Guys,

Maybe one of you can enlighten me on the following problem:

I've got a firewall which is NAT-ing 10.10.0.0/16 to the outer world.

    eth0=62.108.12.226
    eth1=10.10.100.1

For one IP, 10.10.100.212, I would like to limit the bandwidth to 80 Kbit on the firewall, using iproute (tc) and iptables.

This can probably be done in different ways: with fwmark and by source address. I've tried them all, without success so far. It seems to neglect the rules. :((

The last thing I tried is:

    iptables -A FORWARD -t mangle -s 10.10.100.212 -d ! 10.10.0.0/16 -j MARK --set-mark 1
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

    tc qdisc add dev eth1 root handle 10: cbq bandwidth 100Mbit avpkt 1000
    tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 80Kbit allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
    tc filter add dev eth1 parent 10:0 protocol ip prio 50 handle 1 fw flowid 10:1

I think it goes wrong somewhere in the NAT-ing process. tc probably doesn't understand it the way I configured it. (In the last option, I already tried to switch eth1 to eth0, but that doesn't work, and shouldn't work I think.)

If I use tc on 10.10.100.212 itself, it works fine by the way, so I solved it like that for now. To limit to 80 Kbit I use:

    tc qdisc add dev eth0 root handle 10: cbq bandwidth 100Mbit avpkt 1200
    tc class add dev eth0 parent 10:0 classid 10:1 cbq bandwidth 100Mbit rate 80Kbit allot 1514 weight 8Kbit prio 5 maxburst 20 avpkt 1000 bounded
    tc filter add dev eth0 parent 10:0 protocol ip prio 50 u32 match ip src 10.10.100.212 flowid 10:1

Does anyone know how I can configure this on the firewall? I would prefer a solution based on source address instead of fwmark, but if that isn't possible, using fwmark is no problem for me.

Thanks in advance!

adios,
Marc
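Added example, not part of Marc's post: a simplified Python model of the order in which a forwarded packet passes nat PREROUTING, the routing decision, mangle FORWARD, nat POSTROUTING and then the egress qdisc on the firewall, showing what each kind of tc filter from the post would see on eth0 and eth1. The remote host 192.0.2.10 and all function names are constructed for illustration, and the model assumes the filter table accepts the traffic (the post shows no ACCEPT rules).

```python
# Simplified model (an assumption, not kernel code) of the netfilter/tc order
# for a packet forwarded through the firewall described in the post.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("10.10.0.0/16")
CLIENT = ip_address("10.10.100.212")
FW_WAN = ip_address("62.108.12.226")   # eth0 address from the post
REMOTE = ip_address("192.0.2.10")      # constructed outside host

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    mark: int = 0

def forward(pkt):
    """Return (egress device, packet as the tc filter on that device sees it)."""
    # nat/PREROUTING: connection tracking translates a reply sent to the
    # firewall's WAN address back to the masqueraded client.
    if pkt.dst == FW_WAN:
        pkt = replace(pkt, dst=CLIENT)
    # Routing decision: LAN destinations leave on eth1, everything else on eth0.
    dev = "eth1" if pkt.dst in LAN else "eth0"
    # mangle/FORWARD rule from the post: -s 10.10.100.212 -d ! 10.10.0.0/16
    if pkt.src == CLIENT and pkt.dst not in LAN:
        pkt = replace(pkt, mark=1)
    # nat/POSTROUTING: -o eth0 -j MASQUERADE rewrites the source address.
    if dev == "eth0":
        pkt = replace(pkt, src=FW_WAN)
    # The egress qdisc and its filters only run after this point.
    return dev, pkt

def fw_match(pkt, handle=1):
    return pkt.mark == handle           # tc filter ... handle 1 fw

def u32_src_match(pkt, addr=CLIENT):
    return pkt.src == addr              # tc filter ... u32 match ip src <addr>

def u32_dst_match(pkt, addr=CLIENT):
    return pkt.dst == addr              # tc filter ... u32 match ip dst <addr>

# Constructed sample traffic: one packet from the client, one reply to it.
UPLOAD = forward(Packet(src=CLIENT, dst=REMOTE))
DOWNLOAD = forward(Packet(src=REMOTE, dst=FW_WAN))
```

In the model, packets from 10.10.100.212 leave on eth0 carrying mark 1 but with a masqueraded source address, while eth1 only carries the replies, which are unmarked and addressed to 10.10.100.212.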