You use these scripts and patches at your own risk.


"i.NET - QoS and security for Linux" is an open source project that provides an easily configurable firewall and traffic management. It is based on the Linux operating system with a specially prepared kernel, iproute2, iptables and bash scripts that configure the specific rules.


Key features:

  • router protection against:
    • access from the Internet,
    • some kinds of network attacks and viruses,
  • Internet connection sharing:
    • NAT,
    • public IP addresses,
    • proxy_arp (for DSL-like connections),
  • port forwarding,
  • transparent proxy redirection (for the HTTP protocol),
  • per-user Internet traffic accounting,
  • P2P traffic blocking,
  • MAC protection,
  • advanced queuing based on IMQ interfaces and the HFSC algorithm (QoS):
    • separate priority traffic queue (e.g. VoIP, games),
    • separate P2P queue,
    • per-user queues with the ability to limit and guarantee bandwidth,
  • and more …


The i.NET scripts are distributed under the BSD licence.

System preparations

This is NOT a strict description of the installation process; if you want to use it you should have at least minimal knowledge of compiling and installing the Linux kernel and packages.

System from binaries

This is the fastest way to get a working Linux system compatible with the i.NET scripts, but you won't be able to add any extra drivers or modules to the kernel. This method works ONLY with Debian GNU/Linux because of the package format.

1. Download the latest version of the binaries (see the Download section):


2. Unpack the package:

tar zxvf system-binary-x.x.xx-y.tar.gz

3. Install the kernel:

dpkg -i linux-image-x.x.xx-router-1.0_i386.deb

4. Configure GRUB (optional).

5. Reboot the system and choose the new kernel:


6. Check the version of the loaded kernel:

uname -a

You should get something like this:

Linux dom x.x.xx-router #9 SMP Sun Jul 20 21:52:21 CEST 2008 i686 GNU/Linux

7. Install iptables and iproute2 (the binary package ships them as .deb files):

dpkg -i iptables_x.x.xx-y_i386.deb
dpkg -i iproute_x.x.xx-y_i386.deb

8. Reboot the system and choose the new kernel:


9. Now install and configure the scripts (see Scripts installation below for further information).

System from sources

This is a much harder way to get a working system, but you will be able to add anything you need to the kernel.

1. Download and unpack the latest version of the sources (see the Download section):

cd /usr/src
tar zxvf system-source-x.x.xx-y.tar.gz

2. Download and unpack the matching version of the Linux kernel (the kernel version must match the system-source version):

cd /usr/src
tar jxf linux-x.x.xx.tar.bz2

Point the /usr/src/linux symlink at the unpacked /usr/src/linux-x.x.xx directory.

3. Patch the kernel with the patches from system-source-x.x.xx-y.tar.gz:

cd /usr/src
cp /usr/src/system-source-x.x.xx/kernel/kernel-x.x.xx.diff /usr/src/linux
cp /usr/src/system-source-x.x.xx/kernel/.config /usr/src/linux
cd /usr/src/linux
patch -p1 < kernel-x.x.xx.diff

The kernel sources are now patched. At this point you can add your own patches and the optional patches included in the system-source package (e.g. the zph patch).

4. Configure the kernel:

cd /usr/src/linux
make menuconfig

Select what you need (e.g. additional drivers), save the settings and exit; the compilation itself is started by make-kpkg in the next step.


5. Build and install the kernel package:

make-kpkg --revision 1.0 --append-to-version -router --initrd kernel_image
dpkg -i linux-image-x.x.xx-router-1.0_i386.deb

If you want to remove a previous kernel package, use the following command:

dpkg -P linux-image-x.x.xx-router

6. iptables: compile the sources, build the package and install it:

cd /usr/src/system-source-x.x.xx/iptables/iptables-x.x.xx
make clean
dh_make -s -f ../iptables-x.x.xx.tar.bz2
dpkg-buildpackage -rfakeroot
dpkg -i ../iptables_x.x.xx_i386.deb

7. iproute2: compile the sources, build the package and install it:

cd /usr/src/system-source-x.x.xx/iproute2/iproute2-x.x.xx
make clean
dh_make -s -p "iproute" -f ../iproute2-x.x.xx.tar.bz2
dpkg-buildpackage -rfakeroot
dpkg -i ../iproute_x.x.xx_i386.deb

8. Reboot the system and choose the new kernel:


9. Check the version of the loaded kernel:

uname -a

You should get something like this:

Linux dom x.x.xx-router #9 SMP Sun Jul 20 21:52:21 CEST 2008 i686 GNU/Linux

10. Now install and configure the scripts (see Scripts installation below for further information).

Scripts installation

During this part you should be very careful, because you can lose your connection to the router (e.g. if you are working over SSH).

After the scripts are running, TCP port 60022 is opened for SSH access from anywhere except the hosts specified in the HATEHOSTS directive. Move your SSH server to this port before starting the scripts; a session on any other port may be cut off by the first rc.firewall start. Because port 60022 is reachable from the whole Internet, harden sshd accordingly (key-based authentication, no password login for root).

This description has been prepared for Debian distribution.


After preparing your system you can install and configure the scripts.

1. Download the latest stable version from the "Download" section, unpack it and copy the scripts to the /etc/inet directory:

tar zxvf +yyyyyyyy.tar.gz
cd +yyyyyyyy
cp rc.firewall /etc/inet
cp rc.hfsc /etc/inet
cp rc.inet1 /etc/inet
cp rc.fire_account /etc/inet
cp rc.fire_conf /etc/inet
cp rc.fire_count /etc/inet
cp rc.fire_fast /etc/inet
cp rc.fire_ip /etc/inet
cp rc.fire_ipsec /etc/inet
cp rc.fire_local /etc/inet
cp rc.fire_mac /etc/inet
cp rc.fire_nat /etc/inet
cp rc.fire_proxy /etc/inet
cp rc.fire_port /etc/inet
cp rc.fire_qos /etc/inet
cp rc.fire_service /etc/inet
cp rc.status /etc/inet

2. Set up the file permissions (the rc.fire_* configuration files are readable by root only; the three rc.* scripts are executable):

cd /etc/inet
chmod 700 rc.firewall
chmod 700 rc.hfsc
chmod 700 rc.inet1
chmod 600 rc.fire_account
chmod 600 rc.fire_conf
chmod 600 rc.fire_count
chmod 600 rc.fire_fast
chmod 600 rc.fire_ip
chmod 600 rc.fire_ipsec
chmod 600 rc.fire_local
chmod 600 rc.fire_mac
chmod 600 rc.fire_nat
chmod 600 rc.fire_proxy
chmod 600 rc.fire_port
chmod 600 rc.fire_qos
chmod 600 rc.fire_service
chmod 700 rc.status

3. Download the protocol definitions from Application Layer Packet Classifier for Linux (l7-filter) and unpack them to the /etc/l7-protocols directory.

The next step replaces the standard Debian interfaces configuration. You can skip it and run only the rc.firewall and rc.hfsc scripts instead.

4. Replace /etc/init.d/networking so that the scripts run every time the system boots:

#! /bin/sh
# Startup script for network configuration
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
case "$1" in
  start)
    /etc/inet/rc.inet1 start
    /etc/inet/rc.firewall start
    /etc/inet/rc.hfsc start
    ;;
  stop)
    /etc/inet/rc.inet1 stop
    /etc/inet/rc.firewall stop
    /etc/inet/rc.hfsc stop
    ;;
  restart)
    /etc/inet/rc.inet1 stop
    /etc/inet/rc.firewall stop
    /etc/inet/rc.hfsc stop
    /etc/inet/rc.inet1 start
    /etc/inet/rc.firewall start
    /etc/inet/rc.hfsc start
    ;;
  *)
    echo "Usage: /etc/init.d/networking {start|stop|restart}"
    exit 1
    ;;
esac
exit 0
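Because rc.firewall start can lock you out of the SSH session you started it from (and rc.firewall temp, listed under Useful commands, only falls back to a bare DROP-plus-SSH policy), here is a small lockout guard as an added example. It is not part of i.NET; the command names, state directory and grace period are this example's assumptions. It snapshots the live ruleset with iptables-save, runs the command that installs the new rules, and restores the snapshot after GUARD_SECONDS unless you confirm from a fresh connection.

```shell
#!/bin/sh
# inet-guard.sh: apply a new ruleset with automatic rollback (added example,
# not part of i.NET). Restores the ruleset that was live before the change
# unless "confirm" is run from a new SSH session within GUARD_SECONDS.
# The tunables below are this example's assumptions (override via environment).
IPT_SAVE="${IPT_SAVE:-iptables-save}"           # dumps the live rules to stdout
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"  # loads a dump from stdin
STATE_DIR="${STATE_DIR:-/var/run/inet-guard}"
GUARD_SECONDS="${GUARD_SECONDS:-60}"

# guard_apply CMD...: snapshot the live rules, run CMD (e.g. /etc/inet/rc.firewall
# start), then arm a watchdog that restores the snapshot when the grace period
# ends while the "pending" marker is still there. If CMD fails, roll back at once.
guard_apply() {
  mkdir -p "$STATE_DIR" || return 1
  rm -f "$STATE_DIR/result"
  "$IPT_SAVE" > "$STATE_DIR/snapshot" || return 1
  : > "$STATE_DIR/pending"
  if ! "$@"; then
    "$IPT_RESTORE" < "$STATE_DIR/snapshot"
    rm -f "$STATE_DIR/pending"
    echo failed > "$STATE_DIR/result"
    return 1
  fi
  # nohup: the watchdog must outlive the SSH session it may be about to rescue.
  nohup sh -c '
    sleep "$1"
    if [ -f "$2/pending" ]; then
      "$3" < "$2/snapshot"
      rm -f "$2/pending"
      echo rolled_back > "$2/result"
    fi' inet-guard "$GUARD_SECONDS" "$STATE_DIR" "$IPT_RESTORE" >/dev/null 2>&1 &
  echo $! > "$STATE_DIR/watchdog.pid"
}

# guard_confirm: run from a NEW connection once you know the rules let you in.
guard_confirm() {
  [ -f "$STATE_DIR/pending" ] || return 1
  rm -f "$STATE_DIR/pending"
  kill "$(cat "$STATE_DIR/watchdog.pid")" 2>/dev/null || true
  echo confirmed > "$STATE_DIR/result"
}

# guard_state: pending | confirmed | rolled_back | failed | idle
guard_state() {
  if [ -f "$STATE_DIR/pending" ]; then echo pending
  elif [ -f "$STATE_DIR/result" ]; then cat "$STATE_DIR/result"
  else echo idle; fi
}

case "${1:-}" in
  apply)   shift; guard_apply "$@" ;;
  confirm) guard_confirm ;;
  state)   guard_state ;;
esac
```

Run `sh inet-guard.sh apply /etc/inet/rc.firewall start`, open a new SSH session to port 60022 and run `sh inet-guard.sh confirm` there; if the new session never gets in, the previous ruleset is back after the grace period. IPT_SAVE and IPT_RESTORE must be single command names (a wrapper script is fine), because the watchdog runs them in a detached shell.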



rc.fire_conf is used to set up the main options.

# ----------------- "rc.fire_conf" ------------------
#    All rights reserved for B@roo 2000-2009
# ---------------------------------------------------
# Security
 BOGON_FILTERING="yes"                                                  # yes, (nothing)
 HATEHOSTS=""                                                           #
 HATEPORTS="yes"                                                        # yes, (nothing)
 MAC_PROTECT=""                                                         # yes, internet, (nothing)
 SPAM_RELAY=""                                                          #;;9199, (nothing)
 TTL_CHANGE=""                                                          #;255
 LOGS=""                                                                #
# Local interfaces
 DHCP_ALLOW="eth1"                                                      # eth1
 BASIC_FORWARD=""                                                       #;
# Internet sharing
 NAT_ENABLE="yes"                                                       # yes, (nothing), MASQUERADE
 INTERNET_ETH="eth0"                                                    # ppp0
 INTERNET_IP=""                                                         #
 NAT_COUNTER_ACCOUNT="all;"                                             # all:
 PROXY_IP=""                                                            #;8080, REDIRECT;3128
 REDIRECT=""                                                            #;;;53;udp
# QoS
 DOWNLOAD="980"                                                         # 1024 (kbit)
 UPLOAD="245"                                                           # 256 (kbit)
 QOS_CRIT_FAST_BAND="80;50;soft"                                        # down_rate;up_rate;hard/soft (kbit)
 QOS_CRIT_DATA_BAND="50;20;soft"                                        # down_rate;up_rate;hard/soft (kbit)
 QOS_PRIO_BAND="40;15"                                                  # down_rate;up_rate (kbit)
 QOS_ROUTER_BAND="20;auto;20;auto"                                      # down_rate;down_ceil;up_rate;up_ceil (kbit)
 QOS_ALLOW_METHOD="sfq"                                                 # sfq, esfq
# P2P
 P2P_DENY=""                                                            # (drop p2p traffic)
 P2P_BAND="800;170"                                                     # down_rate;up_rate (limit p2p traffic)
 P2P_PROTOCOLS_DENY="applejuice ares directconnect edonkey fasttrack gnutella imesh openft mute"

# Security
BOGON_FILTERING="" - enables bogon traffic filtering on the WAN interface (packets arriving from the Internet with source addresses that cannot legitimately come from there, e.g. private or reserved ranges, are dropped).

HATEHOSTS="" - list of banned hosts/networks (inside and outside the network), separated by spaces.

HATEPORTS="yes" - block all Internet traffic on TCP and UDP ports 135, 137, 139 and 445 (MS-RPC and NetBIOS/SMB; useful for limiting some viruses and harmless for typical Internet traffic).

MAC_PROTECT="" - enable per-MAC protection for all traffic (yes) or only for Internet traffic (internet). For further settings see rc.fire_mac.

SPAM_RELAY="" - redirect all SMTP traffic from the specified network to some anti-spam software (for example, ;;9199 redirects all SMTP traffic from that network to port 9199 on localhost).

TTL_CHANGE="" - change the default TTL of packets sent to the specified network (e.g. ;255).

LOGS="" - list of hosts/networks (separated by spaces) whose Internet traffic will be logged (for details see the LOG target in the iptables manual).
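What BOGON_FILTERING and HATEPORTS amount to in iptables terms, plus the check to run before switching bogon filtering on, as an added example; this is not i.NET's own rc.firewall, which is not on this page. The prefix list, the interface name and the rule placement are this example's assumptions, and it only prints the commands.

```shell
#!/bin/sh
# Added example, not i.NET's rc.firewall: the rules behind BOGON_FILTERING="yes"
# and HATEPORTS="yes", and a pre-flight check for the bogon list. Prints only.
WAN="${INTERNET_ETH:-eth0}"   # assumed WAN device, same name as in rc.fire_conf

# Source prefixes that must never arrive from the Internet (RFC 1918 and friends).
BOGONS="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4"

# The ports HATEPORTS blocks: MS-RPC and NetBIOS/SMB, the classic worm vector.
HATEPORTS_LIST="135,137,139,445"

ip2int() {  # dotted quad -> 32-bit integer
  old=$IFS; IFS=.; set -- $1; IFS=$old
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX/LEN: exit 0 if IP lies inside the prefix
in_cidr() {
  net=${2%/*}; len=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# bogon_hit IP: print the bogon prefix containing IP, exit 1 if none. Run it on
# the WAN gateway: a DSL modem on a private address would be silenced by its own
# prefix, so that prefix must be removed from BOGONS before enabling the filter.
bogon_hit() {
  for p in $BOGONS; do
    if in_cidr "$1" "$p"; then echo "$p"; return 0; fi
  done
  return 1
}

bogon_rules() {  # drop spoofed sources on WAN ingress, inserted ahead of any ACCEPT
  for p in $BOGONS; do
    echo "iptables -I INPUT 1 -i $WAN -s $p -j DROP"
    echo "iptables -I FORWARD 1 -i $WAN -s $p -j DROP"
  done
}

hateport_rules() {  # block the worm ports through the router and towards it
  for proto in tcp udp; do
    echo "iptables -I FORWARD 1 -p $proto -m multiport --dports $HATEPORTS_LIST -j DROP"
    echo "iptables -I INPUT 1 -i $WAN -p $proto -m multiport --dports $HATEPORTS_LIST -j DROP"
  done
}
```

The bogon rules sit on the WAN interface only; the same prefixes are of course legitimate on the LAN side, which is why the filter must be tied to -i $WAN and not applied globally.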

# Local interfaces
DHCP_ALLOW="eth2" - allow access to the DHCP server on the specified interfaces.

BASIC_FORWARD=";" - configure forwarding between subnets (also over virtual interfaces).

# Internet sharing
NAT_ENABLE="yes" - enable NAT (yes) on the router, or MASQUERADE (MASQUERADE) for connections with a dynamic IP address (remember to restart the scripts every time you obtain a new IP address).

INTERNET_ETH="eth0" - the Internet (WAN) interface.

INTERNET_IP="" - the Internet (WAN) IP address.

NAT_COUNTER_ACCOUNT="all;" - configure the ipt_account module to collect Internet traffic statistics for the specified network (see rc.fire_count for more options).

PROXY_IP="" - configure the proxy server IP address and port for transparent proxy forwarding, with the proxy on the router (REDIRECT;3128) or on an external machine (;8080). See rc.fire_proxy for more options.

REDIRECT="" - configure simple redirections for hosts or networks (for example, to forward DNS requests set this to ;;;53;udp).

Before configuring this section please read the QoS notes at the end of the page.

# QoS
DOWNLOAD="1000" - download bitrate in kbit/s.

UPLOAD="250" - upload bitrate in kbit/s.

QOS_CRIT_FAST_BAND="80;50;soft" - the guaranteed bandwidth for the CRIT_FAST queue (used for VoIP and other traffic that needs low delay). "hard" means that this bandwidth is not shared with other queues. Format: down_rate;up_rate;hard/soft (kbit).

QOS_CRIT_DATA_BAND="50;20;soft" - the guaranteed bandwidth for the CRIT_DATA queue (used for VPN and other heavy traffic). "hard" means that this bandwidth is not shared with other queues. Format: down_rate;up_rate;hard/soft (kbit).

QOS_PRIO_BAND="40;15" - the guaranteed bandwidth for the PRIO queue (the queue for ICMP, DNS and ACK packets). Format: down_rate;up_rate (kbit).

QOS_ROUTER_BAND="20;auto;20;auto" - the bandwidth of the ROUTER queue (traffic of the router itself; important for routers that offer services to the Internet). Format: down_rate;down_ceil;up_rate;up_ceil (kbit).

QOS_ALLOW_METHOD="sfq" - use SFQ (for per-host queues) or ESFQ (for per-network queues) inside the user queues.

# P2P
P2P_DENY="" - enable P2P blocking for the specified networks or hosts (separated by spaces).

P2P_BAND="700;150" - enable P2P queuing and set the maximum download and upload bitrate for P2P traffic. Format: down_rate;up_rate (kbit).

P2P_PROTOCOLS_DENY="applejuice ares directconnect edonkey fasttrack gnutella imesh openft mute" - protocols (names according to the layer7 documentation) that are matched as P2P traffic for blocking (used by the P2P_DENY directive).

P2P_PROTOCOLS_BAND="bittorrent" - protocols (names according to the layer7 documentation) that are matched as P2P traffic for queuing (used by the P2P_BAND directive).


File for specifying per-user (per-network) Internet access limitations. Here you can define what kind of traffic is allowed for some hosts or subnets. Remember, first you have to allow all Internet traffic for them using rc.fire_nat and rc.fire_qos.

# ----------------------------------------
#               rc.fire_access
# ----------------------------------------
# (pattern;protocol;dest_ip;dport;time;action (port eg.: 22-25,80))
# Allow only ICMP protocol from 11:00 to 18:00 in Mon, Tue, Wed, Thu and Fri for host with ip address
# Block outgoing SMTP traffic


File for specifying the accounted IP addresses (see the ipt_account module manual). First the NAT_COUNTER_ACCOUNT variable in rc.fire_conf must be configured properly. Statistics can be accessed via rc.status.

# ----------------------------------------
#               rc.fire_count
# ----------------------------------------
# (ip_address from ipt_account)


File for specifying traffic that will be marked as critical fast (FAST) or critical data (DATA). The parameters of these queues are configured in rc.fire_conf with the QOS_CRIT_FAST_BAND and QOS_CRIT_DATA_BAND variables. Do not put too high values there, because your router will not be able to guarantee that bandwidth (typically use no more than 30% of your total bandwidth for these queues). Also do not classify heavy traffic like HTTP, FTP or SMTP here (these queues are not intended for such traffic). The FAST queue should be used for traffic like ssh, skypetoskype, sip or rtp, whereas the DATA queue is intended for VPN connectivity like OpenVPN. In these definitions the source is an IP address in your local network and the destination an IP address on the Internet.

# ----------------------------------------
#               rc.fire_fast
# ----------------------------------------
# (pattern;protocol;source_ip;sport;dest_ip;dport:class (port eg.: 22-25,80))


File for specifying any additional IP addresses from your public range that you use inside your network. These rules allow traffic between the specified IP address in the local network and the Internet. Use this when your public range is routed inside your network or when you use the proxy_arp functionality.

# ----------------------------------------
#               rc.fire_ip
# ----------------------------------------
# (external_ip;max_conn)


In this file you can allow traffic such as IP protocols 50 and 51 (ESP and AH) and UDP ports 500 and 4500 (IKE and NAT-T) between tunnel_endpoint and local_ip. This is for IPsec compatibility (so-called IPsec passthrough).

# ----------------------------------------
#               rc.fire_ipsec
# ----------------------------------------
# (tunnel_endpoint;local_ip)


File for specifying LAN access. It can be used to allow access to a service running on the router from the local network. By default, if nothing is specified, ICMP traffic and SSH on port 60022 are allowed.

# ----------------------------------------
#               rc.fire_local
# ----------------------------------------
# (interface;ip_address;protocol;port)


File for specifying the allowed MAC addresses on the listed interfaces. The MAC_PROTECT variable in rc.fire_conf has to be set to use this feature. Note that a client can change its MAC address at will, so this ties addresses to hosts against accidents and casual misuse, not against a determined attacker.

# ----------------------------------------
#               rc.fire_mac
# ----------------------------------------
# (ip-address_mac)


File for specifying the addresses that get Internet access (via NAT with INTERNET_IP as the outgoing IP address). The second parameter is the maximum number of concurrent connections (use it to limit some "bad" users).

# ----------------------------------------
#               rc.fire_nat
# ----------------------------------------
# (ip_address;max_conn)


File for specifying port forwarding. The example is for the BitTorrent protocol: it allows packets from the Internet for INTERNET_IP with destination port 6881 to be forwarded to port 6881 on the given local host. The last parameter limits access from the outside to a single IP address (purely a security measure: the forwarded port is then not reachable from the whole Internet).

# ----------------------------------------
#               rc.fire_port
# ----------------------------------------
# (protocol;external_port;local_ip;port;internal_port;allow_ip)


File for specifying the IP addresses in the local network whose HTTP traffic will all be forwarded to the proxy. The PROXY_IP variable in rc.fire_conf must be configured to use this feature.

# ----------------------------------------
#               rc.fire_proxy
# ----------------------------------------
# (ip_address;gateway_ip)


File for specifying per-user (per-network) queues and their bandwidth. Ceil is the maximum queue bandwidth, rate the guaranteed bandwidth. Do not set rate values too high, because your router will not be able to guarantee that bandwidth (the sum of all guaranteed rates must stay below the link rate). In most cases use the "auto" option unless you know what you are doing.

# ----------------------------------------
#               rc.fire_qos
# ----------------------------------------
# (ip;down_rate;down_ceil;up_rate;up_ceil)


File for specifying access to services running on the router from the Internet. The following example allows SNMP traffic to the router from the given IP address. The last parameter can be set to all if you do not want this restriction (the service is then exposed to the whole Internet).

# ----------------------------------------
#               rc.fire_services
# ----------------------------------------
# (protocol;external_port;allow_ip)
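The three record formats above (rc.fire_ipsec, rc.fire_port and rc.fire_services) rendered into iptables commands, as an added example; this is not i.NET's rc.firewall, which is not on this page. The rc.fire_port layout used here has the five fields the description actually explains (protocol;external_port;local_ip;internal_port;allow_ip); the default WAN address, the stateful NEW match and the rule shapes are this example's assumptions, and nothing is applied: the output is meant to be reviewed.

```shell
#!/bin/sh
# Added example, not i.NET's rc.firewall: render rc.fire_ipsec, rc.fire_port and
# rc.fire_services records into iptables commands with the allow_ip restriction
# applied. Record layouts follow the page's comment headers (rc.fire_port
# reduced to the five explained fields); everything else is assumed.
WAN="${INTERNET_ETH:-eth0}"
WAN_IP="${INTERNET_IP:-198.51.100.10}"   # assumed router WAN address (documentation range)

split_record() {  # split a ';'-separated record into F1..F6 and the field count NF
  old=$IFS; IFS=';'; set -f; set -- $1; set +f; IFS=$old
  F1=${1:-}; F2=${2:-}; F3=${3:-}; F4=${4:-}; F5=${5:-}; F6=${6:-}; NF=$#
}
is_port()  { case $1 in ''|*[!0-9]*) return 1;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
is_proto() { case $1 in tcp|udp) return 0;; *) return 1;; esac; }
is_addr()  { case $1 in ''|*[!0-9./]*) return 1;; *) return 0;; esac; }  # loose: quad or CIDR
src_opt()  { [ "$1" = all ] && return 0; printf ' -s %s' "$1"; }        # "all" = no source match

# rc.fire_port: protocol;external_port;local_ip;internal_port;allow_ip
port_forward_rules() {
  split_record "$1"
  [ "$NF" -eq 5 ] && is_proto "$F1" && is_port "$F2" && is_addr "$F3" && is_port "$F4" \
    && { [ "$F5" = all ] || is_addr "$F5"; } \
    || { echo "bad rc.fire_port record: $1" >&2; return 1; }
  src=$(src_opt "$F5")
  # DNAT only rewrites the destination; the FORWARD rule is still needed because
  # the forward chain defaults to DROP, and it repeats the source restriction.
  printf 'iptables -t nat -A PREROUTING -i %s%s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN" "$src" "$F1" "$WAN_IP" "$F2" "$F3" "$F4"
  printf 'iptables -A FORWARD -i %s%s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
    "$WAN" "$src" "$F1" "$F3" "$F4"
}

# rc.fire_services: protocol;external_port;allow_ip (a service on the router itself)
service_rules() {
  split_record "$1"
  [ "$NF" -eq 3 ] && is_proto "$F1" && is_port "$F2" && { [ "$F3" = all ] || is_addr "$F3"; } \
    || { echo "bad rc.fire_services record: $1" >&2; return 1; }
  printf 'iptables -A INPUT -i %s%s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
    "$WAN" "$(src_opt "$F3")" "$F1" "$F2"
}

# rc.fire_ipsec: tunnel_endpoint;local_ip (ESP, AH, IKE and NAT-T in both directions)
ipsec_passthrough_rules() {
  split_record "$1"
  [ "$NF" -eq 2 ] && is_addr "$F1" && is_addr "$F2" \
    || { echo "bad rc.fire_ipsec record: $1" >&2; return 1; }
  for m in '-p esp' '-p ah' '-p udp --dport 500' '-p udp --dport 4500'; do
    printf 'iptables -A FORWARD -i %s -s %s -d %s %s -j ACCEPT\n' "$WAN" "$F1" "$F2" "$m"
    printf 'iptables -A FORWARD -o %s -s %s -d %s %s -j ACCEPT\n' "$WAN" "$F2" "$F1" "$m"
  done
}
```

A malformed record (unknown protocol, port out of range, wrong field count) is rejected instead of producing a rule that silently matches nothing or too much; with `allow_ip` set to `all` the `-s` match is simply omitted, which is exactly the exposure the descriptions above warn about.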


Script that configures interfaces, subinterfaces and the proxy_arp functionality.

# ------------- INET1 1.0.0 "rc.inet1" ---------------
# All rights reserved for B@roo 2000-2009
# -----------------------------------------------------
#set -x
# --------------------- Configuration -----------------
# Interfaces
# These parameters configure the WAN side. The first IP address is assigned to the eth0 interface. proxy_arp is also enabled.
# These parameters configure the LAN side. The first IP address is assigned to the eth1 interface. proxy_arp is also enabled.
# Proxy arp forwarding
# Configure the local interface that handles all proxy_arp users.
# First WAN IP address with netmask.
# WAN network address with netmask.
# Other IP addresses from our range that can be used in the local network as external addresses, with the gateway set to the external IP address of the router. Don't forget to put all these addresses in rc.fire_ip and rc.fire_qos.
# Default gateway:
# Configure the default gateway for this network (e.g. the DSL modem IP address).

After configuring proxy_arp in rc.inet1 you must allow this traffic in rc.fire_ip and set up additional queues in rc.fire_qos. For clients inside the network use the IP addresses defined in the PROXY_ARP_ADDRESS variable, with the default gateway set to the same value as INTERNET_IP in rc.fire_conf.

QoS notes – improving your connection and minimizing delays under high load

Unfortunately, on most connections (DSL and the like) it is difficult to get low delays and full use of the bandwidth at the same time, because we cannot control the rate at which servers on the Internet send data to us; a shaper only controls the queue it owns. It is therefore good practice to set the maximum upload and download speeds to 95-98% of the real bandwidth, so that the queue builds on the router rather than in the modem or at the provider. For example, for a DSL line whose real speed is 1024/256 kbit/s, put values like 1000/245 in the configuration files. The exact values depend on the environment and the kind of traffic and should be found by simple experiments on the real network (e.g. watching the ping time from one of the computers to a reliable server on the Internet while downloading a large file).
It is also very important to know how much bandwidth you really have. With large providers this is usually fine, but small providers are often unable to deliver the nominal bandwidth all the time, and then there is no guarantee that queuing works properly: tc shapes to the configured rate, and when the line delivers less than that, the bottleneck moves back out of the router's control.
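For the rc.fire_qos record format and the advice above (keep the guaranteed rates below the link, shape a few percent under the real speed), an added example that is not i.NET's rc.hfsc (which is not on this page): it checks the guarantees and prints the HFSC class tree with tc. The device names, class ids, the 97% factor, the use of the LAN interface's egress instead of an IMQ device for the download direction and the sample records are this example's assumptions.

```shell
#!/bin/sh
# Added example, not i.NET's rc.hfsc: turn rc.fire_qos-style records
# "ip;down_rate;down_ceil;up_rate;up_ceil" into an HFSC class tree for one
# direction, after checking that the guaranteed rates fit the link. Download is
# shaped on the LAN-facing device's egress here instead of an IMQ device; class
# ids, the 97 % factor and the sample records are assumptions of this example.

# Shape a few percent below the measured link speed (the page suggests 95-98 %)
# so the queue builds on the router, where HFSC controls it, not in the modem.
shaped_rate() { echo $(( $1 * $2 / 100 )); }   # shaped_rate 1024 97 -> 993

# "auto" as a ceil means "may borrow up to the whole shaped link".
resolve_ceil() { if [ "$1" = auto ]; then echo "$2"; else echo "$1"; fi; }

# check_guarantees LINK FIELD RESERVE: read records on stdin, sum the guaranteed
# rate in FIELD (2 = down_rate, 4 = up_rate) and fail if that sum plus RESERVE
# (what the CRIT/PRIO/ROUTER queues already promise) exceeds LINK. A tree whose
# real-time curves add up to more than the link cannot honour any of them.
check_guarantees() {
  link=$1; field=$2; reserve=${3:-0}; sum=0
  while IFS=';' read -r ip f2 f3 f4 f5; do
    [ -n "$ip" ] || continue
    case $field in 2) sum=$((sum + f2)) ;; 4) sum=$((sum + f4)) ;; esac
  done
  [ $((sum + reserve)) -le "$link" ]
}

# hfsc_user_classes DEV LIN DIR [DEFAULT_RATE]: print the tc commands, records on
# stdin. DIR "down" matches the LAN host as destination, "up" as source. 1:1 is
# the link class, 1:2 the default leaf for unclassified traffic, 1:10.. one leaf
# per record; "sc" sets the real-time and link-sharing curve, "ul" caps borrowing
# at the ceil. Each leaf gets SFQ, as with QOS_ALLOW_METHOD="sfq".
hfsc_user_classes() {
  dev=$1; link=$2; dir=$3; dflt=${4:-$((link / 10))}; id=10
  echo "tc qdisc add dev $dev root handle 1: hfsc default 2"
  echo "tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${link}kbit ul rate ${link}kbit"
  echo "tc class add dev $dev parent 1:1 classid 1:2 hfsc sc rate ${dflt}kbit ul rate ${link}kbit"
  echo "tc qdisc add dev $dev parent 1:2 handle 2: sfq perturb 10"
  while IFS=';' read -r ip drate dceil urate uceil; do
    [ -n "$ip" ] || continue
    if [ "$dir" = down ]; then
      rate=$drate; ceil=$(resolve_ceil "$dceil" "$link"); match=dst
    else
      rate=$urate; ceil=$(resolve_ceil "$uceil" "$link"); match=src
    fi
    echo "tc class add dev $dev parent 1:1 classid 1:$id hfsc sc rate ${rate}kbit ul rate ${ceil}kbit"
    echo "tc qdisc add dev $dev parent 1:$id handle $id: sfq perturb 10"
    echo "tc filter add dev $dev parent 1: protocol ip prio 10 u32 match ip $match $ip flowid 1:$id"
    id=$((id + 1))
  done
}

# Constructed sample: a 1024/256 kbit line and two rc.fire_qos records.
SAMPLE_RECORDS='192.168.1.10;100;auto;30;auto
192.168.1.0/24;200;500;60;100'

if [ "${1:-}" = demo ]; then
  down=$(shaped_rate 1024 97); up=$(shaped_rate 256 97)
  printf '%s\n' "$SAMPLE_RECORDS" | check_guarantees "$down" 2 150 || echo "download guarantees exceed the link" >&2
  printf '%s\n' "$SAMPLE_RECORDS" | check_guarantees "$up" 4 85 || echo "upload guarantees exceed the link" >&2
  printf '%s\n' "$SAMPLE_RECORDS" | hfsc_user_classes eth1 "$down" down
  printf '%s\n' "$SAMPLE_RECORDS" | hfsc_user_classes eth0 "$up" up
fi
```

`sh hfsc-example.sh demo` prints the download tree for eth1 and the upload tree for eth0; the RESERVE argument of check_guarantees is where the CRIT_FAST, CRIT_DATA, PRIO and ROUTER rates from rc.fire_conf go, since those are promised before any user queue.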

Useful commands

./rc.firewall temp – start a background process that after 60 seconds flushes all rules, sets the default policy to DROP and allows SSH access on port 60022 (a safety net against locking yourself out while testing new rules)
./rc.firewall start – start the firewall (set the iptables rules; also used to reload the rules)
./rc.firewall stop – stop the firewall (flush the iptables rules and change the default policy to ACCEPT, which leaves the router unprotected)
./rc.hfsc start – start HFSC queuing (set the tc rules; also used to reload the rules)
./rc.hfsc stop – stop HFSC queuing
./rc.status qos-state – show the status of the queues
./rc.status qos-status – show the configuration of the queues
./rc.status counter-show – show Internet traffic counters (per address specified in rc.fire_count)
./rc.status counter-save – save Internet traffic counters (useful before a firewall restart)
./rc.status counter-load – load Internet traffic counters (useful after a firewall restart)


System – sources

Package content (check the md5sum listed for each archive after downloading; it catches a corrupted download, but MD5 is no longer a defence against deliberate tampering):
patch-kernel-xxx.diff – patch for kernel xxx
.config – configuration for kernel compilation
iptables-xxx.tar.bz2 – iptables sources
patch-iptables-xxx.diff – patch for iptables
iproute2-xxx.tar.gz – iproute2 sources
patch-iproute2-xxx.diff – patch for iproute2

system-source- (md5sum:e70fc2af84814bc5ca642c1c9ed963f1)
system-source- (md5sum:243033ad89b948d77ff9fc0624fcf8b9)
system-source- (md5sum:0a0189aa2ce2b64bffe1f9c581696ccd)
system-source- (md5sum:5fc6425e6b837b8f6511ddb182f942bc)
system-source- (md5sum:4faa3f6bbea4f2784bc0e9dd8f651b63)
system-source- (md5sum:17c6bf2c860bd942abdfdd9472942e7b)

System – binaries

Package content:
linux-xxx-router.deb – kernel binaries with appropriate patches (compiled and ready to install)
iproute2-xxx.deb – iproute2 binaries package
iptables-xxx.deb – iptables binaries package

system-binary- (md5sum:97e5b643c45eeb5069550b2831cac1be)
system-binary- (md5sum:545ba0775bd46091dd0e9f93eded2766)
system-binary- (md5sum:8e1facc3aed81e88ce14911ba4609b0f)
system-binary- (md5sum:ca8b323e6297dd7ffac7cf7201d5fbd6)
system-binary- (md5sum:07c1d6547e5a7ccb3d5d5237ef546ef0)
system-binary- (md5sum:2d4c6a77ff26497b76920716bcbc2f5c)

Configuration scripts

Package content:
rc.fire_access – access configuration file
rc.fire_conf – main configuration file
rc.fire_count – counters configuration
rc.fire_fast – prio queues configuration
rc.fire_mac – MAC restriction configuration
rc.fire_nat – NAT configuration
rc.fire_port – port forwarding configuration
rc.fire_proxy – transparent proxy forwarding configuration
rc.fire_qos – per-user queues configuration
rc.firewall – iptables script
rc.hfsc – hfsc script
rc.inet1 – interfaces configuration script

+20100518.tar.gz (md5sum: 410c43e62b15432eb7b617d035472f37) - experimental
+20100126.tar.gz (md5sum: 9172cf102b4e0eb5e1e397d06f6b7eb0) - latest stable
+20091229.tar.gz (md5sum: 0bc3ae97d73008d4021e9c8c900b057f)
+20090623.tar.gz (md5sum: f0eafb905e3b2b1cfc6a8cd676c1719e)
+20090215.tar.gz (md5sum: aa123e754c0dc605b484d152d355638b)
+20080806.tar.gz (md5sum: 45473b7722a1fb5374e5b283d3601fcb)
+20040126.tar.gz (md5sum: ff9923ca3eae6b071842926ee0b11450)


Project maintainer: Bartek Kois admin(at)telefonserwis(dot)pl

Project forum:

For commercial support please visit our homepage or contact me directly.
