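#!/bin/bash
# rc.qos-inet
# By Champ Clark [champ at softwink.com]
# Softwink, Inc [800-538-9357 ext 101]
#
# Egress shaping and ingress policing for the _Internet_ side of things.
# Technically, there is only so much we can do: routers on the Internet
# typically don't honor QoS. We can do a couple of things to help out our
# situation:
#   - HTB on egress with a priority class (1:10) for VPN/interactive
#     traffic and a default class (1:20) for everything else;
#   - TOS marking of locally generated traffic to the VPN ports so the
#     egress filter can pick it out;
#   - a flat ingress policer that drops what arrives faster than DOWNLINK.
#
# Must run as root (tc and iptables both need it). Safe to re-run: the
# qdiscs and the mangle rules it installs are removed before being re-added.

set -eu

readonly IPT="/usr/sbin/iptables"

# Upload/download speed in kbit/s. You usually want to set this a little
# under the actual line speed (5% or so) so you don't over-saturate the line.
readonly DOWNLINK=710
readonly UPLINK=710

# TCP destination ports that get priority over any/all other traffic.
# These connect our remote offices via OpenVPN.
VPNPORTS=(5000 5001 2011 2005)
readonly VPNPORTS

# Device that connects us to the Internet.
readonly DEV=pvc0

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: the message
#######################################
die() {
  printf 'rc.qos-inet: %s\n' "$*" >&2
  exit 1
}

[[ -x "$IPT" ]] || die "iptables not found at $IPT"
command -v tc >/dev/null || die "tc not found in PATH"

# Cleanup: remove whatever a previous run installed. These fail harmlessly
# on a fresh boot, so their status is deliberately ignored.
tc qdisc del dev "$DEV" root 2> /dev/null > /dev/null || true
tc qdisc del dev "$DEV" ingress 2> /dev/null > /dev/null || true

# ---------------------------- Upstream traffic ----------------------------
# Root HTB; anything no filter picks up lands in class 1:20.
tc qdisc add dev "$DEV" root handle 1: htb default 20
tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${UPLINK}kbit" burst 6k

# VoIP/VPN stuff goes here (prio 1 is served before prio 2 when both
# classes want bandwidth).
tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${UPLINK}kbit" \
  burst 6k prio 1

# Everything else goes here, guaranteed 90% of the uplink so bulk traffic
# is never starved completely.
tc class add dev "$DEV" parent 1:1 classid 1:20 \
  htb rate "$(( 9 * UPLINK / 10 ))kbit" burst 6k prio 2

# SFQ in each leaf so the flows inside a class share it fairly.
tc qdisc add dev "$DEV" parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev "$DEV" parent 1:20 handle 20: sfq perturb 10

# Mark locally generated traffic to the VPN ports with TOS Minimize-Delay
# (0x10) so the egress filter below can classify it. Only OUTPUT is marked:
# forwarded traffic keeps whatever TOS it arrived with. Any stale copies of
# the rule from earlier runs are deleted first so re-running the script
# doesn't stack duplicate rules in the mangle table.
for port in "${VPNPORTS[@]}"; do
  while "$IPT" -t mangle -D OUTPUT -p tcp --dport "$port" \
      -j TOS --set-tos Minimize-Delay 2> /dev/null; do
    :
  done
  "$IPT" -t mangle -A OUTPUT -p tcp --dport "$port" \
    -j TOS --set-tos Minimize-Delay
done

# TOS Minimize-Delay -> priority class. SSH sets this on its own; the mangle
# rules above set it for the VPN ports. NOTE: this matches the TOS byte of
# any packet leaving $DEV, including forwarded traffic that arrived already
# marked, so hosts behind this router can put their own traffic into 1:10.
tc filter add dev "$DEV" parent 1:0 protocol ip prio 10 u32 \
  match ip tos 0x10 0xff flowid 1:10

# All ICMP (protocol 1) -> priority class, so it shares 1:10 with the VPN.
tc filter add dev "$DEV" parent 1:0 protocol ip prio 10 u32 \
  match ip protocol 1 0xff flowid 1:10

# To speed up downloads while an upload is going on, put small pure-ACK
# packets in the interactive class: TCP (protocol 6), IP header length of
# 5 words, IP total length under 64 bytes, TCP flags == ACK only (the flags
# byte sits at offset 33 from the start of a 20-byte IP header).
tc filter add dev "$DEV" parent 1: protocol ip prio 10 u32 \
  match ip protocol 6 0xff \
  match u8 0x05 0x0f at 0 \
  match u16 0x0000 0xffc0 at 2 \
  match u8 0x10 0xff at 33 \
  flowid 1:10

# ------------ Limit inbound/ingress traffic as much as possible ------------
# We can't shape what the far end sends; the policer drops anything that
# arrives faster than DOWNLINK so TCP senders back off. It applies to every
# source (0.0.0.0/0), VPN peers included.
tc qdisc add dev "$DEV" handle ffff: ingress
tc filter add dev "$DEV" parent ffff: protocol ip prio 50 u32 match ip src \
  0.0.0.0/0 police rate "${DOWNLINK}kbit" burst 10k drop flowid :1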