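#!/bin/bash
#
# Mark outbound traffic on the WAN interface (mangle table) so a downstream
# tc/qdisc policy can classify on fwmark:
#   fwmark 10 = interactive / high priority
#   fwmark 20 = bulk / low priority
#
# Usage: WANIF=eth0 ./this-script     (WANIF defaults to "wan")
#
# NOTE(review): every classifier below keys on fields the sender controls
# (TOS bits, source/destination port, packet size).  Any LAN host or remote
# peer can put its traffic into the high-priority class by setting TOS
# Minimize-Delay, using port 22/80/21, or sending small packets.  Treat this
# as a convenience shaper, not an enforcement boundary.

set -x
# Abort on the first failing iptables call rather than silently continuing
# and leaving a half-built rule set behind.
set -eu

WANIF="${WANIF:-wan}"
readonly WANIF

# Clean up: flush every rule and remove every user chain in the mangle table.
# Other tables (filter, nat) are untouched.
iptables -t mangle -F
iptables -t mangle -X

# Default: everything leaving via WAN is bulk (mark 20).  These are inserted at
# the head of each chain so that the more specific rules appended below run
# after them; MARK is non-terminating, so the last matching MARK wins.
iptables -t mangle -I FORWARD -o "$WANIF" -j MARK --set-mark 20
iptables -t mangle -I OUTPUT  -o "$WANIF" -j MARK --set-mark 20

# ssh vs scp: split on the TOS value the ssh peer sets on its packets
# (Minimize-Delay -> interactive, Maximize-Throughput -> bulk).  Packets with
# neither TOS value keep whatever mark they already carry.
iptables -t mangle -N marksshscp
iptables -t mangle -A marksshscp -o "$WANIF" -m tos --tos Minimize-Delay      -j MARK --set-mark 10
iptables -t mangle -A marksshscp -o "$WANIF" -m tos --tos Maximize-Throughput -j MARK --set-mark 20

# Locally generated sshd replies (sport 22) and forwarded ssh client traffic
# (dport 22) both go through the split above.
iptables -t mangle -A OUTPUT  -p tcp --sport 22 -j marksshscp
iptables -t mangle -A FORWARD -p tcp --dport 22 -j marksshscp

# Forwarded web requests: high priority.
iptables -t mangle -A FORWARD -p tcp --dport 80 -j MARK --set-mark 10

# FTP control channel (not the data channel): high priority.
iptables -t mangle -A FORWARD -p tcp --dport 21 -j MARK --set-mark 10
iptables -t mangle -A OUTPUT  -p tcp --dport 21 -j MARK --set-mark 10

# Locally generated IPv6-in-IPv4 (protocol 41) tunnel packets: high priority.
iptables -t mangle -A OUTPUT -p ipv6 -j MARK --set-mark 10

# Small forwarded TCP packets (IP length <= 128: handshake segments, pure
# ACKs, small interactive segments): high priority.  This is appended last on
# purpose so it overrides the bulk mark for e.g. the ACK stream of an scp.
iptables -t mangle -A FORWARD -p tcp -m length --length 0:128 -j MARK --set-mark 10


# Everything below this point is intentionally disabled (older layer7-based
# variant kept for reference).
exit 0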




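# ---------------------------------------------------------------------------
# DISABLED: the `exit 0` above means nothing from here on is executed.  This is
# the older layer7-based classifier, kept for reference.  If it is ever
# re-enabled, note:
#   * `-m layer7` needs the out-of-tree l7-filter xtables module; on a kernel
#     without it every layer7 rule below fails.  NOTE(review): layer7 matching
#     is pattern-based and a peer can shape its payload to evade or trigger it,
#     so it is not an enforcement control either.
#   * The `-I` defaults here would be inserted in front of the mark-20 defaults
#     the active section above already inserted; since the last matching MARK
#     wins, those earlier rules would then override these (presumably not the
#     intent) — confirm rule order before re-enabling.
# ---------------------------------------------------------------------------

# default to high prio for forwarded traffic and for local traffic.
iptables -t mangle -I FORWARD -o "$WANIF" -j MARK --set-mark 10
iptables -t mangle -I OUTPUT  -o "$WANIF" -j MARK --set-mark 10

# low prio for the bulk-data source port range.
iptables -t mangle -A FORWARD -o "$WANIF" -p tcp --sport 50000:50500 -j MARK --set-mark 20

### layer7 filtering ###
# Low prio for bittorrent (connection mark 25) and ftp (connection mark 20).
# CONNMARK stores the value on the conntrack entry; it only reaches the packet
# mark through the --restore-mark rule below.
iptables -t mangle -A FORWARD -m layer7 --l7proto bittorrent -j CONNMARK --set-mark 25
iptables -t mangle -A FORWARD -m layer7 --l7proto ftp        -j CONNMARK --set-mark 20

# Copy the connection mark onto each outbound packet.
iptables -t mangle -A FORWARD -o "$WANIF" -j CONNMARK --restore-mark

# raise prio for small ACK-packets (left disabled).
#iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ACK -m state --state ESTABLISHED -m length --length 40:100 -j MARK --set-mark 10


# separate out scp and ssh traffic.
# The active section above already creates this chain, so a plain `-N` would
# fail with "Chain already exists"; create it if missing, otherwise flush it.
iptables -t mangle -N marksshscp 2>/dev/null || iptables -t mangle -F marksshscp
# some clients don't set the TOS field correctly... hack around it (disabled).
#iptables -t mangle -A marksshscp -m tos --tos Normal-Service -m length --length 0:128 -j TOS --set-tos Minimize-Delay
#iptables -t mangle -A marksshscp -m tos --tos Normal-Service -m length --length 128: -j TOS --set-tos Maximize-Throughput
# ... and mark traffic accordingly.
iptables -t mangle -A marksshscp -o "$WANIF" -m tos --tos Minimize-Delay      -j MARK --set-mark 10
iptables -t mangle -A marksshscp -o "$WANIF" -m tos --tos Maximize-Throughput -j MARK --set-mark 20

# send ssh traffic (as detected by layer7) to the "marksshscp" chain.
iptables -t mangle -A FORWARD -m layer7 --l7proto ssh -j marksshscp
iptables -t mangle -A OUTPUT  -m layer7 --l7proto ssh -j marksshscp

#iptables -t mangle -A FORWARD -j CONNMARK --save-mark

# High prio for small forwarded TCP packets (IP length <= 128: handshake
# segments and pure ACKs).  The flag-based variants below were never enabled.
iptables -t mangle -A FORWARD -p tcp -m length --length 0:128 -j MARK --set-mark 10
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN,ACK -j MARK --set-mark 10
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 10
#iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST,ACK ACK -j MARK --set-mark 10





exit 0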
