From: Dragoº Cintezã
Date: Sat, 04 Oct 2003 15:31:05 +0000
Subject: [LARTC] Client firewall screwing up bandwidth shaping
To: lartc@vger.kernel.org

Hi

Here's the deal: I have a LAN behind a Linux box. The Linux box acts as a NAT for all the hosts behind it.

I'm classifying my hosts with iptables:

  /sbin/iptables -t mangle -A INPUT --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
  ...
  /sbin/iptables -t mangle -A INPUT --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
  /sbin/iptables -t mangle -A OUTPUT --out-interface $GREEN_DEV -d 192.168.1.1 -j MARK --set-mark 1
  ...
  /sbin/iptables -t mangle -A OUTPUT --out-interface $GREEN_DEV -d 192.168.1.7 -j MARK --set-mark 7
  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.1 -j MARK --set-mark 1
  ...
  /sbin/iptables -t mangle -A PREROUTING --in-interface $GREEN_DEV -s 192.168.1.7 -j MARK --set-mark 7
  /sbin/iptables -t mangle -A POSTROUTING --out-interface $GREEN_DEV -d 192.168.1.1 -j MARK --set-mark 1
  ...
  /sbin/iptables -t mangle -A POSTROUTING --out-interface $GREEN_DEV -d 192.168.1.7 -j MARK --set-mark 7

Then I want to give everybody a rate of 18kbit:

  # clean existing down- and uplink qdiscs, hide errors
  tc qdisc del dev eth1 root 2> /dev/null > /dev/null
  tc qdisc del dev eth0 root 2> /dev/null > /dev/null
  tc qdisc add dev eth1 root handle 10: htb
  tc class add dev eth1 parent 10: classid 10:10 htb rate 125kbit ceil 128kbit burst 4k
  tc class add dev eth1 parent 10:10 classid 10:1 htb rate 18kbit ceil 128kbit prio 2 burst 4k
  tc qdisc add dev eth1 parent 10:1 handle 1: sfq perturb 10
  tc filter add dev eth1 parent 10: protocol ip handle 1 fw classid 10:1
  tc filter add dev eth1 parent 10: protocol ip prio 2 u32 match ip src 192.168.1.1 flowid 10:1
  tc filter add dev eth1 parent 10: protocol ip prio 3 u32 match ip dst 192.168.1.1 flowid 10:1
  ...

With hosts 2 to 7 it works fine, while the bandwidth of host 1 is not shaped at all (all packets go to the default root qdisc).

192.168.1 is running Win XP and the Zone Alarm firewall. Most of the hosts are running WinXP with no problem.

My question: can it be that the packets are not being identified correctly because of the ZA firewall on host 1?

I had problems before with host 1, which blocked some ports with ZA, and as a result the workgroup froze while it was online. That problem was fixed anyway.

Now please don't ask me to disable the ZA firewall, because I have no access to host 1.

And another thing: iptraf correctly shows that traffic is made from host 1, and its rate.

Thanks

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
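An added example, not from the original post: the same mark-to-class scheme written as a loop over all seven hosts (the post shows only host 1 and elides the rest), with a counter check that tells whether a given host's packets actually land in its class. It assumes $GREEN_DEV is eth1, the 192.168.1.1-192.168.1.7 addresses, mark i mapped to class 10:i, and sfq handles 101:, 102:, ... instead of the post's 1: (so they cannot collide with the 10: root); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: per-host HTB shaping keyed on iptables fw marks, hosts 1..HOSTS.
# Assumptions (not from the post): LAN side is $GREEN_DEV (eth1), hosts are
# 192.168.1.1-192.168.1.7, mark i <-> class 10:i. DRY_RUN=1 prints instead of executing.
GREEN_DEV=${GREEN_DEV:-eth1}
NET=192.168.1
HOSTS=${HOSTS:-7}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mark packets to and from host $1 with mark $1 (same four mangle chains as the post).
mark_host() {
    h=$1
    run /sbin/iptables -t mangle -A INPUT --in-interface "$GREEN_DEV" -s "$NET.$h" -j MARK --set-mark "$h"
    run /sbin/iptables -t mangle -A PREROUTING --in-interface "$GREEN_DEV" -s "$NET.$h" -j MARK --set-mark "$h"
    # Downlink to the host leaves on $GREEN_DEV; the egress fw filter there reads this mark.
    run /sbin/iptables -t mangle -A OUTPUT --out-interface "$GREEN_DEV" -d "$NET.$h" -j MARK --set-mark "$h"
    run /sbin/iptables -t mangle -A POSTROUTING --out-interface "$GREEN_DEV" -d "$NET.$h" -j MARK --set-mark "$h"
}

# One 18kbit HTB leaf per host under 10:10, its own sfq, and an fw filter on mark $1.
shape_host() {
    h=$1
    run tc class add dev "$GREEN_DEV" parent 10:10 classid "10:$h" htb rate 18kbit ceil 128kbit prio 2 burst 4k
    # sfq handle 101:, 102:, ... so it never collides with the 10: root handle
    run tc qdisc add dev "$GREEN_DEV" parent "10:$h" handle "$(( 100 + h )):" sfq perturb 10
    run tc filter add dev "$GREEN_DEV" parent 10: protocol ip prio 1 handle "$h" fw classid "10:$h"
}

setup() {
    run tc qdisc del dev "$GREEN_DEV" root 2>/dev/null
    run tc qdisc add dev "$GREEN_DEV" root handle 10: htb
    run tc class add dev "$GREEN_DEV" parent 10: classid 10:10 htb rate 125kbit ceil 128kbit burst 4k
    i=1
    while [ "$i" -le "$HOSTS" ]; do mark_host "$i"; shape_host "$i"; i=$(( i + 1 )); done
}

# Check: per-class packet counters show whether host i's traffic really lands in 10:i,
# and the mangle counters show whether the MARK rules for that host match at all.
show_counters() {
    run tc -s class show dev "$GREEN_DEV"
    run /sbin/iptables -t mangle -L POSTROUTING -v -n
}
```

Run `setup` as root, generate some traffic from the host in question, then compare `show_counters` output: a class with zero packets next to a MARK rule with nonzero counters points at the filter side, while zero on both points at the mark never being set.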