I am making iptables rules (shown below) to require authentication before clients can use the internet on my network.
# Generated by iptables-save v1.3.7 on Thu Sep 27 21:36:16 2007
# filter table. Default policies: INPUT and OUTPUT accept, FORWARD drops
# whatever no rule below accepts. d-band and u-band are user-defined chains.
*filter
:INPUT ACCEPT [15550931:4993465659]
:FORWARD DROP [70:3319]
:OUTPUT ACCEPT [2550730:366050128]
:d-band - [0:0]
:u-band - [0:0]
# Traffic addressed to the gateway itself: log, then drop, any packet whose
# payload contains one of these BitTorrent markers. --to 65535 is the upper
# offset bound of the KMP search, so each packet can be scanned in full.
# NOTE(review): a bare substring such as "peer_id" can occur in unrelated
# traffic, so these rules can drop legitimate packets — confirm acceptable.
-A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent protocol-INPUT "
-A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j LOG --log-prefix " peer_id-INPUT "
-A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j DROP
# Routed traffic: the same block is attempted with three matchers in turn
# (layer7, ipp2p, string), each as a LOG rule followed by DROP rules.
# NOTE(review): every forwarded packet walks all of these inspection rules
# before any ACCEPT rule is reached; the RELATED,ESTABLISHED rule is the last
# rule of the chain, so established flows get no shortcut past them.
# NOTE(review): the "-p udp" / "-p tcp" DROP rules appear redundant with the
# protocol-less DROP that follows each pair.
-A FORWARD -m layer7 --l7proto bittorrent -j LOG --log-prefix " Layer7-FORWARD "
-A FORWARD -p udp -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -p tcp -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -m ipp2p --bit -j LOG --log-prefix " ipp2p-FORWARD "
-A FORWARD -p udp -m ipp2p --bit -j DROP
-A FORWARD -p tcp -m ipp2p --bit -j DROP
-A FORWARD -m ipp2p --bit -j DROP
-A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j LOG --log-prefix " peer_id-FORWARD "
-A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent-FORWARD "
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
# NOTE(review): any payload containing "BitTorrent protocol" also contains
# "BitTorrent" and was dropped by the rule above, so this pair never matches.
-A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent_Protocol-FORWARD "
-A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
# Per-client rules. u-band and d-band each consist of a single unconditional
# ACCEPT, and ACCEPT is terminating, so a packet that jumps there is accepted
# and leaves FORWARD.
# NOTE(review): because the "-s <ip> -j u-band" jump comes first, the
# MAC-bound ACCEPT on the following line is never evaluated for that source;
# in this table the client is accepted on source IP alone.
-A FORWARD -s 192.168.11.44 -j u-band
-A FORWARD -s 192.168.11.44 -i eth+ -m mac --mac-source 00:13:8F:AB:B6:E3 -j ACCEPT
-A FORWARD -d 192.168.11.44 -j d-band
-A FORWARD -s 192.168.11.41 -j u-band
-A FORWARD -s 192.168.11.41 -i eth+ -m mac --mac-source 00:16:33:45:31:97 -j ACCEPT
-A FORWARD -d 192.168.11.41 -j d-band
# Everything else arriving on eth1 (presumably the client-side interface —
# confirm): TCP to any port other than 80 is rejected, the rest is accepted.
# NOTE(review): the second rule consults neither the packet mark nor the MAC,
# so non-TCP traffic from eth1 is forwarded whether or not the client matched
# an IP/MAC pair — confirm that is intended.
-A FORWARD -i eth1 -p tcp -m tcp ! --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Locally generated traffic to the two clients also passes through d-band.
-A OUTPUT -d 192.168.11.41 -j d-band
-A OUTPUT -d 192.168.11.44 -j d-band
# NOTE(review): both chains only ACCEPT; presumably they exist for
# per-direction traffic accounting — confirm. A RETURN target would count the
# packet without ending rule evaluation, but would change which later rule
# decides the packet's fate.
-A d-band -j ACCEPT
-A u-band -j ACCEPT
COMMIT
# Completed on Thu Sep 27 21:36:16 2007
# Generated by iptables-save v1.3.7 on Thu Sep 27 21:36:16 2007
# mangle table: classifies packets with a firewall mark that the nat table
# later uses to choose between two local redirects.
*mangle
:PREROUTING ACCEPT [14057263:1954363993]
:INPUT ACCEPT [15551431:4993650899]
:FORWARD ACCEPT [3361193:946148295]
:OUTPUT ACCEPT [14576749:5952904392]
:POSTROUTING ACCEPT [17892009:6896580346]
:maccheck - [0:0]
# TCP arriving on eth1, except destination port 53, is sent through maccheck,
# which sets mark 0x1. MARK is non-terminating, so evaluation continues here.
-A PREROUTING -i eth1 -p tcp -m tcp ! --dport 53 -j maccheck
# Packets that do not carry mark 0x1 leave the chain at this point. Only TCP
# is ever sent to maccheck, so all UDP on eth+ exits here unmarked.
-A PREROUTING -i eth+ -p udp -m mark ! --mark 0x1 -m udp -j ACCEPT
-A PREROUTING -i eth+ -p tcp -m mark ! --mark 0x1 -m tcp -j ACCEPT
# Packets still marked 0x1 whose source IP and MAC match a listed pair have
# the mark overwritten with a per-client value (0x37 / 0x34).
# NOTE(review): source IP and MAC are both set by the sending host, so this
# recognises a registered address pair rather than authenticating a user.
-A PREROUTING -s 192.168.11.44 -i eth+ -m mac --mac-source 00:13:8F:AB:B6:E3 -j MARK --set-mark 0x37
-A PREROUTING -s 192.168.11.41 -i eth+ -m mac --mac-source 00:16:33:45:31:97 -j MARK --set-mark 0x34
-A maccheck -j MARK --set-mark 0x1
COMMIT
# Completed on Thu Sep 27 21:36:16 2007
# Generated by iptables-save v1.3.7 on Thu Sep 27 21:36:16 2007
# nat table: redirects web traffic from eth1 according to the mark set in the
# mangle table, then masquerades outgoing traffic.
*nat
:PREROUTING ACCEPT [101989:6529473]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [99685:6344770]
# Mark 0x1 (no IP/MAC pair matched): TCP/80 is redirected to local port 80 —
# presumably the login page; confirm.
-A PREROUTING -i eth1 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 80
# Mark 0x1 may not reach port 3128 directly (presumably the proxy — confirm).
-A PREROUTING -i eth+ -p tcp -m mark --mark 0x1 -m tcp --dport 3128 -j DROP
# Any other mark: TCP/80 from eth1 is redirected to local port 3128.
-A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
# NOTE(review): no -o interface is given, so traffic leaving through every
# interface is masqueraded, including traffic routed back toward the clients.
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu Sep 27 21:36:16 2007


It works fine, but browsing the internet is very slow (I need to configure it in this format only). I tried removing some iptables rules (marked "remove" below):
# Generated by iptables-save v1.3.7 on Thu Sep 27 21:36:16 2007
# Second variant of the filter table. The trailing "---> remove" / "--> remove"
# text is the poster's annotation marking the rules deleted in this variant;
# it is not iptables-save syntax and must be stripped before restoring.
*filter
:INPUT ACCEPT [15550931:4993465659]
:FORWARD DROP [70:3319]
:OUTPUT ACCEPT [2550730:366050128]
:d-band - [0:0]
:u-band - [0:0]
# Payload inspection for packets addressed to the gateway: log and drop on
# BitTorrent marker strings, searching up to offset 65535 of each packet.
-A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent protocol-INPUT "
-A INPUT -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
-A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j LOG --log-prefix " peer_id-INPUT "
-A INPUT -m string --string "peer_id" --algo kmp --to 65535 -j DROP
# Payload inspection for routed packets (layer7, ipp2p, string). These rules
# are unchanged from the first variant and still precede every ACCEPT rule,
# so each forwarded packet is evaluated against all of them.
-A FORWARD -m layer7 --l7proto bittorrent -j LOG --log-prefix " Layer7-FORWARD "
-A FORWARD -p udp -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -p tcp -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -m layer7 --l7proto bittorrent -j DROP
-A FORWARD -m ipp2p --bit -j LOG --log-prefix " ipp2p-FORWARD "
-A FORWARD -p udp -m ipp2p --bit -j DROP
-A FORWARD -p tcp -m ipp2p --bit -j DROP
-A FORWARD -m ipp2p --bit -j DROP
-A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j LOG --log-prefix " peer_id-FORWARD "
-A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent-FORWARD "
-A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j LOG --log-prefix " BitTorrent_Protocol-FORWARD "
-A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
# Per-client rules. With the u-band jumps removed, the IP+MAC ACCEPT rules
# become the rules that actually admit traffic from the two clients.
# With the d-band jumps removed, packets addressed to the clients are
# accepted only by a later rule in this chain (the eth1 accept or the
# RELATED,ESTABLISHED rule).
-A FORWARD -s 192.168.11.44 -j u-band ---> remove
-A FORWARD -s 192.168.11.44 -i eth+ -m mac --mac-source 00:13:8F:AB:B6:E3 -j ACCEPT
-A FORWARD -d 192.168.11.44 -j d-band ---> remove
-A FORWARD -s 192.168.11.41 -j u-band ---> remove
-A FORWARD -s 192.168.11.41 -i eth+ -m mac --mac-source 00:16:33:45:31:97 -j ACCEPT
-A FORWARD -d 192.168.11.41 -j d-band --> remove
# From eth1: TCP to ports other than 80 is rejected, everything else accepted.
# NOTE(review): the accept rule checks neither mark nor MAC — confirm that
# forwarding non-TCP traffic for unmatched clients is intended.
-A FORWARD -i eth1 -p tcp -m tcp ! --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.11.41 -j d-band --> remove
-A OUTPUT -d 192.168.11.44 -j d-band --> remove
# Once every marked jump is removed, nothing references d-band or u-band.
-A d-band -j ACCEPT
-A u-band -j ACCEPT
COMMIT
# Completed on Thu Sep 27 21:36:16 2007
# Generated by iptables-save v1.3.7 on Thu Sep 27 21:36:16 2007
# mangle table of the second variant; no rule here carries a "remove"
# annotation. It sets the marks that the nat table matches on.
*mangle
:PREROUTING ACCEPT [14057263:1954363993]
:INPUT ACCEPT [15551431:4993650899]
:FORWARD ACCEPT [3361193:946148295]
:OUTPUT ACCEPT [14576749:5952904392]
:POSTROUTING ACCEPT [17892009:6896580346]
:maccheck - [0:0]
# eth1 TCP other than port 53 gets mark 0x1 via maccheck (MARK does not stop
# rule evaluation).
-A PREROUTING -i eth1 -p tcp -m tcp ! --dport 53 -j maccheck
# Anything not marked 0x1 stops here; UDP is never marked, so it always does.
-A PREROUTING -i eth+ -p udp -m mark ! --mark 0x1 -m udp -j ACCEPT
-A PREROUTING -i eth+ -p tcp -m mark ! --mark 0x1 -m tcp -j ACCEPT
# A matching source IP + MAC pair replaces mark 0x1 with a per-client mark.
# NOTE(review): both values come from the client, so a match shows that the
# address pair is registered, not who is using it.
-A PREROUTING -s 192.168.11.44 -i eth+ -m mac --mac-source 00:13:8F:AB:B6:E3 -j MARK --set-mark 0x37
-A PREROUTING -s 192.168.11.41 -i eth+ -m mac --mac-source 00:16:33:45:31:97 -j MARK --set-mark 0x34
-A maccheck -j MARK --set-mark 0x1
COMMIT
# Completed on Thu Sep 27 21:36:16 2007
# Generated by iptables-save v1.3.7 on Thu Sep 27 21:36:16 2007
# nat table of the second variant; no rule here carries a "remove"
# annotation.
*nat
:PREROUTING ACCEPT [101989:6529473]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [99685:6344770]
# Packets still marked 0x1: port 80 goes to local port 80 (presumably the
# login page — confirm) and direct access to port 3128 is dropped.
-A PREROUTING -i eth1 -p tcp -m mark --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -i eth+ -p tcp -m mark --mark 0x1 -m tcp --dport 3128 -j DROP
# Packets with any other mark: port 80 goes to local port 3128.
-A PREROUTING -i eth1 -p tcp -m mark ! --mark 0x1 -m tcp --dport 80 -j REDIRECT --to-ports 3128
# NOTE(review): MASQUERADE without -o applies on every outgoing interface.
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu Sep 27 21:36:16 2007

With this script, browsing the internet works perfectly and is much faster than with the first script.


How can I resolve this for the first script? I need the script to include d-band and u-band (iptables -N).