Linux is an open-source operating system based on Unix, widely used both as a server and as a desktop. As a server it is commonly used for internet sharing, firewalls, file servers and e-mail. It was initially written by Linus Torvalds, with help from other programmers over the internet. The first official version of Linux appeared in October 1991, distributed freely over the internet.
A good use for Linux is in embedded systems: a "mini computer" built on a single board and enclosed in some device, such as routers, DVD players, tablets and mobile phones. Since its kernel needs little memory and runs on many kinds of processors, it is ideal for these systems.
The Alix boards from PCEngines are cheap and can run Linux, and since they are x86 you can install many distributions without worrying about compatibility.
I use the alix2d3 model, with 3 network interfaces, 256 MB of RAM, a 500 MHz CPU and a CompactFlash card slot.
This model can also run pfSense (a FreeBSD-based firewall with a web interface, link balancing and other frills). There are ready-made images you can write to the card and boot straight away.
But since installing pfSense is hardly any fun, here we will look at the basic process of installing a "normal" Linux distribution, that is, one not specific to an embedded system.
The only catch is that it has to be a distribution built for i586, i486 or i386.
1 - Download the ISO image of your preferred distribution. In this example I am using Debian 7 "netinst".
2 - Open VMware Workstation (or Player) and create a custom virtual machine with no USB and no hard disk, configured to boot from the downloaded ISO. Plug the CompactFlash card into a USB reader and configure VMware to use the card as a hard disk.
3 - Do a basic Linux installation, with no graphical interface.
4 - Configuration:
By default Debian 7 installs an i686 kernel (the 686-pae flavour, which needs PAE; the Geode CPU on the Alix has none).
It must be removed and the "linux-image-486" kernel installed in its place using apt-get.
To connect to the serial port you need a null-modem serial cable (female connectors, with pins 2 and 3 crossed). Connect it to the serial port (or a USB-serial adapter) and use PuTTY to open the corresponding COM port at 9600 baud (this speed is configured in GRUB and in the board's BIOS).
5 - Optimizations:
Flash memory has a very limited number of write cycles and can corrupt or lose data under heavy writing and modification. These changes reduce write activity on the flash card:
Remove /etc/cron.daily/man-db and /etc/cron.daily/mlocate
Edit /etc/default/tmpfs, setting these options so that /tmp is mounted in RAM (the other options need to be commented out):
Edit the /etc/fstab file to mount /var/log in RAM:
Note: these settings are also for Debian. On other distributions it will differ, but the basic idea is here.
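The three changes from step 5 as one idempotent script, added here as an example and not the author's own configuration. It assumes RAMTMP is the /etc/default/tmpfs switch that puts /tmp on tmpfs (it is on Debian 7); the 32m size and the mount options for /var/log are choices made for this example, not values from the text. ROOT defaults to the live system; pointing it at a copied directory tree lets you check the result first.

```shell
#!/bin/sh
# Added example (not the author's configuration): apply the step 5 flash-wear reductions to a
# Debian 7 style root filesystem, idempotently, so it can be re-run after upgrades.
# Assumptions: RAMTMP is the /etc/default/tmpfs switch for a RAM-backed /tmp (it is, on wheezy);
# the 32m size and the mount options for /var/log are this example's choices, not the text's.

# set_default_option FILE KEY VALUE: replace every active KEY=... line, or append one
set_default_option() {
  file=$1; key=$2; value=$3
  if grep -q "^${key}=" "$file"; then
    sed -e "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# add_fstab_tmpfs FILE MOUNTPOINT SIZE: add a tmpfs line unless MOUNTPOINT is already listed
add_fstab_tmpfs() {
  file=$1; mnt=$2; size=$3
  # a non-comment line whose second field is the mount point means it is already there
  if awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$file"; then
    return 0
  fi
  printf 'tmpfs %s tmpfs defaults,noatime,nosuid,nodev,mode=0755,size=%s 0 0\n' "$mnt" "$size" >> "$file"
}

# apply_flash_optimizations [ROOT]: the three changes from step 5, under ROOT (default: /)
apply_flash_optimizations() {
  root=${1:-}
  # 1. drop the daily jobs that rewrite the man-db and mlocate databases
  rm -f "$root/etc/cron.daily/man-db" "$root/etc/cron.daily/mlocate"
  # 2. /tmp in RAM
  set_default_option "$root/etc/default/tmpfs" RAMTMP yes
  # 3. /var/log in RAM (logs are lost on reboot; see the note below)
  add_fstab_tmpfs "$root/etc/fstab" /var/log 32m
}

# Only touch a filesystem when asked explicitly:  sh flashopt.sh --apply [ROOT]
if [ "${1:-}" = "--apply" ]; then
  apply_flash_optimizations "${2:-}"
fi
```

A tmpfs /var/log disappears at every reboot and starts empty, so daemons that expect their own subdirectory (apt, samba, and others) may fail to log until it is recreated; if you need the router's logs for troubleshooting or for looking into an incident, forward them with rsyslog to another host rather than keeping them only on the card.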
The script below is a NAT firewall for sharing an internet connection, with bandwidth limiting (iptables + tc); the configuration is done in the script itself. Good for running on your new embedded Linux.
Set your upload and download speeds in kbps a little below the real speed (e.g. 5 Mbps download / 512 kbps upload: set DOWNLINK=4800 and UPLINK=500). That way, while a heavy download is running your uploads will not slow down, because the link never saturates, and pings and SSH will respond faster (your downloads should no longer cause lag in games).
You only need the iptables and tc commands (tc comes in the iproute2 package).
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    networking
# Required-Stop:
# Default-Start:     S
# Default-Stop:
# Short-Description:
# Description:       personal firewall
### END INIT INFO
# script based on wondershaper
# firewall.sh - NAT firewall script for Home/SoHo, with Shaper - By RafaelBF
# Shaper requires the latest version of "iproute2", and QoS Kernel modules (HTB, U32, Ingress)
# updated 11/06/2013

################################## CONFIGURATION ###################################################
####################################################################################################
# Path to "iptables" executable
IPTABLES="/sbin/iptables"
# Path to "tc" (iproute2) executable
#TC="/sbin/tc"
TC="/sbin/tc"
# Path to "ip" executable
IP="ip"

############### WAN configuration ###############
# WAN interface (internet). Optional. Leave blank for NoNAT (Router only). Ex: "eth0". Default firewall rule: reject
WAN="eth0"
# Accept connections from WAN to local TCP port(s). The source IP is optional. Ex: "200.123.1.2#22 0.0.0.0/0#21 80 8080"
OPENTCPWAN=""
# Accept connections from WAN to local UDP port(s). The source IP is optional, and goes before the "#". Ex: "80 123 201.200.200.100#53"
OPENUDPWAN=""
# Log rejected connections
LOGWAN="no"

############### LAN configuration ################
# LAN(s) interface(s) (internal lan). Ex: "eth1 eth2". Default firewall rule: accept
LANS="eth1"
# Reject connections from LAN(s) to local TCP port(s). Ex: "23 53 6000"
CLOSETCPLAN=""
# Reject connections from LAN(s) to local UDP port(s). Ex: "137"
CLOSEUDPLAN=""
# Set to "yes" to isolate LANs. (Only allow traffic between WAN and LAN, not LAN to LAN)
LIMITFORWARD="no"
# Local transparent proxy port. Set to "3128" to use with Squid.
#TPROXY="3128"
# Set local (this router) IP to bypass Transparent Proxy when accessing local webserver from Lan
LOCALIP="192.168.0.1"
# WOL - wake on lan - Set an unused IP (same subnet as LOCALIP) to enable support for receiving external WOL packets (port 9 udp). Ex: "192.168.0.252"
DUMMYWOL="192.168.0.254"
# Redirect incoming host & port(s) to local(LAN) host and ports. Ex: "5900#192.168.1.60 80#192.168.1.60:8080 3000:4000#192.168.1.60#200.200.200.200" (this last only accepts from 200.200.200.200 in ports 3000 to 4000)
TCPREDIRECT=""
# Redirect incoming port(s) to host and ports. Ex: "5060:5061#192.168.1.60 10000:20000#192.168.1.60"
UDPREDIRECT=""

##### Shaper configuration (optional) ######
# Set to "yes" to enable Shaper
SHAPER="yes"
# Set the following values to somewhat less than your actual download
# and uplink speed. In kbps. Also set the device that is to be shaped.
DOWNLINK=4800
UPLINK=500
### Priorities (email, http, ftp, ssh, dns already have high priority)
# High priority source hosts (IPs separated with spaces)
HIPRIOHOSTSRC=""
# High priority destination hosts (IPs separated with spaces)
HIPRIOHOSTDST=""
# High priority source ports (ports separated with spaces)
HIPRIOPORTSRC=""
# High priority destination ports (ports separated with spaces)
HIPRIOPORTDST=""
# low priority OUTGOING traffic - you can leave this blank if you want
# low priority source hosts
NOPRIOHOSTSRC=""
# low priority destination hosts
NOPRIOHOSTDST=""
# low priority source ports
NOPRIOPORTSRC="554 4661 4662 4663 4672 4711 5768 6346 6699 6881"
# low priority destination ports
NOPRIOPORTDST="554 4661 4662 4663 4672 4711 5768 6346 6699 6881"
####################################### END OF CONFIGURATION ########################################
#####################################################################################################

########## DO NOT MODIFY ANYTHING BELOW THIS LINE ##########
###### IF YOU NEED TO OPEN/CLOSE/REDIRECT PORTS, #####
######### USE THE CONFIGURATION PARAMETERS ABOVE #######

#modprobe ip_conntrack
#modprobe ip_tables
#modprobe iptable_filter
#modprobe iptable_nat
#modprobe ipt_LOG
#modprobe ipt_limit
#modprobe ipt_MASQUERADE

#### SYSTEM CONFIGURATION ####
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_nat_snmp_basic 2> /dev/null
modprobe ip_nat_ftp 2> /dev/null
modprobe ip_nat_h323 2> /dev/null
modprobe ip_nat_irc 2> /dev/null
modprobe ip_nat_sip 2> /dev/null
# Synflood protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# disable source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# disable redirects acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# dont send redirect packets
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# disable path mtu discovery
#echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
# If "Neighbour table overflow" shows up in the logs, enable the lines below
#echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
#echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
#echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

if [ "$WAN" != "" ]; then
  echo -n "Firewall: WAN=$WAN "
else
  echo -n "Firewall: NONAT "
fi

######## Cleanup old rules / Create default rules #######
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
# Loopback: everything arriving on lo is local, including connections to the router's own
# LAN address (restricting this rule to 127.0.0.1 breaks those)
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP

####### OPEN WAN PORTS #######
# entry format: "port" or "sourcehost#port"
if [ "$WAN" != "" ]; then
  for tcport in $OPENTCPWAN; do
    openwanport=`echo "$tcport" | cut -d# -f2`
    openwanhost=`echo "$tcport" | cut -d# -f1`
    if [ "$openwanport" = "$openwanhost" ]; then
      $IPTABLES -A INPUT -i $WAN -p tcp --dport $openwanport -j ACCEPT
    else
      $IPTABLES -A INPUT -i $WAN -p tcp --dport $openwanport -s $openwanhost -j ACCEPT
    fi
  done
  for udport in $OPENUDPWAN; do
    openwanport=`echo "$udport" | cut -d# -f2`
    openwanhost=`echo "$udport" | cut -d# -f1`
    if [ "$openwanport" = "$openwanhost" ]; then
      $IPTABLES -A INPUT -i $WAN -p udp --dport $openwanport -j ACCEPT
    else
      $IPTABLES -A INPUT -i $WAN -p udp --dport $openwanport -s $openwanhost -j ACCEPT
    fi
  done
fi

## CONNECTIONS FROM LAN(s) ###
echo -n "LAN(s)="
for lan in $LANS; do
  for tcport in $CLOSETCPLAN; do
    $IPTABLES -A INPUT -p tcp -i $lan --dport $tcport -j REJECT --reject-with tcp-reset
  done
  for udport in $CLOSEUDPLAN; do
    $IPTABLES -A INPUT -p udp -i $lan --dport $udport -j REJECT --reject-with icmp-port-unreachable
  done
  # WOL: static broadcast MAC for the dummy address, so the DNAT'ed magic packet is
  # flooded on the LAN (kept outside the CLOSEUDPLAN loop so it also runs when that list is empty)
  if [ "$DUMMYWOL" != "" ]; then
    $IP neigh replace $DUMMYWOL lladdr ff:ff:ff:ff:ff:ff nud permanent dev $lan
  fi
  $IPTABLES -A INPUT -i $lan -j ACCEPT
  echo -n "$lan "
done

### DROP Broadcast from WAN ##
if [ "$WAN" != "" ]; then
  $IPTABLES -A INPUT -i $WAN -d 255.255.255.255 -j DROP
fi

######### FORWARD ###########
# Without a WAN (router only) everything is forwarded; with a WAN, LIMITFORWARD="yes" allows
# only LAN<->WAN traffic and keeps the LANs apart
if [ "$WAN" != "" ] && [ "$LIMITFORWARD" = "yes" ]; then
  $IPTABLES -P FORWARD DROP
  for lan in $LANS; do
    $IPTABLES -A FORWARD -i $lan -o $WAN -j ACCEPT
    $IPTABLES -A FORWARD -i $WAN -o $lan -j ACCEPT
  done
else
  $IPTABLES -P FORWARD ACCEPT
fi

###### TRANSPARENT PROXY ######
if [ "$TPROXY" != "" ]; then
  echo -n ",Tproxy: on"
  for lan in $LANS; do
    if [ "$LOCALIP" != "" ]; then
      $IPTABLES -t nat -A PREROUTING -i $lan ! -d $LOCALIP -p tcp --dport 80 -j REDIRECT --to-port $TPROXY
    else
      $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port $TPROXY
    fi
  done
fi

######### REDIRECTS ##########
# entry format: "port#lanhost[:port][#sourcehost]"
if [ "$WAN" != "" ]; then
  for redir in $TCPREDIRECT; do
    redirport=`echo "$redir" | cut -d# -f1`
    redirhost=`echo "$redir" | cut -d# -f2`
    redirsource=`echo "$redir" | cut -d# -f3`
    if [ "$redirsource" != "" ]; then
      $IPTABLES -t nat -A PREROUTING -i $WAN -p tcp -s $redirsource --dport $redirport -j DNAT --to-destination $redirhost
    else
      $IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport $redirport -j DNAT --to-destination $redirhost
    fi
  done
  for redir in $UDPREDIRECT; do
    redirport=`echo "$redir" | cut -d# -f1`
    redirhost=`echo "$redir" | cut -d# -f2`
    redirsource=`echo "$redir" | cut -d# -f3`
    #for lan in $LANS; do
    #  $IPTABLES -A INPUT -i $lan -p udp --sport $redirport -j ACCEPT
    #done
    if [ "$redirsource" != "" ]; then
      $IPTABLES -t nat -A PREROUTING -i $WAN -p udp -s $redirsource --dport $redirport -j DNAT --to-destination $redirhost
    else
      $IPTABLES -t nat -A PREROUTING -i $WAN -p udp --dport $redirport -j DNAT --to-destination $redirhost
    fi
  done
  if [ "$DUMMYWOL" != "" ]; then
    $IPTABLES -t nat -A PREROUTING -i $WAN -p udp --dport 9 -j DNAT --to-destination $DUMMYWOL
  fi
fi

########### NAT ##############
if [ "$WAN" != "" ]; then
  $IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE
fi

########### CUSTOM RULES ##############
if [ "$WAN" != "" ]; then
  # allow external ssh to the router even when the external port is redirected
  # NOTE: the destination is hard-coded and any WAN source is accepted; to expose a service
  # to one address only, use OPENTCPWAN with a source host instead (ex: "200.123.1.2#22")
  $IPTABLES -A INPUT -i $WAN -p tcp -d 192.168.0.1 --dport 22 -j ACCEPT
  # block SMB on the WAN
  $IPTABLES -A INPUT -i $WAN -p tcp --dport 445 -j DROP
  $IPTABLES -A INPUT -i $WAN -p tcp --dport 139 -j DROP
  $IPTABLES -A INPUT -i $WAN -p udp --dport 138 -j DROP
fi

## block MSN and other sites
#for lan in $LANS; do
#  $IPTABLES -A FORWARD -p tcp --dport 6891:6901 -j DROP
#  $IPTABLES -A FORWARD -p tcp --dport 1863 -j DROP
#  $IPTABLES -A FORWARD -p udp --dport 1863 -j DROP
#  $IPTABLES -A FORWARD -p tcp --dport 5190 -j DROP
#  $IPTABLES -A FORWARD -p udp --dport 5190 -j DROP
#  $IPTABLES -A FORWARD -i $lan -d www.orkut.com -p tcp -j DROP
#  $IPTABLES -A FORWARD -i $lan -d www.orkut.com.br -p tcp -j DROP
#  $IPTABLES -A FORWARD -i $lan -d orkut.com -p tcp -j DROP
#  $IPTABLES -A FORWARD -i $lan -p tcp -d meebo.com -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.meebo.com -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.meebo.com.br -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.ebuddy.com -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.communicationtube.net -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.radiusim.com -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.messengerfx.com -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -p tcp -d www.facebook.com -j REJECT --reject-with tcp-reset
#  $IPTABLES -A FORWARD -i $lan -m string --string "x-msn-messenger" --algo bm -j DROP
#done
# block all internet access
#$IPTABLES -A FORWARD -j REJECT

######## FIREWALL LOG ########
# (placed before the final REJECT/DROP: appended after them, these rules never matched)
if [ "$LOGWAN" = "yes" ]; then
  $IPTABLES -A INPUT -j LOG --log-prefix "iptables: " -m limit --limit 5/minute
  $IPTABLES -A FORWARD -j LOG --log-prefix "iptables: " -m limit --limit 5/minute
fi

##### REJECT/DROP unknown connections ####
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -j DROP

# no Shaper if no Wan
if [ "$WAN" = "" ]; then
  echo
  exit 0
fi

################ Shaper #################
# based on wondershaper and supershaper
if [ "$SHAPER" = "yes" ]; then
  echo -n ", Shaper: ${DOWNLINK} DOWN/${UPLINK} UP kbps"
  ## clean existing down- and uplink qdiscs, hide errors
  $TC qdisc del dev $WAN root 2> /dev/null > /dev/null
  $TC qdisc del dev $WAN ingress 2> /dev/null > /dev/null

  ###### uplink
  # Set how much bandwidth to use for each class (integer kbit)
  UPLINK_10_R=$((UPLINK - 1))
  UPLINK_20_R=$((UPLINK - 3))
  UPLINK_30_R=$((UPLINK - 6))
  UPLINK_40_R=$((UPLINK * 8 / 10))
  UPLINK_50_R=$((UPLINK * 5 / 10))
  UPLINK_60_R=$((UPLINK * 6 / 10))
  # The same as above, but here you set the ceiling, ie. how much a class is allowed to borrow from another
  UPLINK_10_C=$UPLINK
  UPLINK_20_C=$((UPLINK - 2))
  UPLINK_30_C=$((UPLINK - 3))
  UPLINK_40_C=$((UPLINK * 9 / 10))
  UPLINK_50_C=$((UPLINK * 5 / 10))
  UPLINK_60_C=$((UPLINK * 8 / 10))

  ################### QUEUE DISCIPLINES
  # Add root qdisc
  $TC qdisc add dev $WAN root handle 1: htb default 60
  # Add master class
  $TC class add dev $WAN parent 1: classid 1:1 htb rate ${UPLINK}kbit
  # Add prio 0 queue (highest)
  $TC class add dev $WAN parent 1:1 classid 1:10 htb rate ${UPLINK_10_R}kbit ceil ${UPLINK_10_C}kbit prio 0
  $TC qdisc add dev $WAN parent 1:10 handle 10: sfq perturb 10
  # Add prio 1 queue
  $TC class add dev $WAN parent 1:1 classid 1:20 htb rate ${UPLINK_20_R}kbit ceil ${UPLINK_20_C}kbit prio 1
  $TC qdisc add dev $WAN parent 1:20 handle 20: sfq perturb 10
  # Add prio 2 queue
  $TC class add dev $WAN parent 1:1 classid 1:30 htb rate ${UPLINK_30_R}kbit ceil ${UPLINK_30_C}kbit prio 2
  $TC qdisc add dev $WAN parent 1:30 handle 30: sfq perturb 10
  # Add prio 3 queue
  $TC class add dev $WAN parent 1:1 classid 1:40 htb rate ${UPLINK_40_R}kbit ceil ${UPLINK_40_C}kbit prio 3
  $TC qdisc add dev $WAN parent 1:40 handle 40: sfq perturb 10
  # Add prio 4 queue (lowest)
  $TC class add dev $WAN parent 1:1 classid 1:50 htb rate ${UPLINK_50_R}kbit ceil ${UPLINK_50_C}kbit prio 4
  $TC qdisc add dev $WAN parent 1:50 handle 50: sfq perturb 10
  # Add prio 5 queue (default queue)
  $TC class add dev $WAN parent 1:1 classid 1:60 htb rate ${UPLINK_60_R}kbit ceil ${UPLINK_60_C}kbit prio 5
  $TC qdisc add dev $WAN parent 1:60 handle 60: sfq perturb 10

  ################### FILTERS
  # (lower "prio" is evaluated first; filters with the same prio are tried in insertion order)
  # CLASS 10: TCP/ACK
  $TC filter add dev $WAN protocol ip parent 1: prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 \
      match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
  # CLASS 20: VoIP (prio 1) (SIP/skinny packets)
  $TC filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip tos 0x68 0xff flowid 1:20
  # CLASS 20: VoIP (prio 2) (RTP data)
  $TC filter add dev $WAN parent 1: protocol ip prio 2 u32 match ip tos 0xb8 0xff flowid 1:20
  # CLASS 30: IP TOS 0x10 (prio 1) (minimum delay)
  $TC filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip tos 0x10 0xff flowid 1:30
  # CLASS 30: IP TOS 0x04 (prio 2) (maximum reliability)
  $TC filter add dev $WAN parent 1: protocol ip prio 2 u32 match ip tos 0x04 0xff flowid 1:30
  # CLASS 40: ICMP (prio 1)
  $TC filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:40
  # CLASS 40: DNS (prio 2)
  $TC filter add dev $WAN parent 1: protocol ip prio 2 u32 match ip dport 53 0xffff flowid 1:40
  # CLASS 40: Shoutcast (prio 3)
  $TC filter add dev $WAN parent 1: protocol ip prio 3 u32 match ip dport 8000 0xffff flowid 1:40
  # CLASS 40: IP TOS 0x02 (prio 4) (minimum cost)
  $TC filter add dev $WAN parent 1: protocol ip prio 4 u32 match ip tos 0x02 0xff flowid 1:40
  # High Priority
  for a in $HIPRIOPORTDST; do
    $TC filter add dev $WAN parent 1: protocol ip prio 5 u32 match ip dport $a 0xffff flowid 1:40
  done
  for a in $HIPRIOPORTSRC; do
    $TC filter add dev $WAN parent 1: protocol ip prio 6 u32 match ip sport $a 0xffff flowid 1:40
  done
  for a in $HIPRIOHOSTSRC; do
    $TC filter add dev $WAN parent 1: protocol ip prio 7 u32 match ip src $a flowid 1:40
  done
  for a in $HIPRIOHOSTDST; do
    $TC filter add dev $WAN parent 1: protocol ip prio 8 u32 match ip dst $a flowid 1:40
  done
  # CLASS 40: IMAP (prio 9) (with and without SSL)
  $TC filter add dev $WAN parent 1: protocol ip prio 9 u32 match ip dport 143 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 9 u32 match ip dport 220 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 9 u32 match ip dport 993 0xffff flowid 1:40
  # CLASS 40: SMTP (prio 10) (with and without SSL)
  $TC filter add dev $WAN parent 1: protocol ip prio 10 u32 match ip dport 25 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 10 u32 match ip dport 465 0xffff flowid 1:40
  # CLASS 40: POP (prio 11) (with and without SSL)
  $TC filter add dev $WAN parent 1: protocol ip prio 11 u32 match ip dport 106 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 11 u32 match ip dport 109 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 11 u32 match ip dport 110 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 11 u32 match ip dport 995 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 11 u32 match ip dport 1109 0xffff flowid 1:40
  # CLASS 40: HTTP (prio 12) (with and without SSL)
  $TC filter add dev $WAN parent 1: protocol ip prio 12 u32 match ip dport 80 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 12 u32 match ip dport 443 0xffff flowid 1:40
  # CLASS 40: FTP (prio 13) (with and without SSL)
  $TC filter add dev $WAN parent 1: protocol ip prio 13 u32 match ip dport 20 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 13 u32 match ip dport 21 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 13 u32 match ip dport 115 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 13 u32 match ip dport 2431 0xffff flowid 1:40
  $TC filter add dev $WAN parent 1: protocol ip prio 13 u32 match ip dport 2433 0xffff flowid 1:40
  # CLASS 40: SSH (prio 14) (without tos bit set, caters for buggy clients like PuTTY and ssh.com windows client)
  $TC filter add dev $WAN parent 1: protocol ip prio 14 u32 match ip dport 22 0xffff match ip tos 0x00 0xff flowid 1:40
  # CLASS 40: IP TOS 0x08 (prio 15) (maximum throughput)
  $TC filter add dev $WAN parent 1: protocol ip prio 15 u32 match ip tos 0x08 0xff flowid 1:40
  # CLASS 50: Low Priority
  for a in $NOPRIOPORTDST; do
    $TC filter add dev $WAN parent 1: protocol ip prio 1 u32 match ip dport $a 0xffff flowid 1:50
  done
  for a in $NOPRIOPORTSRC; do
    $TC filter add dev $WAN parent 1: protocol ip prio 2 u32 match ip sport $a 0xffff flowid 1:50
  done
  for a in $NOPRIOHOSTSRC; do
    $TC filter add dev $WAN parent 1: protocol ip prio 3 u32 match ip src $a flowid 1:50
  done
  for a in $NOPRIOHOSTDST; do
    $TC filter add dev $WAN parent 1: protocol ip prio 4 u32 match ip dst $a flowid 1:50
  done
  # CLASS 60: rest
  # (prio 99 so it is tried last: at prio 1 it shadowed every filter above with prio >= 2)
  $TC filter add dev $WAN parent 1: protocol ip prio 99 u32 match ip dst 0.0.0.0/0 flowid 1:60

  ########## Downlink #############
  # slow downloads down to somewhat less than the real speed to prevent
  # queuing at our ISP. Tune to see how high you can set it.
  # ISPs tend to have *huge* queues to make sure big downloads are fast
  #
  # attach ingress policer:
  $TC qdisc add dev $WAN handle ffff: ingress
  # filter *everything* to it (0.0.0.0/0), drop everything that's
  # coming in too fast:
  $TC filter add dev $WAN parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${DOWNLINK}kbit burst 10k drop flowid :1
fi
echo
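After loading a ruleset like the one above, the thing worth checking from the outside is what the WAN interface accepts from anyone. The script below is an added example, not part of the firewall script: it reads a ruleset in the format `iptables-save` prints and reports the INPUT policy and every ACCEPT rule bound to the WAN interface that carries no source restriction. The two rulesets in it are constructed samples, not captures from a real router; the interface name eth0 and the 203.0.113.10 source address are assumptions.

```shell
#!/bin/sh
# Added example (not part of the firewall script): audit a saved ruleset, in the format
# `iptables-save` prints, for the WAN-side invariants the script is meant to establish:
# INPUT policy DROP, and no ACCEPT rule on the WAN interface that is open to every source.
# Both rulesets below are constructed samples, not captured from a real router.

# Constructed: what the script saves with OPENTCPWAN="22 0.0.0.0/0#21 203.0.113.10#80".
# iptables-save drops the redundant "-s 0.0.0.0/0", so "0.0.0.0/0#21" and a bare "21"
# end up identical: both accept FTP control connections from anyone.
WEAK_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
COMMIT'

# Constructed: the same router with OPENTCPWAN="203.0.113.10#22 203.0.113.10#80".
HARDENED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# chain_policy RULES CHAIN: print the default policy of CHAIN (e.g. DROP)
chain_policy() {
  printf '%s\n' "$1" | sed -n -e "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# wan_open_ports RULES IFACE: print "proto port" for each INPUT ACCEPT rule bound to IFACE
# that has no source (-s) restriction; "any any" marks a rule with no protocol or port at all
wan_open_ports() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    $1 == "-A" && $2 == "INPUT" {
      proto = "any"; port = "any"; src = ""; iface = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i") iface = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") port = $(i + 1)
        else if ($i == "-s") src = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      if (iface == ifc && target == "ACCEPT" && src == "") print proto, port
    }'
}

# audit_wan RULES IFACE: return 0 when the ruleset passes, 1 with one warning per finding
audit_wan() {
  rc=0
  if [ "$(chain_policy "$1" INPUT)" != "DROP" ]; then
    echo "WARN: INPUT policy is not DROP"
    rc=1
  fi
  findings=$(wan_open_ports "$1" "$2")
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings" | while read -r proto port; do
      echo "WARN: $proto/$port on $2 accepts connections from any source"
    done
    rc=1
  fi
  return $rc
}

# Example run: the weak set fails (ssh and ftp open to the world), the hardened set passes.
audit_wan "$WEAK_RULES" eth0 || echo "weak ruleset: FAILED"
audit_wan "$HARDENED_RULES" eth0 && echo "hardened ruleset: OK"
```

On the router itself, feed it the live table with `audit_wan "$(iptables-save)" "$WAN"`; run against eth1 it reports "any any", which is exactly the script's intended LAN-side policy and a reminder that the same rule on the WAN side would be a finding.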
What embedded systems are:
http://pt.wikipedia.org/wiki/Sistemas_embarcados
http://en.wikipedia.org/wiki/Embedded_system