NB! Шейпер нифига не работает как задумано (то есть, шейпит на 100кбит по всем направлениям без исключения).
root@OpenWrt-Donetsk:~# cat /root/firewall.qos.2
#!/bin/sh
# opkg install kmod-sched tc ip iptables-mod-ipopt kmod-ipt-ipopt
DEV1="br-lan"
DEV2="eth0.1"
RATEUP=4950
RATEUPMAX=10000
RATEUPMIN=100
rmmod sch_htb
rmmod sch_sfq
rmmod cls_fw
insmod sch_htb
insmod sch_sfq
insmod cls_fw
tc qdisc del dev $DEV1 root
tc qdisc del dev $DEV2 root
iptables -t mangle -F SHAPER-OUT
iptables -t mangle -F SHAPER-IN
iptables -F
iptables -t nat -F
#set up new rules, tables and chains
#ip link set dev $DEV1 qlen 30
#ip link set dev $DEV1 mtu 1000
#ip link set dev $DEV2 qlen 30
#ip link set dev $DEV2 mtu 1000
tc qdisc add dev $DEV1 root handle 1:0 htb default 12
tc class add dev $DEV1 parent 1:0 classid 1:1 htb rate ${RATEUPMAX}kbit
tc class add dev $DEV1 parent 1:1 classid 1:10 htb rate ${RATEUP}kbit ceil ${RATEUPMAX}kbit prio 0
tc class add dev $DEV1 parent 1:1 classid 1:11 htb rate ${RATEUP}kbit ceil ${RATEUPMAX}kbit prio 1
tc class add dev $DEV1 parent 1:1 classid 1:12 htb rate ${RATEUPMIN}kbit ceil ${RATEUPMIN}kbit prio 7
tc qdisc add dev $DEV1 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:11 handle 11: sfq perturb 10
tc qdisc add dev $DEV1 parent 1:12 handle 12: sfq perturb 10
tc filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 10 fw classid 1:10
tc filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 11 fw classid 1:11
tc filter add dev $DEV1 parent 1:0 prio 0 protocol ip handle 12 fw classid 1:12
tc qdisc add dev $DEV2 root handle 2:0 htb default 22
tc class add dev $DEV2 parent 2:0 classid 2:1 htb rate ${RATEUPMAX}kbit
tc class add dev $DEV2 parent 2:1 classid 2:20 htb rate ${RATEUP}kbit ceil ${RATEUPMAX}kbit prio 0
tc class add dev $DEV2 parent 2:1 classid 2:21 htb rate ${RATEUP}kbit ceil ${RATEUPMAX}kbit prio 1
tc class add dev $DEV2 parent 2:1 classid 2:22 htb rate ${RATEUPMIN}kbit ceil ${RATEUPMIN}kbit prio 7
tc qdisc add dev $DEV2 parent 2:20 handle 20: sfq perturb 10
tc qdisc add dev $DEV2 parent 2:21 handle 21: sfq perturb 10
tc qdisc add dev $DEV2 parent 2:22 handle 22: sfq perturb 10
tc filter add dev $DEV2 parent 2:0 prio 0 protocol ip handle 20 fw classid 2:20
tc filter add dev $DEV2 parent 2:0 prio 0 protocol ip handle 21 fw classid 2:21
tc filter add dev $DEV2 parent 2:0 prio 0 protocol ip handle 22 fw classid 2:22
iptables -t mangle -N SHAPER-OUT
iptables -t mangle -N SHAPER-IN
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -t mangle -I POSTROUTING -o $DEV2 -j SHAPER-OUT
iptables -t mangle -I POSTROUTING -o $DEV1 -j SHAPER-IN
# shaper OUT
iptables -t mangle -A SHAPER-OUT -o $DEV2 -p tcp --dport 2222 -j MARK --set-mark 20
iptables -t mangle -A SHAPER-OUT -o $DEV2 -p udp --dport 53 -j MARK --set-mark 20
iptables -t mangle -A SHAPER-OUT -o $DEV2 -p tcp --dport 5938 -j MARK --set-mark 21
iptables -t mangle -A SHAPER-OUT -o $DEV2 -d 100.100.232.0/23 -j MARK --set-mark 20
iptables -t mangle -A SHAPER-OUT -o $DEV2 -d 100.40.42.166 -j MARK --set-mark 20
iptables -t mangle -A SHAPER-OUT -o $DEV2 -j MARK --set-mark 22
#shaper IN
iptables -t mangle -A SHAPER-IN -o $DEV1 -p tcp --sport 5938 -j MARK --set-mark 11
iptables -t mangle -A SHAPER-IN -o $DEV1 -s 100.100.232.0/23 -j MARK --set-mark 10
iptables -t mangle -A SHAPER-IN -o $DEV1 -s 100.40.42.166 -j MARK --set-mark 10
iptables -t mangle -A SHAPER-IN -o $DEV1 -j MARK --set-mark 12
# input rules
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth0.1 -p icmp --icmp-type 8 -j REJECT --reject-with proto-unreach
iptables -A INPUT -i eth0.1 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i eth0.1 -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp --icmp-type 8 -j REJECT --reject-with proto-unreach
iptables -A INPUT -i ppp0 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i eth0.1 -j DROP
iptables -A INPUT -i ppp0 -j DROP
iptables -t nat -A POSTROUTING -o eth0.1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE