I have the next config in a firewall:

    [router]
       |
    [Firewall]
    eth0: 200.x.x.x (public address)
    eth1: 192.168.44.1 (private address)
       |
    [LAN] (192.168.44.0/24)

The router has a DS0 with 64kbit connection to internet (yes, that slow) and the firewall makes nat to the private class. I want that port 25 traffic (MTA) always have 4kbps and port 80 traffic, another 4kbps. I made this:

    tc qdisc add dev eth0 root handle 1: htb default 12
    tc class add dev eth0 parent 1: classid 1:1 htb rate 8kbps ceil 8kbps
    tc class add dev eth0 parent 1:1 classid 1:10 htb rate 4kbps ceil 8kbps
    tc class add dev eth0 parent 1:1 classid 1:11 htb rate 4kbps ceil 8kbps
    tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src \
        192.168.44.0/24 match ip dport 25 0xffff flowid 1:10
    tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src \
        192.168.44.0/24 match ip dport 80 0xffff flowid 1:11

But from a machine of the class 192.168.44 (fw as gateway) I made a test to an external http server and had no limit on port 80 traffic.

What can be wrong? Is it necessary to add the same rules with eth1?

Omar
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Omar Armas wrote:
> [router]
>    |
> [Firewall]
> eth0: 200.x.x.x (public address)
> eth1: 192.168.44.1 (private address)
>    |
> [LAN] (192.168.44.0/24)
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src \
>     192.168.44.0/24 match ip dport 25 0xffff flowid 1:10
> tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 match ip src \
>     192.168.44.0/24 match ip dport 80 0xffff flowid 1:11
>
> But from a machine of the class 192.168.44 (fw as gateway) I made a test
> to an external http server and had no limit on port 80 traffic.

The htb qdisc is going to rate limit the traffic _leaving_ the interface. So the rules you've created above will only slow down the HTTP requests to the internet, not the HTTP data downloaded from the external servers.

> Is it necessary to add the same rules with eth1?

I think you should be able to move them all to eth1, and remove them from eth0. You'll also want to change the 'src' to 'dst'.

regards.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email: damion@snapgear.com
SnapGear --- ph: +61 7 3435 2809  | Custom Embedded Solutions
             fax: +61 7 3891 3630 | and Security Appliances
web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- Free Embedded Linux Distro at http://www.snapgear.org ---
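
The move to eth1 suggested in the reply, written out as a script. This is an added example, not part of either message. It assumes the LAN hosts are the clients, and it goes one step beyond the reply by matching sport instead of dport, because packets coming back from a server carry port 25 or 80 as their source port. The variable and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: shape downloads toward the LAN on eth1.
# Dry run by default (prints the commands); run with TC=tc as root to apply.
TC="${TC:-echo tc}"
WAN_IF="${WAN_IF:-eth0}"            # public side, 200.x.x.x in the thread
LAN_IF="${LAN_IF:-eth1}"            # private side, 192.168.44.1
LAN_NET="${LAN_NET:-192.168.44.0/24}"

# One u32 filter: packets to the LAN whose source port is $1 go to class $2.
# Assumption beyond the reply: sport, because download packets come FROM the
# server's port 25/80; dport would only match the outbound requests.
lan_filter() {
    $TC filter add dev "$LAN_IF" protocol ip parent 1:0 prio 1 u32 \
        match ip dst "$LAN_NET" match ip sport "$1" 0xffff flowid "$2"
}

shape_downloads() {
    # Drop the egress tree from the WAN side, as the reply suggests.
    $TC qdisc del dev "$WAN_IF" root 2>/dev/null || true
    # tc reads "kbps" as kilobytes/s, so 8kbps is the whole 64kbit link.
    # No class 1:12 is defined, so unmatched traffic bypasses HTB unshaped.
    $TC qdisc add dev "$LAN_IF" root handle 1: htb default 12
    $TC class add dev "$LAN_IF" parent 1: classid 1:1 htb rate 8kbps ceil 8kbps
    $TC class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate 4kbps ceil 8kbps
    $TC class add dev "$LAN_IF" parent 1:1 classid 1:11 htb rate 4kbps ceil 8kbps
    lan_filter 25 1:10   # mail
    lan_filter 80 1:11   # web
}

shape_downloads
# To verify after applying: tc -s class show dev eth1
# (the counters on 1:11 should rise during an HTTP download from a LAN host)
```
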