loosecannon
Senior Member
Joined: Jul 27, 2004
Messages: 731
This is not an ideal situation, but as Sentech are not supplying an adequate service, here are some steps you can take to improve overall access ...
OK, here is something I have implemented on my network and it works quite well: allows p2p at the lightning quick pace they provide intl BW, and browsing is more bursty ... so overall feel is improved ...
1) Linux 2.6.8.1 kernel source
2) iptables 1.2.11 (compile and install setting KERNEL_DIR)
3) iproute2 (ip/tc utilities) with HTB patch (bitch to get going)
4) Linux kernel IMQ patch and iptables IMQ patch
5) in the ip-up script set up 3 streams of traffic shaping ... 20%/30%/50% of traffic; the first rule allows 100%, and system traffic can be short-circuited onto 1:10 to have 100% priority. Also note this limits your line to 64kbit/s ...
6) the GUI in Cannonball Linux can now do this for internal services as well as local/NAT connections ...
Taking this a step further, you could allocate pools of BW on the internal interface with priorities, have some PCs have a higher-priority BW than others, and be able to contend BW between pools.
# Ingress side: incoming traffic is diverted into imq0 (with the iptables IMQ target, which this
# post does not show) and classified there by nfmark with the fw filters below.
/sbin/ip link set imq0 up
# "default 1" names the inner class 1:1. HTB sends unclassified (unmarked) packets straight
# through, unshaped, when the default class is not a leaf; point default at a leaf (e.g. 10) to shape them.
/sbin/tc qdisc add dev imq0 root handle 1: htb default 1
/sbin/tc class add dev imq0 parent 1: classid 1:1 htb rate 64Kbit
# Four leaf classes guaranteed 100%/50%/30%/20% of the 64Kbit line, each allowed to borrow up to the
# ceiling. The guarantees sum to 128Kbit, more than the parent, so they cannot all be honoured at once.
/sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 64Kbit ceil 64Kbit prio 0
/sbin/tc class add dev imq0 parent 1:1 classid 1:20 htb rate 32Kbit ceil 64Kbit prio 1
/sbin/tc class add dev imq0 parent 1:1 classid 1:30 htb rate 19.2Kbit ceil 64Kbit prio 2
/sbin/tc class add dev imq0 parent 1:1 classid 1:40 htb rate 12.8Kbit ceil 64Kbit prio 3
# SFQ inside each leaf so that one flow cannot starve the other flows in the same class
/sbin/tc qdisc add dev imq0 parent 1:10 handle 10: sfq perturb 10
/sbin/tc qdisc add dev imq0 parent 1:20 handle 20: sfq perturb 10
/sbin/tc qdisc add dev imq0 parent 1:30 handle 30: sfq perturb 10
/sbin/tc qdisc add dev imq0 parent 1:40 handle 40: sfq perturb 10
# nfmark -> class: 0x100 system/default, 0x101 interactive (ssh, DNS, 666), 0x102 ftp control, 0x103 bulk/p2p
/sbin/tc filter add dev imq0 parent 1: prio 0 protocol ip handle 0x100 fw flowid 1:10
/sbin/tc filter add dev imq0 parent 1: prio 1 protocol ip handle 0x101 fw flowid 1:20
/sbin/tc filter add dev imq0 parent 1: prio 2 protocol ip handle 0x102 fw flowid 1:30
/sbin/tc filter add dev imq0 parent 1: prio 3 protocol ip handle 0x103 fw flowid 1:40
# Egress side: run from ip-up with the outgoing interface as $1. Classes are selected by the
# CLASSIFY rules in POSTROUTING, so no fw filters are needed on this device.
# The same default-class caveat as on imq0 applies: "default 1" is an inner class.
INT_NAME=$1
#Apply egress limit
/sbin/tc qdisc add dev $INT_NAME root handle 1: htb default 1
/sbin/tc class add dev $INT_NAME parent 1: classid 1:1 htb rate 64Kbit
/sbin/tc class add dev $INT_NAME parent 1:1 classid 1:10 htb rate 64Kbit ceil 64Kbit prio 0
/sbin/tc class add dev $INT_NAME parent 1:1 classid 1:20 htb rate 32Kbit ceil 64Kbit prio 1
/sbin/tc class add dev $INT_NAME parent 1:1 classid 1:30 htb rate 19.2Kbit ceil 64Kbit prio 2
/sbin/tc class add dev $INT_NAME parent 1:1 classid 1:40 htb rate 12.8Kbit ceil 64Kbit prio 3
/sbin/tc qdisc add dev $INT_NAME parent 1:10 handle 10: sfq perturb 10
/sbin/tc qdisc add dev $INT_NAME parent 1:20 handle 20: sfq perturb 10
/sbin/tc qdisc add dev $INT_NAME parent 1:30 handle 30: sfq perturb 10
/sbin/tc qdisc add dev $INT_NAME parent 1:40 handle 40: sfq perturb 10
Now, with iptables, set up rules to map traffic onto these streams ...
Below is for incoming traffic:
# LOCALIN is a user-defined chain in the mangle table (created and jumped to from PREROUTING
# elsewhere in the script). $INT_IN and $EXT_IP presumably hold the external interface match
# (e.g. "-i ppp0") and the external address. Every rule only touches still-unmarked packets
# (--mark 0x0), so the first matching rule wins.
# Bulk high-port traffic (p2p) from the LAN or to the external IP -> 0x103, the lowest-priority class
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x103 -m state --state NEW,ESTABLISHED -i eth0 -s 10.10.255.0/24 --sport 1024:65535 -d 0/0 --dport 1024:65535
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x103 ! --syn -m state --state ESTABLISHED $INT_IN -d $EXT_IP --dport 1024:65535 -s 0/0 --sport 1024:65535
/sbin/iptables -t mangle -A LOCALIN -j MARK -p udp -m mark --mark 0x0 --set-mark 0x103 -m state --state NEW,ESTABLISHED -i eth0 -s 10.10.255.0/24 --sport 1024:65535 -d 0/0 --dport 1024:65535
/sbin/iptables -t mangle -A LOCALIN -j MARK -p udp -m mark --mark 0x0 --set-mark 0x103 -m state --state ESTABLISHED $INT_IN -d $EXT_IP --dport 1024:65535 -s 0/0 --sport 1024:65535
# ssh, port 666 and DNS -> 0x101 (interactive class 1:20)
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i eth0 -s 10.10.255.0/24 --sport 0:65535 -d 10.10.255.1/32 --dport 22
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i eth0 -s 10.10.255.0/24 --sport 0:65535 -d 0/0 --dport 22
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 ! --syn -m state --state ESTABLISHED $INT_IN -d $EXT_IP --dport 0:65535 -s 0/0 --sport 22
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i eth0 -s 10.10.255.0/24 --sport 1024:65535 -d 0/0 --dport 666
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 ! --syn -m state --state ESTABLISHED $INT_IN -d $EXT_IP --dport 1024:65535 -s 0/0 --sport 666
/sbin/iptables -t mangle -A LOCALIN -j MARK -p udp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i ppp+ -s 0/0 --sport 1024:65535 -d 0/0 --dport 53
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i ppp+ -s 0/0 --sport 1024:65535 -d 0/0 --dport 53
/sbin/iptables -t mangle -A LOCALIN -j MARK -p udp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i ppp+ -s 0/0 --sport 53 -d 0/0 --dport 53
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 -m state --state NEW,ESTABLISHED -i ppp+ -s 0/0 --sport 1024:65535 -d 0/0 --dport 666
# ftp control -> 0x102 (class 1:30); ftp data -> 0x103 (bulk)
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x102 -m state --state NEW,ESTABLISHED -i ppp+ -s 0/0 --sport 1024:65535 -d 0/0 --dport 21
/sbin/iptables -t mangle -A LOCALIN -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x103 ! --syn -m state --state ESTABLISHED -i ppp+ -s 0/0 --sport 1024:65535 -d 0/0 --dport 20
Outgoing traffic is more complex, as other rules in POSTROUTING must be set up first ...
# POSTROUTING: mark everything 0x100 (system/default class) first, let SYSEGRESS (not shown here)
# and LOCALOUT re-mark what they recognise, then let CLASSIFY turn the final mark into an HTB class.
/sbin/iptables -t mangle -A POSTROUTING -j MARK --set-mark 0x100
/sbin/iptables -t mangle -A POSTROUTING -j SYSEGRESS
/sbin/iptables -t mangle -A POSTROUTING -j LOCALOUT -m mark --mark 0x100
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x100 --set-class 1:10
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x101 --set-class 1:20
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x102 --set-class 1:30
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x103 --set-class 1:40
---------------
/sbin/iptables -t mangle -F LOCALOUT
# LOCALOUT is only entered with mark 0x100 (see the jump above), so the rules below that match
# --mark 0x0 on $INT_OUT/$EXT_IP can only fire if SYSEGRESS has cleared the mark first.
# $INT_OUT and $EXT_IP presumably hold the external interface match (e.g. "-o ppp0") and address.
# Bulk high-port traffic -> 0x103
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x103 ! --syn -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 1024:65535 -s 0/0 --sport 1024:65535
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x103 ! --syn -m state --state ESTABLISHED $INT_OUT -s $EXT_IP --sport 1024:65535 -d 0/0 --dport 1024:65535
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p udp -m mark --mark 0x100 --set-mark 0x103 -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 1024:65535 -s 0/0 --sport 1024:65535
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p udp -m mark --mark 0x0 --set-mark 0x103 -m state --state ESTABLISHED $INT_OUT -s $EXT_IP --sport 1024:65535 -d 0/0 --dport 1024:65535
# ssh, port 666 and DNS replies -> 0x101
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x101 ! --syn -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 0:65535 -s 10.10.255.1/32 --sport 22
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x101 ! --syn -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 0:65535 -s 0/0 --sport 22
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 ! --syn -m state --state ESTABLISHED $INT_OUT -s $EXT_IP --sport 0:65535 -d 0/0 --dport 22
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x101 ! --syn -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 1024:65535 -s 0/0 --sport 666
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x101 ! --syn -m state --state ESTABLISHED $INT_OUT -s $EXT_IP --sport 1024:65535 -d 0/0 --dport 666
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p udp -m mark --mark 0x100 --set-mark 0x101 -m state --state ESTABLISHED -o ppp+ -d 0/0 --dport 1024:65535 -s 0/0 --sport 53
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x101 ! --syn -m state --state ESTABLISHED -o ppp+ -d 0/0 --dport 1024:65535 -s 0/0 --sport 53
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p udp -m mark --mark 0x100 --set-mark 0x101 -m state --state ESTABLISHED -o ppp+ -d 0/0 --dport 53 -s 0/0 --sport 53
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x101 ! --syn -m state --state ESTABLISHED -o ppp+ -d 0/0 --dport 1024:65535 -s 0/0 --sport 666
# ftp control -> 0x102; ftp data -> 0x103
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x102 ! --syn -m state --state ESTABLISHED -o ppp+ -d 0/0 --dport 1024:65535 -s 0/0 --sport 21
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x103 -m state --state RELATED,ESTABLISHED -o ppp+ -d 0/0 --dport 1024:65535 -s 0/0 --sport 20
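A mark-based shaper like the one in the post above fails silently when a mark set by iptables has no tc filter or CLASSIFY rule behind it, when a filter points at a class that was never created, or when a MARK rule sits in a chain that packets can never reach with the mark it tests for. The checker below is an added example written for this page, not code from loosecannon's post or from Cannonball Linux. It parses tc and iptables command lines in the form used above and reports those three problems. The sample input is a constructed subset of the post's own rules; the parser only follows `-A` rules, keys classes by classid alone (so classes on imq0 and the egress device are assumed to share numbering, as in the post), and the BUILTIN_TARGETS set is an assumption about which targets are not user-defined chains.

```python
"""Cross-check iptables MARK/CLASSIFY rules against tc fw filters and HTB classes.

Added example, not from the original post. Reports marks that are set but never
mapped to a class, mapped classes that are never defined, and MARK rules whose
--mark test can never succeed given the mark a packet carries on entering the chain.
"""
import shlex

# Assumption: targets that are not user-defined chains, so they are not followed as jumps.
BUILTIN_TARGETS = {"MARK", "CLASSIFY", "ACCEPT", "DROP", "RETURN", "IMQ"}

# Constructed sample: a subset of the rules from the post (tc side and mangle side).
SAMPLE_TC = """
/sbin/tc class add dev imq0 parent 1:1 classid 1:10 htb rate 64Kbit ceil 64Kbit prio 0
/sbin/tc class add dev imq0 parent 1:1 classid 1:20 htb rate 32Kbit ceil 64Kbit prio 1
/sbin/tc class add dev imq0 parent 1:1 classid 1:30 htb rate 19.2Kbit ceil 64Kbit prio 2
/sbin/tc class add dev imq0 parent 1:1 classid 1:40 htb rate 12.8Kbit ceil 64Kbit prio 3
/sbin/tc filter add dev imq0 parent 1: prio 0 protocol ip handle 0x100 fw flowid 1:10
/sbin/tc filter add dev imq0 parent 1: prio 1 protocol ip handle 0x101 fw flowid 1:20
/sbin/tc filter add dev imq0 parent 1: prio 2 protocol ip handle 0x102 fw flowid 1:30
/sbin/tc filter add dev imq0 parent 1: prio 3 protocol ip handle 0x103 fw flowid 1:40
"""

SAMPLE_IPT = """
/sbin/iptables -t mangle -A POSTROUTING -j MARK --set-mark 0x100
/sbin/iptables -t mangle -A POSTROUTING -j SYSEGRESS
/sbin/iptables -t mangle -A POSTROUTING -j LOCALOUT -m mark --mark 0x100
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x100 --set-class 1:10
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x101 --set-class 1:20
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x102 --set-class 1:30
/sbin/iptables -t mangle -A POSTROUTING -j CLASSIFY -m mark --mark 0x103 --set-class 1:40
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x103 ! --syn -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 1024:65535 -s 0/0 --sport 1024:65535
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x0 --set-mark 0x103 ! --syn -m state --state ESTABLISHED $INT_OUT -s $EXT_IP --sport 1024:65535 -d 0/0 --dport 1024:65535
/sbin/iptables -t mangle -A LOCALOUT -j MARK -p tcp -m mark --mark 0x100 --set-mark 0x101 ! --syn -m state --state ESTABLISHED -o eth0 -d 10.10.255.0/24 --dport 0:65535 -s 10.10.255.1/32 --sport 22
"""


def _num(s):
    """Parse '0x101' or the mark/mask form '0x101/0xffffffff' to an int."""
    return int(s.split("/")[0], 0)


def parse_tc(text):
    """Return (classids, {mark: classid}) from `tc class add` and `tc filter ... fw` lines."""
    classids, fw_filters = set(), {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or not tok[0].endswith("tc"):
            continue
        if tok[1] == "class" and "classid" in tok:
            classids.add(tok[tok.index("classid") + 1])
        elif tok[1] == "filter" and "fw" in tok and "handle" in tok and "flowid" in tok:
            fw_filters[_num(tok[tok.index("handle") + 1])] = tok[tok.index("flowid") + 1]
    return classids, fw_filters


def parse_iptables(text):
    """Return the `iptables -A` rules, in order, as dicts of the fields the checker needs."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or not tok[0].endswith("iptables") or "-A" not in tok:
            continue
        r = {"chain": tok[tok.index("-A") + 1], "target": None,
             "match_mark": None, "set_mark": None, "set_class": None}
        for i, t in enumerate(tok[:-1]):
            if t == "-j":
                r["target"] = tok[i + 1]
            elif t == "--mark":
                r["match_mark"] = _num(tok[i + 1])
            elif t == "--set-mark":
                r["set_mark"] = _num(tok[i + 1])
            elif t == "--set-class":
                r["set_class"] = tok[i + 1]
        if r["target"]:
            rules.append(r)
    return rules


def check(tc_text, ipt_text):
    """Return a list of findings; an empty list means the marks, filters and classes agree."""
    classids, mark_to_class = parse_tc(tc_text)
    rules = parse_iptables(ipt_text)
    findings = []

    # fw filters map marks to classes on imq0 (ingress); CLASSIFY does the same on egress.
    for r in rules:
        if r["target"] == "CLASSIFY" and r["match_mark"] is not None:
            mark_to_class.setdefault(r["match_mark"], r["set_class"])
    for r in rules:
        if r["set_mark"] is not None and r["set_mark"] not in mark_to_class:
            findings.append(f"{r['chain']}: mark {r['set_mark']:#x} is set but never mapped to a class")
    for mark, cls in sorted(mark_to_class.items()):
        if cls not in classids:
            findings.append(f"mark {mark:#x} maps to class {cls}, which is never defined")

    # Reachability: a packet enters a chain jumped from POSTROUTING carrying either the mark the
    # jump rule matched on or the mark an earlier unconditional POSTROUTING MARK rule set. Inside
    # the chain, every --set-mark adds one more value a later rule may legitimately test for.
    base = None
    for r in rules:
        if r["chain"] == "POSTROUTING" and r["target"] == "MARK" and r["match_mark"] is None:
            base = r["set_mark"]
        elif r["chain"] == "POSTROUTING" and r["target"] not in BUILTIN_TARGETS:
            entry = r["match_mark"] if r["match_mark"] is not None else base
            if entry is None:
                continue
            reachable = {entry}
            for cr in rules:
                if cr["chain"] != r["target"]:
                    continue
                if cr["match_mark"] is not None and cr["match_mark"] not in reachable:
                    findings.append(f"{cr['chain']}: --mark {cr['match_mark']:#x} rule can never match "
                                    f"(packets enter this chain with mark {entry:#x})")
                if cr["set_mark"] is not None:
                    reachable.add(cr["set_mark"])
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_TC, SAMPLE_IPT) or ["no inconsistencies found"]:
        print(finding)
```

Run against the sample it reports exactly one finding: the LOCALOUT rule testing `--mark 0x0` can never match, because POSTROUTING only jumps to LOCALOUT for packets already marked 0x100. To check a live box instead of the sample, feed it the ip-up script text, or the `tc filter show`/`tc class show` and `iptables-save -t mangle` output reformatted into the same command syntax.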