-
Notifications
You must be signed in to change notification settings - Fork 5
/
fairnat.config
237 lines (200 loc) · 8.99 KB
/
fairnat.config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
# ----------------------------------------------------------------------------
# File: /etc/ppp/fairnat.config
# Description: Example configuration file for the fairnat.sh Script
# You should be able to do pretty much everything here.
# Change FAIRNAT_CONFIG in fairnat.sh if you want another default
# location for this configuration file. This variable is at the
# beginning of the script.
# Version: 0.80
# ----------------------------------------------------------------------------
# --- Features ---
# Specify what you want Fair NAT to do here.
# Leave things you don't want out. See below for a list.
# If you don't know what to do here, leave as is.
# Order does not matter.
FEATURES="PROC MODULES RESET NAT FORWARD QOS_DOWN QOS_UP TOS"
# PROC:
# Allow Fair NAT to change some system variables in /proc,
# like setting /proc/sys/net/ipv4/ip_forward to 1.
#
# MODULES:
# Try to load kernel modules for QoS first.
#
# RESET:
# Fair NAT will replace all existing iptables rules with
# a very basic configuration. Not healthy for firewalls.
# See README for details on firewall compatibility.
# (Even without this, Fair NAT will reset it's own rules.)
#
# NAT:
# Fair NAT will configure NAT.
#
# FORWARD:
# Fair NAT will configure port forwarding.
#
# QOS_DOWN:
# Configure LAN device for download shaping.
# Existing shaping rules for the LAN device will be removed.
#
# QOS_UP:
# Configure Internet device for upload shaping.
# Existing shaping rules for the Internet device will be removed.
#
# TOS:
# Allow Fair NAT to change TOS (type-of-service) flag of packets.
# Right now, Fair NAT heavily relies on this TOS field for shaping,
# so using this feature is highly recommended.
# --- LAN ---
# Specify the network device which is connected with your clients.
# The script assumes that this device has one static IP.
DEV_LAN=eth1
# Please tell me how fast your local area network is in kbit/s.
# It must be higher than your internet connection speed.
#
# If your internet connection is the same speed as your LAN, use
# a higher value here anyway - collisions between download and
# local traffic can't be avoided then.
#
# Default is 2MBit. Please keep in mind that even on
# a 10Mbit/100MBit LAN you rarely can use the full rate (because
# of overhead, collisions, etc.).
RATE_LAN=2mbit
# --- Internet ---
# Specify the network device that is connected to the internet.
# If you are a dialup user, you have to re-run the script every
# time you redial.
DEV_NET=ppp0
# Specify the upload speed of your internet connection in kbit/s.
# Since ISPs tend to overestimate the speeds they offer, it would
# probably be best if you measure this on a free line.
RATE_UP=128kbit # 128 kbit (common value for DSL in germany)
# Specify the download speed of your internet connection in kbit/s.
# Same as RATE_UP, you probably should measure this.
RATE_DOWN=768kbit # 768 kbit (common value for DSL in germany)
# In order to prevent traffic queuing at the ISP side or in your modem,
# we shape to a slightly lower rate. This way the bottleneck is the router,
# not the ISP or modem, which allows us more direct control of shaping.
# Per default, we sub 5% of bandwidth for this. If you do not have the
# bottleneck problem, set it to 0.
RATE_SUB_PERCENT=5
# How much % of the bandwidth should be allowed for the router?
# Use a minimum of 1 here, since the router usually always needs
# some bandwidth, for example for DNS queries to the outer world,
# or SSH sessions from the outer world.
RATE_LOCAL_PERCENT=5
# --- Clients: ---
# Specify the clients for which we do Masquerading and Shaping.
# The script assumes that all clients have static IPs in the
# same subnet as your LAN device.
#
# Example: If the IP of DEV_LAN is 192.168.100.42, the line above
# means that 192.168.100.2, 192.168.100.5, etc., are
# the IPs of your clients.
# 6:23:25 is a group of 3 IPs that all belong to the same user.
# Use this notation if a single person has more than one machine
# /IP connected to the router.
#
# New: You can also specify a custom ceil rate per user.
# Syntax: <user>@<down_ceil>[|<up_ceil>]
# However, ceil has to be bigger than the guaranteed rate,
# otherwise you will get weird results.
USERS="2 5 6:23:25 183@1mbit|100kbit"
# If you have clients which need certain port (ranges) to be forwarded,
# specify them here. The format is "client port client port ...".
# The example below will forward ports 4000-6999 to 192.168.100.2 and
# ports 2000-3999 to 192.168.100.183.
PORTS="2 4000:6999 183 2000:3999"
# PORTS="" # this disables port forwarding.
# This setting affects the class structure set for each user.
# "default": one HTB class per user and puts PRIO and SFQ on top of it.
# "wonder": uses ~3 HTB classes per user and uses HTB prio parameter.
# Very similar to the structure used in Bert Hubert's Wondershaper.
CLASS_MODE="default"
# Are users allowed to 'borrow' other user's bandwidth if they don't use them?
# Usually this is a good thing, even if you never have inactive clients.
# Set to 0 if you don't want to allow users to borrow other users bandwidth.
BORROW=1
# Usually, each user may use up to $RATE_UP / $RATE_DOWN (see above), e.g. all
# available bandwidth, as long as the line is free. If you want a lower limit,
# you can set it here.
#
# For example, you have a 500kbit line but don't want a single client to use
# more than 300kbit for himself. Then you set RATE_DOWN above to 500 and
# this variable here to 300.
#
# CEIL_USER_UP=0
# CEIL_USER_DOWN=0
# --- Support for IPP2P (Experimental) ---
# If you want to use IPP2P (marking & tracking P2P connections), set to 1.
# To use IPP2P, you need a patched kernel and iptables. Unless you activate
# dropping below, you also need the CONNMARK patch.
# Learn more about IPP2P here:
# http://rnvs.informatik.uni-leipzig.de/ipp2p/index_en.html (english)
# or http://rnvs.informatik.uni-leipzig.de/ipp2p/index.html (german)
IPP2P_ENABLE=0
# Tell us which options to use for IPP2P:
# Default: Cover all P2P protocols.
# See IPP2P documentation for details.
IPP2P_OPTIONS="--ipp2p --apple --bit"
# Let IPP2P check UDP packets also? Set to 1 if you want that feature.
# An up-to-date IPP2P version is required for this.
IPP2P_UDP=0
# If P2P traffic should be forbidden in general, set to 1.
# Otherwise P2P will be allowed with lowest priority.
# This only has an effect if IPP2P_ENABLE=1
# Please note that only new connections will be affected.
IPP2P_DROP_ALL=0
# Together with IPP2P_DROP_ALL=1, this setting will allow dropping
# of already existing & marked connections. Use this only if you
# sometimes switch from allowing P2P to dropping P2P.
IPP2P_DROP_MARKED=0
# --- Hacks ---
# This section is for all the bloody stuff. Well, it's not as bad as it sounds,
# but you should read a bit of external documentation before using these.
# No, I'm not explaining them here. You should know what you're doing.
# * MSS Clamping
# Work around bad MTU settings.
# See also http://www.lartc.org/lartc.html#LARTC.COOKBOOK.MTU-MSS)
MSS_CLAMPING=0
# MSS_CLAMPING="--clamp-mss-to-pmtu"
# MSS_CLAMPING="--set-mss 128"
# * Set Time To Live (TTL) of outgoing packets
# Specify the maximum number of hops to the clients here. A too low value will
# effectively break your internet connection.
# See also http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TTLTARGET
TTL_SET=0
# TTL_SET=64
# * Specify overhead for HTB
# From the LARTC Howto on MPU:
# "A zero-sized packet does not use zero bandwidth. For ethernet, no packet
# uses less than 64 bytes. The Minimum Packet Unit determines the minimal
# token usage for a packet."
HTB_MPU=0
# HTB_MPU=64 # Ethernet
# HTB_MPU=106 # According to Andy Furniss, this value is suited for DSL users
# Specify overhead per packet for HTB.
HTB_OVERHEAD=0
# I don't use this myself yet. :-P Tell me some good values.
# The following is in the hacks section because it could allow running
# multiple instances of Fair NAT on a single server (whatever you'd want
# that for). The prefix is used for iptables chains used by Fair NAT.
FAIRNAT_PREFIX="FAIRNAT"
# --- Binaries ---
# For this script, you need a tc-tool that supports HTB.
# Per default, the script looks first for tc-htb, then for tc.
# Set name directly if your HTB-enabled tc is called something else.
# BIN_TC=`which tc` use this if your binary is called tc
# BIN_TC="/root/bin/my_tc" or set the full path directly like this.
# All binarys used by Fair NAT can be configured like BIN_TC above:
#
# BIN_IPT: iptables (with support for HTB and probably IPP2P)
# BIN_TC: tc (with support for HTB, see above)
# BIN_IFC: ifconfig
# BIN_GREP: grep
# BIN_SED: sed
# BIN_ECHO: echo
# BIN_MODPROBE modprobe
#
# If you don't specify these, the first binary found in your PATH
# will be used, which should work for most people.
# ----------------------------------------------------------------------------