000,60671 -j DNAT --to-destination 192.168.1.36
# tcp 367 -> 192.168.1.9, open to any source.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 367 -j DNAT --to-destination 192.168.1.9
# tcp 80,443,902,903,1368 -> 192.168.1.40 from the two listed sources only.
-A PREROUTING -s 195.208.161.154/32 -i eth1 -p tcp -m multiport --dports 80,443,902,903,1368 -j DNAT --to-destination 192.168.1.40
-A PREROUTING -s 109.194.35.69/32 -i eth1 -p tcp -m multiport --dports 80,443,902,903,1368 -j DNAT --to-destination 192.168.1.40
# tcp 9100 -> 192.168.1.43 from one source only.
-A PREROUTING -s 195.208.161.154/32 -i eth1 -p tcp -m tcp --dport 9100 -j DNAT --to-destination 192.168.1.43
# tcp 9786 -> 192.168.1.15, open to any source.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 9786 -j DNAT --to-destination 192.168.1.15
# tcp 3389 -> 192.168.1.2.
# NOTE(review): the first rule has no "-s" and forwards 3389 from the whole
# Internet; the five per-source rules after it are shadowed and never match.
# If the intent was to limit 3389 to those five addresses, delete the open rule
# and narrow the matching FORWARD rule in *filter the same way.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -s 195.208.161.154/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -s 195.208.161.206/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -s 90.188.88.230/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -s 90.188.88.229/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2
-A PREROUTING -s 90.188.88.82/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.2
# tcp 5900 -> 192.168.1.9 from the three listed sources only.
-A PREROUTING -s 109.194.35.69/32 -i eth1 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.9
-A PREROUTING -s 195.208.161.154/32 -i eth1 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.9
-A PREROUTING -s 195.208.161.206/32 -i eth1 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.9
# tcp/udp 6881 -> 192.168.1.9, open to any source.
-A PREROUTING -i eth1 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.1.9
-A PREROUTING -i eth1 -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.1.9
# Everything leaving eth1 is rewritten to the public address. There is no "-s"
# match, so VPN traffic (10.8.0.0/24 via tun0) forwarded out eth1 is SNATed too.
-A POSTROUTING -o eth1 -j SNAT --to-source 109.194.33.177
COMMIT
# Completed on Mon Dec 16 19:29:43 2013
# Generated by iptables-save v1.4.12 on Mon Dec 16 19:29:43 2013
*filter
# Default-deny for INPUT and FORWARD; OUTPUT from the router itself is open.
:INPUT DROP [1799:72248]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9176:14591432]
# --- traffic addressed to the router itself ---
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Reset NEW connections that begin with SYN,ACK; log (unlimited) and drop any
# other NEW TCP packet that is not a plain SYN.
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "NEW not SYN: "
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
# Ports the router accepts from the LAN (which daemons actually listen on
# them is not shown here).
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m multiport --dports 21,22,53,80,111,139,366,389,445,636,2049,3128,3142,6881 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p udp -m multiport --dports 53,111,123,137,138,139,631,750,2049,5351,6881 -j ACCEPT
# udp 1194 on the Internet side (also reached through the 54236 DNAT in *nat).
-A INPUT -i eth1 -p udp -m multiport --dports 1194 -j ACCEPT
# Echo request from anywhere: the router answers pings on every interface.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# tcp 366 on the public address, open to any source.
-A INPUT -d 109.194.33.177/32 -i eth1 -p tcp -m multiport --dports 366 -j ACCEPT
# VPN clients: tcp/udp 111 and 2049 for the whole VPN subnet, everything for
# 10.8.0.5.
-A INPUT -s 10.8.0.0/24 -i tun0 -p tcp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -i tun0 -p udp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -s 10.8.0.5/32 -i tun0 -j ACCEPT
# Rate-limited log of what falls through to the INPUT DROP policy.
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
# --- routed traffic ---
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# LAN and VPN may reach anything; no per-host or per-port restriction here
# (the per-IP limiting the author wants is left to the shaper via the mark
# in *mangle).
-A FORWARD -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT
# Inbound from the Internet: one ACCEPT per port forward, matched on the
# post-DNAT private address.
-A FORWARD -d 192.168.1.31/32 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 217.18.140.129/32 -d 192.168.1.14/32 -i eth1 -p tcp -m tcp --dport 46654 -j ACCEPT
-A FORWARD -s 195.225.38.62/32 -d 192.168.1.36/32 -i eth1 -p tcp -m multiport --dports 52000,60671 -j ACCEPT
# NOTE(review): no DNAT in *nat targets 192.168.1.29:365, so this rule never
# matches (leftover, or a missing forward).
-A FORWARD -d 192.168.1.29/32 -i eth1 -p tcp -m multiport --dports 365 -j ACCEPT
# tcp 5900 here has no "-s" restriction; only the three per-source DNAT rules
# in *nat actually limit who reaches it, so the FORWARD side is wider than the
# NAT side.
-A FORWARD -d 192.168.1.9/32 -i eth1 -p tcp -m multiport --dports 367,5900,6881 -j ACCEPT
# NOTE(review): no DNAT in *nat targets 192.168.1.200:368, so this rule never
# matches either.
-A FORWARD -d 192.168.1.200/32 -i eth1 -p tcp -m tcp --dport 368 -j ACCEPT
-A FORWARD -s 195.208.161.154/32 -d 192.168.1.40/32 -i eth1 -p tcp -m multiport --dports 80,443,902,903,1368 -j ACCEPT
-A FORWARD -s 109.194.35.69/32 -d 192.168.1.40/32 -i eth1 -p tcp -m multiport --dports 80,443,902,903,1368 -j ACCEPT
# tcp 3389 to 192.168.1.2 accepted from any source (see the note in *nat).
-A FORWARD -d 192.168.1.2/32 -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
# tcp 6881 to 192.168.1.9 is already accepted by the 367,5900,6881 rule above;
# only the udp line adds anything.
-A FORWARD -d 192.168.1.9/32 -i eth1 -p tcp -m tcp --dport 6881 -j ACCEPT
-A FORWARD -d 192.168.1.9/32 -i eth1 -p udp -m udp --dport 6881 -j ACCEPT
-A FORWARD -s 195.208.161.154/32 -d 192.168.1.43/32 -i eth1 -p tcp -m multiport --dports 9100 -j ACCEPT
-A FORWARD -d 192.168.1.15/32 -i eth1 -p tcp -m tcp --dport 9786 -j ACCEPT
# Rate-limited log of forwarded traffic falling through to the DROP policy.
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
COMMIT
# Completed on Mon Dec 16 19:29:43 2013
... для всех в локальной сети
при таких настройках у меня download идёт на полную скорость, upload — примерно на 4 Мбит; менял числа туда-сюда — картина одна и та же. Как бы понять, как это работает?
вроде разобрался — скрипт был кривоват, но вот так и не могу заставить работать MARK