bauer1j/gist:1320355

## gistfile1.sh
#!/bin/bash

iptables -t filter -F
iptables -t mangle -F

# Make sure that ecn is turned on for outgoing connections
sysctl -w net.ipv4.tcp_ecn=1

# Modify tcp syn retries as we mangle SYNs 3 and 4 to be non-ECN
sysctl -w net.ipv4.tcp_syn_retries=6

# Increase the capacity of the connection tracking system (note this has to be sized for the memory of the machine)
sysctl -w net.nf_conntrack_max=16777216
echo 1048576 > /sys/module/nf_conntrack/parameters/hashsize

# Set a low mss to maximize the number of packets we receive from the server
iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 300

# Check to see if the connection is ECN enabled
iptables -t filter -A OUTPUT -p tcp --syn -m ecn --ecn-tcp-cwr --ecn-tcp-ece --ecn-ip-ect 0 -j CONNMARK --set-mark 1
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m connmark --mark 1 -m ecn ! --ecn-tcp-cwr --ecn-tcp-ece -j CONNMARK --set-mark 6

# If we don't get a SYN/ACK after 2 attempts (a possible SYN/ECN blackhole), lets remove the bits and see if we can connect
# orig   retry1:  ECN
# retry2 retry3: non-ECN
iptables -t mangle -A OUTPUT  -p tcp -m conntrack --ctstate NEW -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes-dir original --connbytes-mode packets --connbytes 3:4 -j ECN --ecn-tcp-remove

# We keep setting CE on all outbound TCP packets with data until we hear a ECE.  (The first rule marks all TCP packets with data.)
iptables -t filter -A OUTPUT -p tcp -m connmark --mark 4/4 -m u32 --u32 "6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 0 & 0xFF = 0x0:0xFF" -j MARK  --set-mark 8
iptables -t filter -A INPUT  -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-ece -m connmark --mark 4/4 -j CONNMARK --set-mark 0/4
iptables -t mangle -A POSTROUTING -p tcp -m mark --mark 8 -j TOS --set-tos 3

# We keep causing our TCP stack to set ECE on all outbound TCP packets until we hear a CWR by setting CE on all inbound data packets
iptables -t mangle -A INPUT  -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-cwr -m connmark --mark 2/2 -j CONNMARK --set-mark 0/2
iptables -t mangle -A INPUT  -p tcp  -m connmark --mark 2/2 -m connbytes --connbytes 2: --connbytes-dir reply --connbytes-mode packets -j TOS --set-tos 3

echo
echo "******** Filter *************"
echo
sudo iptables -t filter -L -v
echo
echo "******** Mangle *************"
echo
sudo iptables -t mangle -L -v
	#!/bin/bash

	iptables -t filter -F
	iptables -t mangle -F

	# Make sure that ecn is turned on for outgoing connections
	sysctl -w net.ipv4.tcp_ecn=1

	# Modify tcp syn retries as we mangle SYNs 3 and 4 to be non-ECN
	sysctl -w net.ipv4.tcp_syn_retries=6

	# Increase the capacity of the connection tracking system (note this has to be sized for the memory of the machine)
	sysctl -w net.nf_conntrack_max=16777216
	echo 1048576 > /sys/module/nf_conntrack/parameters/hashsize

	# Set a low mss to maximize the number of packets we receive from the server
	iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 300

	# Check to see if the connection is ECN enabled
	iptables -t filter -A OUTPUT -p tcp --syn -m ecn --ecn-tcp-cwr --ecn-tcp-ece --ecn-ip-ect 0 -j CONNMARK --set-mark 1
	iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m connmark --mark 1 -m ecn ! --ecn-tcp-cwr --ecn-tcp-ece -j CONNMARK --set-mark 6

	# If we don't get a SYN/ACK after 2 attempts (a possible SYN/ECN blackhole), lets remove the bits and see if we can connect
	# orig retry1: ECN
	# retry2 retry3: non-ECN
	iptables -t mangle -A OUTPUT -p tcp -m conntrack --ctstate NEW -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes-dir original --connbytes-mode packets --connbytes 3:4 -j ECN --ecn-tcp-remove

	# We keep setting CE on all outbound TCP packets with data until we hear a ECE. (The first rule marks all TCP packets with data.)
	iptables -t filter -A OUTPUT -p tcp -m connmark --mark 4/4 -m u32 --u32 "6 & 0xFF = 6 && 0 >> 22 & 0x3C @ 12 >> 26 & 0x3C @ 0 & 0xFF = 0x0:0xFF" -j MARK --set-mark 8
	iptables -t filter -A INPUT -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-ece -m connmark --mark 4/4 -j CONNMARK --set-mark 0/4
	iptables -t mangle -A POSTROUTING -p tcp -m mark --mark 8 -j TOS --set-tos 3

	# We keep causing our TCP stack to set ECE on all outbound TCP packets until we hear a CWR by setting CE on all inbound data packets
	iptables -t mangle -A INPUT -p tcp ! --tcp-flags SYN SYN -m ecn --ecn-tcp-cwr -m connmark --mark 2/2 -j CONNMARK --set-mark 0/2
	iptables -t mangle -A INPUT -p tcp -m connmark --mark 2/2 -m connbytes --connbytes 2: --connbytes-dir reply --connbytes-mode packets -j TOS --set-tos 3

	echo
	echo "****** Filter ***********"
	echo
	sudo iptables -t filter -L -v
	echo
	echo "****** Mangle ***********"
	echo
	sudo iptables -t mangle -L -v