Happy New Year. Finally got my fw and tc rules down pat for the bridge, now interested in introducing a third nic to have nat on the box as well. Does anyone have a idea of a good place to start reading up on the subject, mainly interested in how to setup the flow direction to start with as to get a overall understanding of the flow, found that help best. Internet --- eth0 --- eth1 --- bridge(eth0/eth1) Now trying... Internet --- eth0 --- eth1 --- bridge (eth0/eth1) |----- eth2 --- nat (eth0/eth2) Would this be how it is done (started at least ;) )? Please advise? # create the required tables and route traffic to them /sbin/iptables -t mangle -N server-all /sbin/iptables -t mangle -N server-all-chains /sbin/iptables -t mangle -N server-prerouting /sbin/iptables -t mangle -A PREROUTING -j server-prerouting /sbin/iptables -t mangle -A server-prerouting -j CONNMARK --restore-mark # bridge traffic - input (eth0 -> eth1) /sbin/tc qdisc add dev eth1 handle 1: root htb default 1 /sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth0 --physdev-out eth1-j protocop-all /sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0 physdev-out eth1 -j server-all-chains /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit /sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 # bridge traffic - output (eth1 -> eth0) /sbin/tc qdisc add dev eth0 handle 1: root htb default 1 /sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth1 --physdev-out eth0-j protocop-all /sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1 --physdev-out eth0 -j server-all-chains /sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit /sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 # nat traffic - input (eth0 -> eth2) /sbin/tc qdisc add dev eth1 handle 1: root htb default 1 /sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth0 --physdev-out eth2-j protocop-all /sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth0 physdev-out eth2 -j server-all-chains /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit /sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 # nat traffic - output (eth0 -> eth2) /sbin/tc qdisc add dev eth0 handle 1: root htb default 1 /sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth2 --physdev-out eth0-j protocop-all /sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2 --physdev-out eth0 -j server-all-chains /sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit /sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 # nat traffic - input (eth2 -> eth1) /sbin/tc qdisc add dev eth1 handle 1: root htb default 1 /sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth1 --physdev-out eth2-j protocop-all /sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth1 physdev-out eth2 -j server-all-chains /sbin/tc class add dev eth1 parent 1: classid 1:1 htb rate 3000Kbit /sbin/tc filter add dev eth1 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 # nat traffic - output (eth1 -> eth2) /sbin/tc qdisc add dev eth0 handle 1: root htb default 1 /sbin/iptables -t mangle -A server-prerouting -m physdev --physdev-in eth2 --physdev-out eth1-j protocop-all /sbin/iptables -t mangle -A POSTROUTING -m physdev --physdev-in eth2 --physdev-out eth1 -j server-all-chains /sbin/tc class add dev eth0 parent 1: classid 1:1 htb rate 3000Kbit /sbin/tc filter add dev eth0 parent 1:0 protocol all u32 match u32 0 0 classid 1:1 Then simply create the rules for all the classids? And have a fallback for each classid. Kind Regards William _______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc