Your burst value may be too high. Ideally it should be somewhere between 10k and 100k,
depending on the rate of traffic you want. I'd say try around 15k for 1Mbps of traffic. I
normally reserve the full 100k for more than about 250Mbps of traffic.
However, if your worried about DoS attacks, this will not stop it, as it will only protect
the services on the server from receiving too much traffic. The traffic will have already
reached the server and if it's flooding your port, then this will not help.
It seems that tc is not much good at throttling low values after lots of testing, not to
worry 256kbps is pretty low these days and that works fine.
Do you reduce the burst while you reduce the rate? Having a large burst might cause bad
interference with the TCP congestion algorithm (wild guess).
Do you really need to do that on the ingress? You could also mark packets coming from eth0
and use that as a basis for classifying on the egress discipline of the interface where
10.10.10.10 is to be reached via. That would mean you could do shaping rather than policing.
You may also want to consider IMQ instead. You could also try using just iptables -m limit.