Hi All,

I also posted this in alt.comp.networking.firewalls but as it sees few
posts I thought I would ask here also.

I'm looking for some advice on something I'm trying to implement on a
network gateway.

There is one machine whose bandwidth I would like to throttle. I
have marked all traffic from that IP address using iptables and I can
see the packets being marked.

The tc rules should allow any traffic a maximum transfer rate of
500kbit/s unless it comes from the marked traffic, which should be
limited to 25kbit/s. The rules below work in a sense!

I can adjust the speed at which any traffic can browse by altering the classid
1:10 row (altering 500 to 100 for example). So the limiting does work,
but only for all clients. It doesn't appear to pick up on the marked

I'd be really grateful if someone is able to shed some light on this for me.



iptables -t mangle -F PREROUTING

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -p tcp -s -j MARK --set-mark 0x29
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark

tc qdisc del dev eth0 root
tc qdisc add dev eth0 root handle 1: htb default 10
tc class add dev eth0 parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 500kbit ceil 500kbit prio 0
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 25kbit ceil 25kbit prio 1
tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:20 handle 20: sfq perturb 10
tc filter add dev eth0 parent 1: protocol ip handle 0x29 fw classid 1:20
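An added example, not the poster's own script: the same rules with the interface and the throttled host's address as parameters, plus a small check that parses the output of "tc -s class show" so you can see whether marked traffic actually lands in class 1:20 or is falling through to the default 1:10. The interface name, the host address and the sample tc output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's own script): the rules from the post with the
# interface and the throttled host's address as parameters, plus a check that
# parses "tc -s class show" to tell whether marked traffic lands in class 1:20.
# Both values passed to apply_shaping are assumptions; it needs root.
# Caveat: an HTB root qdisc shapes only packets leaving $iface, so to limit the
# host's downloads $iface must be the LAN-facing side; replies to the host get
# the 0x29 mark back through the CONNMARK restore rule.
apply_shaping() {
    iface="$1"; host="$2"; mark=0x29
    iptables -t mangle -F PREROUTING
    iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    iptables -t mangle -A PREROUTING -p tcp -s "$host" -j MARK --set-mark "$mark"
    iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
    tc qdisc del dev "$iface" root 2>/dev/null
    tc qdisc add dev "$iface" root handle 1: htb default 10
    tc class add dev "$iface" parent 1: classid 1:1 htb rate 512kbit ceil 512kbit
    tc class add dev "$iface" parent 1:1 classid 1:10 htb rate 500kbit ceil 500kbit prio 0
    tc class add dev "$iface" parent 1:1 classid 1:20 htb rate 25kbit ceil 25kbit prio 1
    tc qdisc add dev "$iface" parent 1:10 handle 10: sfq perturb 10
    tc qdisc add dev "$iface" parent 1:20 handle 20: sfq perturb 10
    tc filter add dev "$iface" parent 1: protocol ip handle "$mark" fw classid 1:20
}

# class_sent CLASSID  (reads "tc -s class show dev IFACE" on stdin)
# Prints the "Sent" byte counter of that class, or nothing if the class is absent.
class_sent() {
    awk -v want="$1" '
        /^class htb/              { cur = $3 }
        /^ *Sent / && cur == want { print $2; exit }'
}

# Constructed sample of "tc -s class show dev eth0" (not real captured output):
# traffic is flowing, but all of it sits in the default class 1:10 and none in
# 1:20, which is the symptom described in the post.
SAMPLE_TC_OUTPUT='class htb 1:1 root rate 512Kbit ceil 512Kbit burst 1600b cburst 1600b
 Sent 184320 bytes 160 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 500Kbit ceil 500Kbit burst 1600b cburst 1600b
 Sent 184320 bytes 160 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:20 parent 1:1 leaf 20: prio 1 rate 25Kbit ceil 25Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0'

# On the gateway you would run: tc -s class show dev eth0 | class_sent 1:20
printf '%s\n' "$SAMPLE_TC_OUTPUT" | class_sent 1:20   # prints 0 for the sample
```

If 1:20 stays at 0 bytes while 1:10 grows during a transfer from the throttled host, the packets are not carrying the mark when they reach the egress filter, which narrows the problem to the mangle rules or to shaping the wrong interface.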