Configuration

fwrtc basically consists of two files:

It should not be necessary to touch the hotplug script, so adjusting the configuration values should be enough to complete the first part of the setup process.

The second part consists of defining iptables rules for classifying traffic. fwrtc provides three tc-filters (one for each class), matching different firewall marks (see the MARK target of iptables).

See the example below for some inspiration on how to implement the rules:

[label=sample set of iptables rules for fwrtc]
### create the tc chain and send traffic leaving eth0 through it
iptables -t mangle -N tc
iptables -t mangle -A POSTROUTING -o eth0 -j tc

### match ip tos Minimum-Delay
iptables -t mangle -A tc -m tos --tos 0x10 -j MARK --set-mark 0x1
iptables -t mangle -A tc -m tos --tos 0x10 -j RETURN

### fish out tcp syn, syn-ack and ack packets (no piggyback!)
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
        --tcp-flags SYN,FIN,RST SYN -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
        --tcp-flags SYN,FIN,RST SYN -j RETURN
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
        --tcp-flags SYN,ACK,FIN,RST ACK -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
        --tcp-flags SYN,ACK,FIN,RST ACK -j RETURN

### prioritize icmp packets
iptables -t mangle -A tc -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A tc -p icmp -j RETURN

### dns traffic
iptables -t mangle -A tc -p tcp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp --dport 53 -j RETURN
iptables -t mangle -A tc -p udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A tc -p udp --dport 53 -j RETURN

### games
iptables -t mangle -A tc -m layer7 --l7proto quake-halflife -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto quake-halflife -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto battlefield1942 -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto battlefield1942 -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto battlefield2 -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto battlefield2 -j RETURN

### voip
iptables -t mangle -A tc -m layer7 --l7proto sip -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto sip -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto rtp -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto rtp -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto skypetoskype -j MARK --set-mark 0x1
iptables -t mangle -A tc -m layer7 --l7proto skypetoskype -j RETURN

### crappy p2p traffic
iptables -t mangle -A tc -m layer7 --l7proto bittorrent -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto bittorrent -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto edonkey -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto edonkey -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto fasttrack -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto fasttrack -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto gnutella -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto gnutella -j RETURN
iptables -t mangle -A tc -m layer7 --l7proto napster -j MARK --set-mark 0x3
iptables -t mangle -A tc -m layer7 --l7proto napster -j RETURN
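
MARK is a non-terminating target, which is why every MARK rule in the sample is followed by a RETURN with the same match; if the two matches drift apart, the packet keeps traversing the chain and a later rule can overwrite its mark. The check below is an added example, not part of fwrtc: it assumes the chain is named tc as in the sample and that the three classes use marks 0x1 to 0x3, and the embedded rule set is constructed.

```sh
#!/bin/sh
# Added example. Assumption: the three fwrtc classes use marks 0x1..0x3.

# Constructed sample rule set; the last pair contains a deliberate typo.
sample_rules() {
    cat <<'EOF'
iptables -t mangle -A POSTROUTING -o eth0 -j tc
### correctly paired
iptables -t mangle -A tc -p icmp -j MARK --set-mark 0x1
iptables -t mangle -A tc -p icmp -j RETURN
### continuation lines are joined before comparing
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
        --tcp-flags SYN,FIN,RST SYN -j MARK --set-mark 0x1
iptables -t mangle -A tc -p tcp -m length --length 44:84 \
        --tcp-flags SYN,FIN,RST SYN -j RETURN
### typo: RETURN matches a different port than the MARK rule
iptables -t mangle -A tc -p udp --dport 53 -j MARK --set-mark 0x1
iptables -t mangle -A tc -p udp --dport 35 -j RETURN
EOF
}

# Read iptables commands on stdin; print one line per problem and
# return 1 if any "-A tc" MARK rule lacks an identical-match RETURN
# directly after it, or sets a mark outside the assumed range.
check_pairs() {
    awk '
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join continued lines
    {
        line = buf $0; buf = ""
        gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
        if (line !~ /^iptables .*-A tc /) next   # comments, other chains
        m = line; sub(/ -j .*/, "", m)           # match part, target removed
        if (pending != "") {
            ok = (line ~ / -j RETURN$/ && m == pending)
            if (!ok) { print "no matching RETURN after: " pline; bad++ }
            pending = ""
            if (ok) next
        }
        if (line ~ / -j MARK --set-mark /) {
            mark = line; sub(/.* --set-mark /, "", mark)
            if (mark !~ /^0x[123]$/) { print "unexpected mark " mark ": " line; bad++ }
            pending = m; pline = line
        }
    }
    END {
        if (pending != "") { print "no matching RETURN after: " pline; bad++ }
        exit (bad > 0)
    }'
}
```

Feed your own rule file to `check_pairs` on stdin before loading it; an empty result with exit status 0 means every MARK rule has its RETURN.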