Home
If the default directory values and configuration file names are suitable for you:
curl -sS https://raw.githubusercontent.com/darton/fw/master/install.sh | bash
Piping the download straight into bash runs the installer (as root) without giving you a chance to read it; if you want to review it or change the configuration before installation, download it first:
wget https://raw.githubusercontent.com/darton/fw/master/install.sh
After making changes:
bash ./install.sh
fw.sh
Usage: fw.sh start|stop|restart|reload|stats|lmsd|qos|status|maintenance-on|maintenance-off
Necessary configuration files for the script (default is empty):
Contains a list of host IPs, one per line, in the format: "grantedhost|deniedhost|warnedhost ip_address".
grantedhost 192.168.102.101
grantedhost 192.168.102.105
deniedhost 192.168.102.105
Such a file can be generated by a properly configured LMS using an LMSD instance named hostfile.
Contains a list of hosts with private IP addresses NAT’ed 1-1 to public addresses in the format: "grantedhost|deniedhost|warnedhost private_ip_address public_ip_address".
Such a file can be generated by a properly configured LMS using an LMSD instance named hostfile.
Contains a list in the format: "ip_list_filename public_ip_address", describing the links between files with private IP addresses and corresponding public IP addresses to which they will be NATed. The name "ip_list_filename" is also the name of the ipset list created based on the IP addresses in this file.
If many private IP addresses are to share one public address, we create a separate file for each public address, e.g., fw_nat_ip1, fw_nat_ip2, fw_nat_ip3, fw_nat_ip4, etc. Each file contains a list of host IP addresses with their statuses (grantedhost|deniedhost). The fw_nat_1-n file records the links between these files and the public IP addresses to which their hosts will be NATed.
Example contents of the fw_nat_1-n file:
fw_nat_ip1 172.16.0.1
fw_nat_ip2 172.16.0.111
fw_nat_ip3 172.16.0.222
fw_nat_ip4 172.16.0.253
Then, all IP addresses contained in the fw_nat_ip1 file will be NATed to the address 172.16.0.1, and all IP addresses in the fw_nat_ip2 file will be NATed to the IP address 172.16.0.111, and so on.
Such a file can be generated by a properly configured LMS using an LMSD instance named hostfile.
Files with IP addresses to be NATed to one specific IP address. Example contents:
grantedhost 192.168.102.96
deniedhost 192.168.102.99
The file names can be arbitrary, they just need to be consistent with what is in the fw_nat_1-n file. The example describes the configured names shown in the screenshots.
Such files can be generated by a properly configured LMS using an LMSD instance named hostfile.
Used to maintain a registry of networks and gateway IP addresses to which these networks should be routed in the format: network/prefix gateway_ip_address. Example contents:
172.16.0.128/30 172.16.1.7
172.16.1.128/30 172.16.1.8
172.16.3.128/30 172.16.1.9
Such a file can be generated by a properly configured LMS using an LMSD instance named hostfile.
Contains a list of TCP/IP ports in the format: port_number.
Such a file can be generated by a properly configured LMS using an LMSD instance named hostfile.

Contains a list of IP addresses and networks.
Such a file can be generated by a properly configured LMS using an LMSD instance named hostfile.
Contains a ready-made configuration file for the DHCP server.
Such a file can be generated by a properly configured LMS using an LMSD instance named dhcp.
Once we have the configuration files ready, we start the firewall with the command fw.sh start.
fw.sh start starts the firewall by reading the parameters contained in the configuration files, restarts the DHCP server, and loads the shaper rules.
fw.sh stop stops the firewall, disables packet forwarding, and restores the default iptables policies (e.g., FORWARD policy DROP).
fw.sh restart runs fw.sh stop and then fw.sh start, which removes all iptables and ipset rules and recreates them; existing connections are broken and transmission is interrupted for a few seconds.
fw.sh reload changes only the iptables rules that have changed: it removes or adds individual iptables rules, or replaces ipset tables. To avoid a noticeable interruption in packet transmission for all users, use reload rather than restart when making changes.
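The list files described above and the reload semantics, as an added worked example that is not part of the fw project: it parses a host-status list and a fw_nat_1-n map, refuses conflicting or malformed entries, and emits the ipset and iptables commands they imply as text for review. Rebuilding a set in a scratch set and swapping it in is what lets a reload replace an ipset without a moment in which it is empty. The interface name eth0, the scratch-set naming, the hash:ip set type and the exact rule shapes are assumptions, not taken from fw.sh; the sample inputs are constructed from the examples on this page.

```python
import ipaddress

STATUSES = ("grantedhost", "deniedhost", "warnedhost")

# Constructed sample inputs. HOST_FILE mirrors the host-list example above,
# including the host that is listed as both granted and denied.
HOST_FILE = "grantedhost 192.168.102.101\ngrantedhost 192.168.102.105\ndeniedhost 192.168.102.105\n"
NAT_MAP_FILE = "fw_nat_ip1 172.16.0.1\nfw_nat_ip2 172.16.0.111\n"
NAT_LISTS = {
    "fw_nat_ip1": "grantedhost 192.168.102.96\ndeniedhost 192.168.102.99\n",
    "fw_nat_ip2": "grantedhost 192.168.102.97\n",
}


def parse_host_file(text):
    """Parse '<status> <ip>' lines into [(status, ip)]; returns (entries, errors).
    A host listed with two different statuses is an error, not last-line-wins:
    a denied host silently staying granted is the failure a generator must refuse."""
    entries, errors, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2 or parts[0] not in STATUSES:
            errors.append(f"line {lineno}: expected '<status> <ip>', got {raw!r}")
            continue
        status, ip = parts
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            errors.append(f"line {lineno}: {ip!r} is not an IP address")
            continue
        if seen.get(ip, status) != status:
            errors.append(f"line {lineno}: {ip} listed as {seen[ip]} and {status}")
            continue
        seen[ip] = status
        entries.append((status, ip))
    return entries, errors


def parse_nat_map(text):
    """Parse fw_nat_1-n lines '<ip_list_filename> <public_ip>' into a dict."""
    mapping, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected '<list_filename> <public_ip>'")
            continue
        name, public_ip = parts
        try:
            public_ip = str(ipaddress.ip_address(public_ip))
        except ValueError:
            errors.append(f"line {lineno}: {public_ip!r} is not an IP address")
            continue
        if name in mapping:
            errors.append(f"line {lineno}: list {name} is mapped twice")
            continue
        mapping[name] = public_ip
    return mapping, errors


def ipset_replace(setname, entries):
    """Rebuild a set atomically: fill a scratch set, then swap it in. Only
    grantedhost entries become members, so denied and warned hosts never match
    a rule that accepts set members. Scratch-set naming is an assumption."""
    tmp = f"{setname}_new"
    return ([f"ipset create {tmp} hash:ip -exist", f"ipset flush {tmp}",
             f"ipset create {setname} hash:ip -exist"]
            + [f"ipset add {tmp} {ip}" for status, ip in entries if status == "grantedhost"]
            + [f"ipset swap {tmp} {setname}", f"ipset destroy {tmp}"])


def snat_rules(nat_map, wan_if):
    """One SNAT rule per list: members of the set leave via its public address."""
    return [f"iptables -t nat -A POSTROUTING -o {wan_if} -m set --match-set {name} src "
            f"-j SNAT --to-source {public_ip}" for name, public_ip in nat_map.items()]


def build_plan(nat_map_text, nat_lists, wan_if="eth0"):
    """Return (commands, errors). If anything is wrong, nothing is emitted: a
    half-applied NAT table is worse than an unchanged one. wan_if is an
    assumption; fw.sh takes its interface names from fw.conf."""
    nat_map, errors = parse_nat_map(nat_map_text)
    commands = []
    for name in nat_map:
        if name not in nat_lists:
            errors.append(f"{name} is mapped in fw_nat_1-n but no such list file exists")
            continue
        entries, errs = parse_host_file(nat_lists[name])
        errors += [f"{name}: {e}" for e in errs]
        commands += ipset_replace(name, entries)
    commands += snat_rules(nat_map, wan_if)
    return ([] if errors else commands), errors


if __name__ == "__main__":
    commands, errors = build_plan(NAT_MAP_FILE, NAT_LISTS)
    print("\n".join(errors or commands))
```

Run against the sample data it prints the ipset and SNAT commands for both lists; run against HOST_FILE alone, parse_host_file keeps 192.168.102.105 as granted and reports the later deniedhost line as a conflict instead of guessing which one the operator meant.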
The lmsd module is used for cooperation with LMS (http://lms.org.pl); the router/firewall can then be operated automatically.
Control of fw.sh is then done from the LMS level. fw.sh will check if the operator has set the reload status of a given host in LMS and will perform a reload or restart depending on which configuration files and what has changed in them. If the files have not changed, and the reload status has been set in LMS, the script will detect it, change the reload status in LMS to done, but will not perform a restart/reload, just save the information in the logs.
After installation, ./fw.sh lmsd is run every minute by cron.
Running fw.sh with the lmsd module requires proper LMS configuration so that LMS generates configuration files for fw.sh in the appropriate format and allows controlling the operation of fw.sh from the LMS level.
This option is useful if we have configured LMS in such a way that computers have been assigned tariffs. The script also supports a night tariff (shaper_restart option). The operation of the Shaper is optimized for large numbers of computers and tariffs.
Stops the Shaper.
Starts the Shaper.
Downloads the Shaper configuration file from the remote server (LMS) and then stops and restarts the Shaper with the new configuration.
To adjust the settings of the tasks performed by the Shaper module in cron to your needs, you need to edit the fw_cron function in the fwfunction file, and if the script is already running (started in production), also the /etc/cron.d/fw_sh file.
Default values set for the fw_cron function:
Scheduling the script ./fw.sh with the shaper_restart option for the night tariff from 22:00 to 10:00:
00 22 * * * /opt/gateway/scripts/fw.sh shaper_restart
00 10 * * * /opt/gateway/scripts/fw.sh shaper_restart
The format of the configuration file for the Shaper module, whose name is specified in the shaper_file variable in the fw.conf file:
The file must begin with the declaration of the following parameters. If these parameters are not provided, the default parameters specified in the fw.conf file will be used.
ISP_RX_LIMIT=470000kbit
ISP_TX_LIMIT=470000kbit
GW_TO_LAN_RATE_LIMIT=100kbit
GW_TO_LAN_CEIL_LIMIT=200000kbit
GW_TO_WAN_RATE_LIMIT=100kbit
GW_TO_WAN_CEIL_LIMIT=50000kbit
LAN_UNCLASSIFIED_RATE_LIMIT=16kbit
LAN_UNCLASSIFIED_CEIL_LIMIT=128kbit
WAN_UNCLASSIFIED_RATE_LIMIT=16kbit
WAN_UNCLASSIFIED_CEIL_LIMIT=128kbit
GW_TO_LAN_PRIORITY=2
GW_TO_WAN_PRIORITY=2
LAN_UNCLASSIFIED_PRIORITY=7
WAN_UNCLASSIFIED_PRIORITY=7
LAN_HOSTS_PRIORITY=2
WAN_HOSTS_PRIORITY=2
- ISP_RX_LIMIT and ISP_TX_LIMIT are the download and upload rates of the Internet access link, reduced by about 5-10% so that the queue builds up on the gateway, where HTB controls it, rather than in the operator's modem.
- GW_TO_LAN_RATE_LIMIT is the guaranteed rate for outbound traffic to the LAN from the gateway on which the fw.sh script runs.
- GW_TO_LAN_CEIL_LIMIT is the ceiling for outbound traffic to the LAN from the gateway on which the fw.sh script runs.
- GW_TO_WAN_RATE_LIMIT is the guaranteed rate for outbound traffic to the WAN from the gateway on which the fw.sh script runs.
- GW_TO_WAN_CEIL_LIMIT is the ceiling for outbound traffic to the WAN from the gateway on which the fw.sh script runs.
- LAN_UNCLASSIFIED_RATE_LIMIT is the guaranteed rate for unclassified outbound traffic to the LAN, i.e., for computers/devices not listed in the Shaper module configuration file.
- LAN_UNCLASSIFIED_CEIL_LIMIT is the ceiling for unclassified outbound traffic to the LAN, i.e., for computers/devices not listed in the Shaper module configuration file.
- WAN_UNCLASSIFIED_RATE_LIMIT is the guaranteed rate for unclassified outbound traffic to the WAN, i.e., for computers/devices not listed in the Shaper module configuration file.
- WAN_UNCLASSIFIED_CEIL_LIMIT is the ceiling for unclassified outbound traffic to the WAN, i.e., for computers/devices not listed in the Shaper module configuration file.
Priority is set on a scale from 1 to 7, where 1 represents the highest priority and 7 the lowest for the following groups:
- GW_TO_LAN_PRIORITY - priority for packets sent from the GW to the LAN.
- GW_TO_WAN_PRIORITY - priority for packets sent from the GW to the WAN.
- LAN_UNCLASSIFIED_PRIORITY - priority for unclassified packets sent to the LAN.
- WAN_UNCLASSIFIED_PRIORITY - priority for unclassified packets sent to the WAN.
- LAN_HOSTS_PRIORITY - priority for packets sent to the LAN, directed to hosts managed by the Shaper module.
- WAN_HOSTS_PRIORITY - priority for packets sent to the WAN, directed from hosts managed by the Shaper module.
Then, for each host, the parameters of the UP/DOWN HTB classes should be specified, with several hosts potentially assigned to one pair of HTB classes.
Example configuration for one host assigned to one pair of UP/DOWN classes:
# Client computers configuration
customer 1
class_up 8kbit 1024kbit
class_down 8kbit 5120kbit
filter 192.168.101.24
For several hosts assigned to a pair of classes:
customer 2
class_up 8kbit 1024kbit
class_down 8kbit 5120kbit
filter 192.168.10.24
filter 192.168.10.25
filter 192.168.10.26
A customer can have several tariffs (several service agreements) with different computers assigned. For each tariff, an appropriate set of records must be generated. For example, if customer ID 1 has two additional agreements/tariffs with one modem/computer each, the following records should be added:
customer 1
class_up 8kbit 1024kbit
class_down 8kbit 5120kbit
filter 192.168.101.30
customer 1
class_up 8kbit 1024kbit
class_down 8kbit 5120kbit
filter 192.168.101.34
The # symbol denotes a comment and is not parsed by the Shaper module. The number after customer represents the unique customer ID in LMS.
The expressions class_up and class_down take the parameters rate and ceil, where RATE is the minimum guaranteed speed and CEIL is the maximum speed the class may borrow up to when the link has spare capacity (not guaranteed). RATE must not exceed CEIL.
The filter expression takes the IP address of the host the configuration applies to.
Such a file can be generated by a properly configured LMS using an LMSD instance named tc-new.
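A parser for the Shaper file format above, as an added example that is not the project's own code: it reads the header parameters and the customer/class_up/class_down/filter records, rejects a class whose rate exceeds its ceil or a record missing a class or filter, and turns each record into HTB class and u32 filter commands for tc. The interface names eth1/eth0, the root qdisc handle 1: with parent class 1:1, and the classid numbering are assumptions; the sample file is constructed from the header and records shown on this page.

```python
import ipaddress
import re

# Constructed sample: the example header and client records from this page.
SHAPER_FILE = """\
ISP_RX_LIMIT=470000kbit
ISP_TX_LIMIT=470000kbit
LAN_HOSTS_PRIORITY=2
WAN_HOSTS_PRIORITY=2
# Client computers configuration
customer 1
class_up 8kbit 1024kbit
class_down 8kbit 5120kbit
filter 192.168.101.24
customer 2
class_up 8kbit 1024kbit
class_down 8kbit 5120kbit
filter 192.168.10.24
filter 192.168.10.25
filter 192.168.10.26
"""

UNITS = {"kbit": 1, "mbit": 1000, "gbit": 1000000}
RATE_RE = re.compile(r"^(\d+)(kbit|mbit|gbit)$")


def rate_kbit(text):
    """Convert a tc-style rate such as '5120kbit' or '5mbit' to kbit/s."""
    m = RATE_RE.match(text)
    if not m:
        raise ValueError(f"bad rate {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_shaper_file(text):
    """Return (header, records, errors). Each record is one pair of HTB classes:
    {'customer': id, 'up': (rate, ceil), 'down': (rate, ceil), 'filters': [ip]}.
    '#' starts a comment, as the page states."""
    header, records, errors, cur = {}, [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if cur is None and "=" in line and " " not in line:
            key, _, value = line.partition("=")  # header parameter
            header[key] = value
            continue
        parts = line.split()
        kw = parts[0]
        if kw == "customer":
            if len(parts) != 2 or not parts[1].isdigit():
                errors.append(f"line {lineno}: expected 'customer <id>'")
                continue
            cur = {"customer": int(parts[1]), "up": None, "down": None, "filters": []}
            records.append(cur)
        elif cur is None:
            errors.append(f"line {lineno}: {kw} before any 'customer' line")
        elif kw in ("class_up", "class_down") and len(parts) == 3:
            try:
                if rate_kbit(parts[1]) > rate_kbit(parts[2]):
                    errors.append(f"line {lineno}: rate {parts[1]} exceeds ceil {parts[2]}")
                cur[kw[6:]] = (parts[1], parts[2])
            except ValueError as e:
                errors.append(f"line {lineno}: {e}")
        elif kw == "filter" and len(parts) == 2:
            try:
                cur["filters"].append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                errors.append(f"line {lineno}: {parts[1]!r} is not an IP address")
        else:
            errors.append(f"line {lineno}: unrecognised line {raw!r}")
    for r in records:
        if not (r["up"] and r["down"] and r["filters"]):
            errors.append(f"customer {r['customer']}: needs class_up, class_down and a filter")
    return header, records, errors


def tc_commands(header, records, lan_if="eth1", wan_if="eth0", first_classid=0x10):
    """Emit tc commands for the per-host classes. Assumed (not from the page):
    an HTB root qdisc 'handle 1:' with parent class 1:1 already exists on both
    interfaces, and the interface names and classid numbering used here."""
    lan_prio = int(header.get("LAN_HOSTS_PRIORITY", 2))
    wan_prio = int(header.get("WAN_HOSTS_PRIORITY", 2))
    cmds = []
    for i, r in enumerate(records):
        cid = f"1:{first_classid + i:x}"
        # Download is shaped leaving the LAN interface (host is the destination);
        # upload is shaped leaving the WAN interface (host is the source).
        for dev, direction, prio, key in ((lan_if, "dst", lan_prio, "down"),
                                          (wan_if, "src", wan_prio, "up")):
            rate, ceil = r[key]
            cmds.append(f"tc class add dev {dev} parent 1:1 classid {cid} "
                        f"htb rate {rate} ceil {ceil} prio {prio}")
            for ip in r["filters"]:
                cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio {prio} "
                            f"u32 match ip {direction} {ip}/32 flowid {cid}")
    return cmds


if __name__ == "__main__":
    header, records, errors = parse_shaper_file(SHAPER_FILE)
    print("\n".join(errors or tc_commands(header, records)))
```

Each record yields one class on each side: the download class on the LAN-facing interface with filters matching the host as destination, and the upload class on the WAN-facing interface with filters matching it as source, which is how a single customer record with three filter lines shares one pair of classes between three hosts.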
This option of the Shaper module provides detailed statistics for each host by reading iptables counters.
If we want to import our customers' traffic statistics into LMS, we need to periodically (e.g., every 5 minutes) run a script on the LMS machine to save the statistics to the LMS database. It must be the same interval set in the phpui LMS parameter stat_freq. For example, if we choose to run it every 5 minutes, then stat_freq=300 (seconds).
The script should contain two commands:
ssh -p 222 root@192.168.100.1 '/opt/gateway/scripts/fw.sh stats' > /var/log/traffic.log
bash /var/www/html/lms/bin/lms-traffic
where 192.168.100.1 is the IP address of our router running
The first command runs the fw.sh script with the stats module on the router over SSH; it reads the data counters for all hosts and prints them, and the redirection saves them to /var/log/traffic.log on the LMS machine. The second command runs the LMS script that reads /var/log/traffic.log and imports the values into the stats table in the LMS database. Because this login is root, pin the key the LMS machine uses to that one command in the router's authorized_keys (command="/opt/gateway/scripts/fw.sh stats", together with no-pty and no-port-forwarding), so that a compromised LMS host can only pull counters rather than open a root shell on the firewall.
fw.sh maintenance-on puts the gateway into maintenance mode: it disables the firewall, the cron jobs, the DHCP server and the LAN and WAN interfaces, brings up the interface defined as MGMT (management), and runs a DHCP client on it.
fw.sh maintenance-off returns the gateway to normal operation.
