On a router, there is no need for an IMQ because there is always an egress path. For example:

    Internet -> eth1 -> iptables -> routing -> ... -> egress qdisc -> eth0 -> LAN
    LAN -> eth0 -> iptables -> routing -> ... -> egress qdisc -> eth1 -> Internet
    Local Process / Proxy -> routing -> iptables -> egress qdisc -> eth1/eth0 -> LAN/Internet

So, all 'Incoming' shaping would be done at eth0, and all 'Outgoing' shaping would be done at eth1.

The easiest solution, to prevent changing any of your local LAN related traffic shaping rules, would be to use an iptables mark (-j MARK --set-mark) at PREROUTING, OUTPUT, or POSTROUTING to classify, by port, routed traffic from the Internet to the LAN, the LAN to the Internet, or the proxy to the Internet/LAN. Then, add to your qdisc a class with a filter based on the firewall mark. Very easy!

An example 'Outgoing' (LAN/Proxy to Internet):

    # root qdisc; unmarked traffic falls into class 1:2
    tc qdisc add dev eth1 root handle 1: htb default 2
    tc class add dev eth1 parent 1: classid 1:1 htb rate XXX ceil XXX
    # default class
    tc class add dev eth1 parent 1:1 classid 1:2 htb rate XXX ceil XXX
    tc qdisc add dev eth1 parent 1:2 handle 2: sfq perturb 10
    # one class per firewall mark
    tc class add dev eth1 parent 1:1 classid 1:3 htb rate XXX ceil XXX
    tc qdisc add dev eth1 parent 1:3 handle 3: sfq perturb 10
    tc class add dev eth1 parent 1:1 classid 1:4 htb rate XXX ceil XXX
    tc qdisc add dev eth1 parent 1:4 handle 4: sfq perturb 10
    tc class add dev eth1 parent 1:1 classid 1:5 htb rate XXX ceil XXX
    tc qdisc add dev eth1 parent 1:5 handle 5: sfq perturb 10
    # fw filters: mark N -> class
    tc filter add dev eth1 protocol ip parent 1: prio 1 handle 1 fw flowid 1:3
    tc filter add dev eth1 protocol ip parent 1: prio 1 handle 2 fw flowid 1:4
    tc filter add dev eth1 protocol ip parent 1: prio 1 handle 3 fw flowid 1:5

    # MARK is set in the mangle table; routed traffic to the same ports is dropped
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 1
    iptables -A FORWARD -o eth1 -p tcp --dport 25 -j DROP
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 2
    iptables -A FORWARD -o eth1 -p tcp --dport 80 -j DROP
    iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 110 -j MARK --set-mark 3
    iptables -A FORWARD -o eth1 -p tcp --dport 110 -j DROP

So what happens? You have 4 classes, each with their own bandwidth rates and ceilings, sharing when they can. 3 of the 4 classes receive their flows based on destination port; the fourth is the default for all other traffic. iptables marks traffic coming from the proxy destined for the Internet with a 1, 2, or 3 depending on port. iptables drops all related traffic on the FORWARD chain to prevent UNproxied traffic from getting to the Internet.

The 'Incoming' rules shouldn't change much from the outgoing; there should just be another layer of classes to allow for normal, local ethernet traffic to and from the local processes on the server/router, i.e. DHCP, FTP, etc. Local traffic should receive what's left over when you subtract your Internet bandwidth from your interface speed. Again, firewall marking will alleviate the problems associated with classifying local/Internet traffic from tc.

Hope this helped a little!

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
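As an added example (not from the original post or the LARTC project), the same "mark in iptables, classify with a fw filter" scheme written as a small shell script that generates the tc and iptables commands from a port table, so the mapping port -> mark -> class is kept in one place and can be reviewed in dry-run mode before it touches the router. The interface name eth1, the rates, and the ports 25/80/110 are assumed placeholders taken from the post; the -t mangle table for the MARK rules is the safe choice on every kernel.

```shell
#!/bin/sh
# Added example, not from the original post: builds the HTB classes, the fw
# filters and the mangle MARK / FORWARD DROP rules for the proxy-to-Internet
# scheme from a single port table.
# Assumptions: eth1 is the Internet-facing interface, rates are placeholders,
# and 25/80/110 are the ports the proxy handles.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Port table, one entry per line: "port mark classid".
# Mark N is matched by the fw filter and steered into the listed class;
# class 1:2 stays the default for unmarked traffic.
PORTS="25 1 1:3
80 2 1:4
110 3 1:5"

# build_shaper DEV TOTAL_RATE PER_CLASS_RATE
# Emits the root qdisc, the parent class, the default class and one
# class + sfq + fw filter per entry of the port table.
build_shaper() {
    dev=$1; total=$2; per=$3
    run tc qdisc add dev "$dev" root handle 1: htb default 2
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$total" ceil "$total"
    # default class for everything that carries no mark
    run tc class add dev "$dev" parent 1:1 classid 1:2 htb rate "$per" ceil "$total"
    run tc qdisc add dev "$dev" parent 1:2 handle 2: sfq perturb 10
    printf '%s\n' "$PORTS" | while read -r port mark cls; do
        minor=${cls#1:}
        run tc class add dev "$dev" parent 1:1 classid "$cls" htb rate "$per" ceil "$total"
        run tc qdisc add dev "$dev" parent "$cls" handle "$minor": sfq perturb 10
        run tc filter add dev "$dev" protocol ip parent 1: prio 1 handle "$mark" fw flowid "$cls"
    done
}

# build_marks DEV
# Marks locally generated (proxy) traffic per port in the mangle table and
# drops routed LAN traffic to the same ports so it cannot bypass the proxy.
build_marks() {
    dev=$1
    printf '%s\n' "$PORTS" | while read -r port mark cls; do
        run iptables -t mangle -A OUTPUT -o "$dev" -p tcp --dport "$port" -j MARK --set-mark "$mark"
        run iptables -A FORWARD -o "$dev" -p tcp --dport "$port" -j DROP
    done
}

build_shaper eth1 1000kbit 250kbit
build_marks eth1
```

Run it once with the default DRY_RUN=1 and check the printed commands against the post's hand-written list; the same build_shaper function can be called a second time for eth0 to cover the 'Incoming' direction, with the extra local-traffic class the post mentions added by hand.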