Traffic control using Iptables/Netfilter
Netfilter rules
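#!/usr/bin/env bash
# --- Traffic control ---
# Packet/byte accounting of LAN vs. Internet traffic in the mangle table.
# Every packet passes through one of four counter chains (IN-LAN, OUT-LAN,
# IN-INTERNET, OUT-INTERNET); the only rule in each chain is a catch-all
# match without a target, so it just counts and returns to the caller.
#
# Local address ranges are tagged with fwmark LOCAL_MARK in PREROUTING /
# POSTROUTING; whatever is still unmarked afterwards is accounted as
# Internet traffic.
#
# Must run as root. NOTE: the mangle table is flushed completely, so any
# mangle rules installed by other tools (QoS, VPN clients, ...) are lost.
set -euo pipefail

# fwmark that identifies local traffic. The match below compares the whole
# mark value; if other software on this host also sets fwmarks, narrow both
# --set-mark and --mark with a mask (value/mask) so the bits do not collide.
readonly LOCAL_MARK=105

# The LAN behind this box.
readonly LAN_NET=192.168.0.0/16

# Networks that are never "Internet" traffic: RFC 1918 private ranges,
# loopback and link-local. The previous revision used 169.0.0.0/8 and
# 172.0.0.0/8, which are far wider than link-local (169.254.0.0/16) and the
# private 172.16.0.0/12 block, so public traffic in those /8s silently
# disappeared from the Internet counters.
readonly -a LOCAL_NETS=(
  "$LAN_NET"
  10.0.0.0/8
  172.16.0.0/12
  127.0.0.0/8
  169.254.0.0/16
)

readonly -a COUNTER_CHAINS=(IN-LAN OUT-LAN IN-INTERNET OUT-INTERNET)

# Start from an empty mangle table.
iptables -t mangle -F
iptables -t mangle -X

for chain in "${COUNTER_CHAINS[@]}"; do
  iptables -t mangle -N "$chain"
done

# Rules are appended in evaluation order (the previous revision relied on
# the reversed order produced by repeated -I, which is easy to get wrong):
#   1. count LAN traffic,
#   2. mark everything local,
#   3. count whatever is still unmarked as Internet traffic.
iptables -t mangle -A PREROUTING  -s "$LAN_NET" -j IN-LAN
iptables -t mangle -A POSTROUTING -d "$LAN_NET" -j OUT-LAN

for net in "${LOCAL_NETS[@]}"; do
  iptables -t mangle -A PREROUTING  -s "$net" -j MARK --set-mark "$LOCAL_MARK"
  iptables -t mangle -A POSTROUTING -d "$net" -j MARK --set-mark "$LOCAL_MARK"
done

iptables -t mangle -A PREROUTING  -m mark ! --mark "$LOCAL_MARK" -j IN-INTERNET
iptables -t mangle -A POSTROUTING -m mark ! --mark "$LOCAL_MARK" -j OUT-INTERNET

# Catch-all counting rules: no target, so the packet returns to the caller.
iptables -t mangle -A IN-LAN       -s 0/0
iptables -t mangle -A OUT-LAN      -d 0/0
iptables -t mangle -A IN-INTERNET  -s 0/0
iptables -t mangle -A OUT-INTERNET -d 0/0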
Monitor
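#!/usr/bin/env bash
# --- Monitor ---
# Print the byte counters of the Internet accounting chains created by the
# traffic-control rules: one number per line, inbound then outbound.
set -euo pipefail

#######################################
# Print the byte counter of the first rule in a mangle chain.
# Arguments: $1 - chain name
# Outputs:   byte count on stdout
# Returns:   non-zero if iptables fails
#######################################
chain_bytes() {
  local chain=$1
  # -L <chain> lists only that chain, so no sed window matching on the
  # full table dump is needed.
  # -x prints exact byte counts instead of K/M/G-rounded ones, which is
  # what a monitor should record.
  # -n skips reverse-DNS lookups of the rule addresses; without it every
  # poll is slowed down by, and leaks a query to, the resolver.
  # The rule line is the first line whose packet column is purely numeric;
  # its second column is the byte counter.
  sudo iptables -t mangle -L "$chain" -v -x -n \
    | awk '$1 ~ /^[0-9]+$/ { print $2; exit }'
}

chain_bytes IN-INTERNET
chain_bytes OUT-INTERNET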