Good day all! I've been somewhat successful with shaping traffic coming in to my LAN's clients, but am having a bit of difficulty shaping those same clients outbound traffic. I'm using a Linux 2.4.20 multi-homed (eth0 and eth1) firewall with IPTables. Looking at the example given at http://lartc.org/howto/lartc.qdisc.filters.html#LARTC.FILTERING.SIMPLE, specifically: --- On fwmark You can mark packets with either ipchains or iptables and have that mark survive routing across interfaces. This is really useful to for example only shape traffic on eth1 that came in on eth0. Syntax: # tc filter add dev eth1 protocol ip parent 1:0 prio 1 handle 6 fw flowid 1:1 Note that this is not a u32 match! You can place a mark like this: # iptables -A PREROUTING -t mangle -i eth0 -j MARK --set-mark 6 The number 6 is arbitrary. If you don't want to understand the full tc filter syntax, just use iptables, and only learn to select on fwmark. --- I've used this to place a restriction on my workstation for testing and then tried uploading a file via ftp. My upload (60KB/s) is exceeding the restriction (1kbps, ceil 3kbps) I've placed. Are my marks not surviving the traverse across the firewall, or am I doing something wrong? Probably the latter. Attached is my script. If it's horrible please forgive my newbie-ness, if it's great forget that previous statement!! ;P Mike Fetherston # eth0 - outside NIC # eth1 - inside NIC tc qdisc del dev eth0 root handle 1: tc qdisc del dev eth1 root handle 1: #### START INBOUND TRAFFIC SECTION #### tc qdisc add dev eth1 root handle 1: htb default 12 tc class add dev eth1 parent 1: classid 1:1 htb rate 1600kbps ceil 5000kbps tc class add dev eth1 parent 1:1 classid 1:10 htb rate 1000kbps ceil 2000kbps tc class add dev eth1 parent 1:1 classid 1:11 htb rate 750kbps ceil 2000kbps tc class add dev eth1 parent 1:1 classid 1:12 htb rate 20kbps ceil 40kbps for IP in $STAFF; do tc filter add dev eth1 protocol ip parent 1:0 prio 1 u32 match ip dst $IP flowid 1:10 iptables -t mangle -A PREROUTING -i eth1 -s $IP --j MARK --set-mark 3 done for IP in $MKTG $HRSC $ADMIN $IT $ACCT; do tc filter add dev eth1 protocol ip parent 1:0 prio 2 u32 match ip dst $IP flowid 1:11 iptables -t mangle -A PREROUTING -i eth1 -s $IP --j MARK --set-mark 4 done #### END INBOUND TRAFFIC SECTION #### #### START OUTBOUND TRAFFIC SECTION #### iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.10 --sport 80 --j MARK --set-mark 1 iptables -t mangle -A PREROUTING -p tcp -s ! 192.168.0.10 --sport ! 80 --j MARK --set-mark 2 tc qdisc add dev eth0 root handle 1: htb default 11 tc class add dev eth0 parent 1: classid 1:1 htb rate 500kbps tc class add dev eth0 parent 1:1 classid 1:10 htb rate 400kbps ceil 500kbps tc class add dev eth0 parent 1:1 classid 1:11 htb rate 100kbps ceil 250kbps tc class add dev eth0 parent 1:1 classid 1:13 htb rate 1kbps ceil 3kbps tc class add dev eth0 parent 1:1 classid 1:14 htb rate 100kbps ceil 400kbps # Section below takes fw marks from loops above and filters are applied here. tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 1 fw flowid 1:10 tc filter add dev eth0 parent 1:0 protocol ip prio 1 handle 2 fw flowid 1:11 tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 3 fw flowid 1:13 tc filter add dev eth0 parent 1:0 protocol ip prio 2 handle 4 fw flowid 1:14 #### END OUTBOUND TRAFFIC SECTION #### #end of file
