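# This is an example of a simple Linux iptables based router script that logs
# traffic, followed by an example of a script that uses wondershaper to limit
# bandwidth consumption, and a third example that NATs a LAN while forcing its
# DNS through a single resolver.
#
# Each script below starts with its own "#!" line and is meant to live in its
# own file and run as root; they are shown together here for comparison.

# ---------------------------------------------------------------------------
# 1. iptables NAT router with logging
# ---------------------------------------------------------------------------
#!/bin/sh
# LAN ($INTIF*) -> Internet ($EXTIF) NAT router that logs every packet
# traversing INPUT/OUTPUT/FORWARD to syslog.
#
# Changes from the original listing, all security-relevant:
#  * Default policies are now set explicitly (INPUT/FORWARD DROP, OUTPUT
#    ACCEPT). The original never set a policy, so after the flush the kernel
#    default of ACCEPT applied and NEW connections arriving on $EXTIF -- which
#    no rule matched -- were accepted: the "firewall" was fail-open.
#  * The script aborts on the first failing command (set -eu). Because the
#    DROP policies are installed before any ACCEPT rule, a partial run fails
#    closed instead of open.
#  * LOG rules are rate-limited so a packet flood cannot fill syslog/the disk.
#  * IPv4 forwarding is switched off while the ruleset is being rebuilt and
#    re-enabled only once it is complete.
#
# Caveats (not changed here):
#  * eth1:0 / eth1:1 are ifconfig IP aliases, not separate interfaces;
#    netfilter most likely sees those packets on eth1, so the $INTIF1/$INTIF2
#    rules are probably inert and the $INTIF0 rules are what actually matches.
#    Confirm on the target kernel before relying on per-alias policy.
#  * Only IPv4 is filtered. If the host has IPv6 connectivity, ip6tables needs
#    an equivalent ruleset or that traffic is completely unfiltered.
#  * -m state is the legacy matcher; -m conntrack --ctstate is the modern
#    drop-in equivalent where the kernel provides it.
PATH=/usr/sbin:/sbin:/bin:/usr/bin
set -eu

INTIF0=eth1
INTIF1=eth1:0
INTIF2=eth1:1
EXTIF=eth0

# Stop forwarding while the ruleset is replaced so nothing slips through the
# window between the flush and the last rule.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Delete all existing rules and user-defined chains.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Default-deny on INPUT and FORWARD: anything not explicitly accepted below
# is dropped. Installed before any ACCEPT rule so an aborted run fails closed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Log traffic (LOG is non-terminating, so matching continues below), capped at
# 5 entries/s with a burst of 10 per chain to prevent log flooding.
iptables -A INPUT   -m limit --limit 5/s --limit-burst 10 -j LOG --log-level 4 --log-prefix 'IPTAllowIN '
iptables -A OUTPUT  -m limit --limit 5/s --limit-burst 10 -j LOG --log-level 4 --log-prefix 'IPTAllowOUT '
iptables -A FORWARD -m limit --limit 5/s --limit-burst 10 -j LOG --log-level 4 --log-prefix 'IPTAllowFWD '

# Allow established connections, and new ones that do not come from the outside.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i "$EXTIF" -j ACCEPT

# Replies to LAN-initiated connections may come back in.
for lan in "$INTIF0" "$INTIF1" "$INTIF2"; do
  iptables -A FORWARD -i "$EXTIF" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Allow outgoing connections from the LAN side.
for lan in "$INTIF0" "$INTIF1" "$INTIF2"; do
  iptables -A FORWARD -i "$lan" -o "$EXTIF" -j ACCEPT
done

# Masquerade LAN addresses behind the external interface.
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# "Don't forward from the outside to the inside" is now enforced by the
# FORWARD DROP policy. The original rule here matched -i $EXTIF -o $EXTIF,
# i.e. only outside->outside hairpin traffic, and never covered
# outside->inside; it is intentionally omitted.

# Enable routing now that the ruleset is complete.
echo 1 > /proc/sys/net/ipv4/ip_forward

# ---------------------------------------------------------------------------
# 2. Bandwidth limiting with wondershaper
# ---------------------------------------------------------------------------
#!/bin/bash
# Cap bandwidth on eth1 and eth0 with wondershaper. "clean" removes any
# previous qdisc first so the new limits are not stacked on stale ones.
# Argument order is device, downlink, uplink (rates in kbit/s) -- confirm
# against the installed wondershaper's usage text, as versions differ.
#
# No "set -e" here on purpose: "clean" may legitimately fail when there is
# nothing to remove yet, and the original ran the commands unconditionally.
#
# See also https://www.iplocation.net/traffic-control
# See http://lartc.org/howto/ for lots of detail.
for dev in eth1 eth0; do
  /usr/sbin/wondershaper clean "$dev"
  /usr/sbin/wondershaper "$dev" 20000 50000
done

# ---------------------------------------------------------------------------
# 3. NAT router that forces LAN DNS through one resolver (OpenDNS upstream)
# ---------------------------------------------------------------------------
#!/bin/bash
# Masquerading router for $eLAN -> $eWAN that redirects all LAN DNS to
# 172.16.1.1 and points the router itself at OpenDNS.
#
# Changes from the original listing:
#  * The original set the INPUT, FORWARD and OUTPUT policies to ACCEPT, so it
#    was a NAT box with no filtering whatsoever -- despite its own comment
#    about having "no firewall". INPUT and FORWARD now default to DROP with an
#    allow-list matching the logging router above: loopback, replies, new
#    connections from the LAN, and LAN -> WAN forwarding. If you administer the
#    router from the WAN side you must add an explicit INPUT rule for that.
#  * Debug output is controlled by the DEBUG environment variable. The
#    original assigned debug="set" and immediately overwrote it with "", so the
#    default (off) is unchanged.
#  * set -eu: abort on the first failing command. DROP policies are installed
#    first so a partial run fails closed rather than open.
#
# Caveats:
#  * The DNAT only catches plain DNS on port 53. DNS-over-TLS (853/tcp) and
#    DNS-over-HTTPS bypass it; block 853 outbound if that matters, and accept
#    that DoH is indistinguishable from ordinary HTTPS here.
#  * 172.16.1.1 is presumably this router's own LAN address running a resolver
#    that forwards to OpenDNS -- confirm. DNAT to a host that does not answer
#    breaks all LAN name resolution.
#  * Overwriting /etc/resolv.conf directly conflicts with resolvconf,
#    NetworkManager or systemd-resolved if any of them manage that file.
#  * IPv4 only; an ip6tables ruleset is needed if the host speaks IPv6.
set -eu

eWAN=eth0
eLAN=eth1
iT=/sbin/iptables
debug="${DEBUG:-}"

# Print a progress message only when debugging is enabled.
say() {
  if [ -n "$debug" ]; then
    printf '%s\n' "$*"
  fi
}

# Start out with no forwarding, lest a hacker notice the moment I've got no firewall.
echo 0 > /proc/sys/net/ipv4/ip_forward

say "clean up existing rules to ensure a clean slate."
say "flush existing rules"
"$iT" -t filter -F
"$iT" -t nat -F
"$iT" -t mangle -F

say "delete custom chains."
"$iT" -X

say "set default policies."
"$iT" -P INPUT DROP
"$iT" -P FORWARD DROP
"$iT" -P OUTPUT ACCEPT

say "allow loopback traffic"
"$iT" -A INPUT -i lo -j ACCEPT

say "allow related and established to continue"
"$iT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

say "allow new connections from the LAN to the router"
"$iT" -A INPUT -m state --state NEW -i "$eLAN" -j ACCEPT

say "forward LAN -> WAN, and the replies back"
"$iT" -A FORWARD -i "$eLAN" -o "$eWAN" -j ACCEPT
"$iT" -A FORWARD -i "$eWAN" -o "$eLAN" -m state --state RELATED,ESTABLISHED -j ACCEPT

say "enable ip masquerade for Internet interface."
"$iT" -t nat -A POSTROUTING -o "$eWAN" -j MASQUERADE

# For OPENDNS forced: redirect every LAN DNS query (UDP and TCP port 53) to
# 172.16.1.1. Inserted at the top of PREROUTING so nothing can match first.
"$iT" -t nat -I PREROUTING -i "$eLAN" -p udp --dport 53 -j DNAT --to 172.16.1.1
"$iT" -t nat -I PREROUTING -i "$eLAN" -p tcp --dport 53 -j DNAT --to 172.16.1.1

# The router itself resolves via OpenDNS.
printf 'nameserver %s\n' 208.67.222.222 208.67.220.220 > /etc/resolv.conf

# Enable routing only now that the ruleset is complete.
echo 1 > /proc/sys/net/ipv4/ip_forward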