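#!/bin/bash
#
# Traffic-marking policy for an outbound QoS setup.
#
# Packets leaving through $WANIF are tagged in the iptables mangle table with
# fwmark 10 (low priority) or 20 (high priority) for a traffic shaper that is
# configured elsewhere. This script only sets marks -- it accepts or drops
# nothing and is not a security boundary; a LAN host can obtain the high
# priority class simply by sending UDP or traffic that looks like HTTP/SSH.
#
# Requirements: root, and the out-of-tree iptables "layer7" match
# (xt_layer7). A missing module aborts the run instead of leaving a
# half-applied policy behind.
#
# Environment:
#   PRIOIP - optional, space-separated list of source IPs whose forwarded
#            traffic is always marked high priority.
#
#set -x

# Fail on the first iptables error or unset variable: a partially installed
# mark set is worse than none, because the shaper would classify silently.
set -eu -o pipefail

WANIF="wan"
# Space-separated list of always-high-priority source IPs. Taken from the
# environment when set, empty otherwise (word-splitting below is intended).
#PRIOIP="10.185.10.254"
PRIOIP="${PRIOIP:-}"

# iptables needs CAP_NET_ADMIN; fail early with a readable message.
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# clean up
# NOTE: this flushes every chain of the mangle table, including any rules
# that were not installed by this script.
iptables -t mangle -F

# default to low prio for forwarded traffic and high for local.
# Both rules are inserted at the head of their chains; everything appended
# below overrides them for the matching traffic.
iptables -t mangle -I FORWARD -o "$WANIF" -j MARK --set-mark 10
iptables -t mangle -I OUTPUT -o "$WANIF" -j MARK --set-mark 20

# tag high prio traffic.
for pip in $PRIOIP ; do
  iptables -t mangle -A FORWARD -s "$pip" -o "$WANIF" -j MARK --set-mark 20
done

# raise prio for UDP-traffic and TCP-ACKs.
# The ACK rule matches packets with only the ACK flag set, 40-100 bytes in
# total, on established connections, in any direction.
# NOTE(review): because the FORWARD default rule above is inserted before
# the appended rules and unconditionally resets outbound packets to 10, the
# PREROUTING mark appears to be discarded for forwarded WAN-bound ACKs --
# confirm against the running rule set before relying on it.
iptables -t mangle -A FORWARD -o "$WANIF" -p udp -j MARK --set-mark 20
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -m length --length 40:100 -j MARK --set-mark 20

# [OLD] Raise prio for Web and SSH traffic.
#iptables -t mangle -A FORWARD -o $WANIF -p tcp --dport 80 -j MARK --set-mark 20
#iptables -t mangle -A FORWARD -o $WANIF -p tcp --dport 22 -j MARK --set-mark 20

# [OLD] raise prio for VNC/RDP-ports.
#iptables -t mangle -A FORWARD -o $WANIF -p tcp --sport 5900 -j MARK --set-mark 20
#iptables -t mangle -A FORWARD -o $WANIF -p tcp --sport 3389 -j MARK --set-mark 20

# layer7 filtering, set HTTP-, RDP-, VNC- and SSH-traffic to high prio.
# Deliberately not restricted to -o $WANIF: the classifier needs payload from
# both directions. layer7 is regex-based payload inspection -- it is costly
# and trivially mimicked, so it is only suitable for QoS, never for access
# control.
iptables -t mangle -A FORWARD -m layer7 --l7proto ssh -j MARK --set-mark 20
iptables -t mangle -A FORWARD -m layer7 --l7proto http -j MARK --set-mark 20
iptables -t mangle -A FORWARD -m layer7 --l7proto rdp -j MARK --set-mark 20
iptables -t mangle -A FORWARD -m layer7 --l7proto vnc -j MARK --set-mark 20

# http is matched on return, make sure it's fast all the way, but keep bittorrent away.
# Port 80 is marked high first, then demoted again if layer7 recognises
# BitTorrent tunnelled over it.
iptables -t mangle -A FORWARD -o "$WANIF" -p tcp --dport 80 -j MARK --set-mark 20
iptables -t mangle -A FORWARD -o "$WANIF" -p tcp --dport 80 -m layer7 --l7proto bittorrent -j MARK --set-mark 10

# override high prio ip's for certain ports.
iptables -t mangle -A FORWARD -o "$WANIF" -p tcp --sport 50000:50500 -j MARK --set-mark 10

# insert CONNMARK save/restor first and last!
# restore-mark is inserted at the very top of FORWARD; save-mark is appended
# last so the final per-packet mark is remembered on the connection.
# NOTE(review): the restored mark is overwritten by the default rule for
# -o $WANIF traffic, so the restore appears to matter only for the return
# direction -- verify this is the intended behaviour.
iptables -t mangle -I FORWARD -j CONNMARK --restore-mark
iptables -t mangle -A FORWARD -j CONNMARK --save-mark

exit 0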
