Ruslan, : Can you help me understand hot to make HTB work with NAT in my situation? You appear to have the right solution in mind. Mark the packets before the address has been altered, and add the filter command to put the packets into your 60Mbit class. : --------------- : | linux | eth0 ------- : | 193.220.70.33 |------|switch |--|cisco|<-->internet : | NAT | --------- : ----------------- | : | : ------------ eth0 | : client1 |------------- : 192.168.1.1 | : ------------- : : Client's(192.168.1.2) default route is to 193.220.70.33 : : On linux server(193.220.70.33) there is rule: : iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to : 193.220.70.33 : : As i understand i can control traffic bandwidth going to client1 and : from client1 on linux server due to one interface on linux server.(maybe : i'm wrong) I noticed your question earlier about using a machine with a single interface as a router. Is that what you are doing here? If so, then you'll want to add one other command, and here's why: - Your linux machine will only shape data it is transmitting. - You are shaping only data transmitted from client1 through the gateway (practically speaking this means you are capping the outbound flow from client1). : /usr/local/iproute2/sbin/tc qdisc add dev eth0 root handle 1: htb : /usr/local/iproute2/sbin/tc class add dev eth0 parent 1:1 classid 1:20 \ : htb rate 32kbit ceil 60Mbit : /usr/local/iproute2/sbin/tc qdisc add dev eth0 parent 1:20 handle 20: sfq : /usr/local/iproute2/sbin/tc filter add dev eth0 parent 1:0 protocol ip \ : handle 1 fw flowid 1:20 Your tc commands look correct. You have an implicit class which will transmit as fast as the hardware allows--that is HTB's default. : /sbin/iptables -t mangle -A POSTROUTING -s 192.168.1.2 -j MARK --set-mark 1 Now, simply add this: /sbin/iptables -t mangle -A POSTROUTING -d 192.168.1.2 -j MARK --set-mark 1 Now, you'll be shaping both upload (from source client1) and download (to destination client1). : Will be packet with src 192.168.1.2 put into classid 1:20, or for that : moment it will be already nated and his source will be 193.220.70.33? The mark will survive while the packet is being handled by the kernel, so even after NAT, the mark will be available. -Martin -- Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx