A Linux gateway has two interfaces: eth0, with a routable address on an ISP's network, and eth1, which is 10.0.0.1 on a private network. There are several hosts connected to eth1, and these are allowed to send packets out of eth0 only after they log in via a form at http://10.0.0.1. Once a host logs out, the gateway should no longer route packets for it. Each host also has a specific bandwidth allocation.

I configured the gateway as follows (and it works fine):

iptables -t nat -A POSTROUTING -s 10/8 -o eth0 -j SNAT --to ...

## Per-user rules, created upon login and deleted upon logout.
#
# One class per interface. N is some arbitrary number.
tc class add dev eth1 parent 1: classid 1:N htb rate ... ceil ...
tc class add dev eth0 parent 1: classid 1:N htb rate ... ceil ...

# Mark traffic from host A.B.C.D with a unique mark 0xABCD.
iptables -t mangle -I PREROUTING 1 -i eth1 -s A.B.C.D -j MARK --set-mark 0xABCD
iptables -t mangle -I PREROUTING 2 -i eth1 -s A.B.C.D -j RETURN

# Classify outgoing traffic by mark; incoming by private destination.
tc filter add dev eth0 parent 1: protocol ip handle 0xABCD fw classid 1:N
tc filter add dev eth1 parent 1: protocol ip u32 match ip dst A.B.C.D flowid 1:N

My problem is with efficiently discarding all unmarked traffic. I am now doing this as follows:

# This goes after all the per-user "good mark" rules:
iptables -t mangle -A PREROUTING -j MARK --set-mark 0xfffffff

# And this throws away "bad mark" packets.
tc filter add dev eth0 parent 1: protocol ip handle 0xfffffff fw \
    police mpu 0 mtu 1 action drop/drop

This works fine, but I'd love to hear any suggestions about how to do it in a better way. (I tried a few other approaches, such as having a rule in filter/FORWARD that ACCEPTed only "-m mark \! --mark 0" packets, but that and similar solutions that are O(1) in the number of hosts did not work as I expected, due to the persistence of conntrack entries.)

Questions, comments, and suggestions are welcome.
-- 
ams

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
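The login/logout rule set described in the post, turned into a small helper script. This is an added example written for this page, not code from the original poster or from the LARTC HOWTO. It makes several assumptions of its own: the hosts sit in 10.0.0.0/16 behind eth1, 10.0.0.1 is the gateway itself, the HTB root qdiscs "1:" already exist on eth0 and eth1, and both the per-host mark and the class id are derived from the last two octets of the address (standing in for the post's "0xABCD" and "N" placeholders). Unlike the post's commands, every tc filter is given an explicit prio so that logout can delete it again; the catch-all "bad mark" filter sits at prio 1, which no host can claim because 10.0.0.1 is refused. With DRY_RUN=1 (the default) the commands are printed instead of executed, so the script can be tried without root, iptables or tc.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: hosts in 10.0.0.0/16
# on eth1, 10.0.0.1 is the gateway, HTB root qdisc "1:" present on eth0/eth1.
# DRY_RUN=1 prints the iptables/tc commands instead of running them.

DRY_RUN=${DRY_RUN:-1}
BAD_MARK=0xfffffff     # mark given to everything no logged-in host claimed

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# host_id 10.0.5.7 -> 0507: hex of the last two octets. It serves as the fw
# mark (0x0507), the class id (1:0507) and, in decimal, the filter prio (1287).
# 10.0.0.0 (network) and 10.0.0.1 (gateway) are refused, so prio 1 is free
# for the catch-all filter.
host_id() {
    ip=$1
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    ok=0
    if [ $# -eq 4 ] && [ "$1" = 10 ] && [ "$2" = 0 ]; then
        ok=1
        for o in "$3" "$4"; do
            case $o in ''|*[!0-9]*) ok=0 ;; *) [ "$o" -le 255 ] || ok=0 ;; esac
        done
        if [ "$3" = 0 ] && [ "$4" -le 1 ] 2>/dev/null; then ok=0; fi
    fi
    if [ $ok -ne 1 ]; then
        echo "host_id: $ip is not a host address in 10.0.0.0/16" >&2
        return 1
    fi
    printf '%02x%02x' "$3" "$4"
}

# login IP RATE CEIL: create the per-user class, mark and filter rules.
login() {
    ip=$1; rate=$2; ceil=$3
    id=$(host_id "$ip") || return 1
    mark=0x$id; prio=$((0x$id))
    # One class per interface, same minor id on both.
    run tc class add dev eth1 parent 1: classid "1:$id" htb rate "$rate" ceil "$ceil"
    run tc class add dev eth0 parent 1: classid "1:$id" htb rate "$rate" ceil "$ceil"
    # Mark this host's traffic, then RETURN so the catch-all MARK at the end
    # of PREROUTING never overwrites it.
    run iptables -t mangle -I PREROUTING 1 -i eth1 -s "$ip" -j MARK --set-mark "$mark"
    run iptables -t mangle -I PREROUTING 2 -i eth1 -s "$ip" -j RETURN
    # Outgoing traffic classified by fw mark, incoming by private destination.
    run tc filter add dev eth0 parent 1: protocol ip prio "$prio" handle "$mark" fw classid "1:$id"
    run tc filter add dev eth1 parent 1: protocol ip prio "$prio" u32 match ip dst "$ip" flowid "1:$id"
}

# logout IP: remove everything login added, in reverse order.
logout() {
    ip=$1
    id=$(host_id "$ip") || return 1
    mark=0x$id; prio=$((0x$id))
    run iptables -t mangle -D PREROUTING -i eth1 -s "$ip" -j RETURN
    run iptables -t mangle -D PREROUTING -i eth1 -s "$ip" -j MARK --set-mark "$mark"
    # Deleting by prio removes this host's filters without knowing the
    # kernel-assigned u32 handle.
    run tc filter del dev eth0 parent 1: protocol ip prio "$prio"
    run tc filter del dev eth1 parent 1: protocol ip prio "$prio"
    run tc class del dev eth0 parent 1: classid "1:$id"
    run tc class del dev eth1 parent 1: classid "1:$id"
}

# install_catchall: the "bad mark" rule and the policer that drops it. Run
# once, after login rules are inserted at the head of PREROUTING.
install_catchall() {
    run iptables -t mangle -A PREROUTING -j MARK --set-mark "$BAD_MARK"
    run tc filter add dev eth0 parent 1: protocol ip prio 1 handle "$BAD_MARK" fw \
        police mpu 0 mtu 1 action drop/drop
}

case ${1:-} in
    '')     ;;                      # sourced: only define the functions
    login)  shift; login "$@" ;;
    logout) shift; logout "$@" ;;
    init)   install_catchall ;;
    *)      echo "usage: $0 init | login IP RATE CEIL | logout IP" >&2; exit 2 ;;
esac
```

Usage: `sh portal.sh login 10.0.5.7 512kbit 1mbit` prints the six commands for that host; `DRY_RUN=0` executes them. The RETURN after each MARK is what keeps the per-host rules O(1) per packet for logged-in hosts while still letting the trailing catch-all MARK tag everyone else.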