# IPTables Regeln (ingress)
for CHAIN in FORWARD INPUT; do
  /sbin/iptables -A $CHAIN -i $DEV -p tcp \
    -m connbytes --connbytes-dir both \
    --connbytes-mode bytes \
    --connbytes 10485760: \
    -m multiport --port www,https,ftp-data\
    -m mark      --mark=20 \
    -m length    --length 500: \
    -j DROP
done