* SNAT and marked packets
@ 2004-06-08 22:52 Martin Treusch von Buttlar
From: Martin Treusch von Buttlar @ 2004-06-08 22:52 UTC (permalink / raw)
To: netfilter
Hi,
I'd like to use two different source addresses depending on marks set
beforehand. Currently I use the following rules to mark the requested
packets:
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 0x8
iptables -t mangle -A PREROUTING -p ah -j MARK --set-mark 0x8
and later on I try to do SNAT with
iptables -t nat -A POSTROUTING -o ppp0 -s 10.14.0.0/16 -m mark --mark 0x8 -j SNAT --to-source IP1
iptables -t nat -A POSTROUTING -o ppp0 -s 10.14.0.0/16 -j SNAT --to-source IP2
but the third rule is never touched. Every packet is natted with the
last rule. My goal is to let marked packets be natted over IP1 and
other packets be natted over IP2.
Packet marking works, though, as I use a rule like this to do some
further filtering:
iptables -t mangle -A PREROUTING -d \! 10.0.0.0/8 -m mark --mark 0x8 -j trusted-mangle
The counter for this rule is incremented as expected.
I am using debian sarge; Linux kernel 2.6.4 from the official debian
repositories. To help further I have attached a slightly edited version
of my iptables-save (intentional holes have been pruned :)
Thanks in advance
Martin
PS: Please cc me, as I am not subscribed to netfilter@
[-- Attachment #2: iptables-save --]
# Generated by iptables-save v1.2.9 on Wed Jun 9 00:44:05 2004
*mangle
:PREROUTING ACCEPT [1314947:446138319]
:INPUT ACCEPT [369454:53258434]
:FORWARD ACCEPT [945437:392876043]
:OUTPUT ACCEPT [75339:32309551]
:POSTROUTING ACCEPT [1014311:438493194]
:trusted-mangle - [0:0]
-A PREROUTING -p icmp -j MARK --set-mark 0x1
-A PREROUTING -p icmp -j RETURN
-A PREROUTING -i eth0 -j MARK --set-mark 0x8
-A PREROUTING -i eth0 -j RETURN
-A PREROUTING -p esp -j MARK --set-mark 0x8
-A PREROUTING -p esp -j RETURN
-A PREROUTING -p ah -j MARK --set-mark 0x8
-A PREROUTING -p ah -j RETURN
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x8 -j trusted-mangle
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x8 -j RETURN
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x1 -j RETURN
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x2 -j RETURN
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -i eth1 -j MARK --set-mark 0x4
-A trusted-mangle -p tcp -m tos --tos Minimize-Delay -j MARK --set-mark 0x1
-A trusted-mangle -p tcp -m tos --tos Minimize-Delay -j RETURN
-A trusted-mangle -j MARK --set-mark 0x2
COMMIT
# Completed on Wed Jun 9 00:44:05 2004
# Generated by iptables-save v1.2.9 on Wed Jun 9 00:44:05 2004
*nat
:PREROUTING ACCEPT [11314:986997]
:POSTROUTING ACCEPT [15170:969752]
:OUTPUT ACCEPT [16320:1141367]
-A POSTROUTING -s 10.14.1.0/255.255.255.0 -o ippp+ -j MASQUERADE
-A POSTROUTING -s 10.14.2.0/255.255.255.0 -o ippp+ -j MASQUERADE
-A POSTROUTING -s 10.14.1.0/255.255.255.0 -o isdn+ -j MASQUERADE
-A POSTROUTING -s 10.14.0.0/255.255.0.0 -o ppp0 -m mark --mark 0x8 -j SNAT --to-source 213.240.181.33
-A POSTROUTING -s 10.14.0.0/255.255.0.0 -o ppp0 -j SNAT --to-source 82.139.200.196
-A POSTROUTING -s 10.14.0.0/255.255.0.0 -o ppp+ -j MASQUERADE
COMMIT
# Completed on Wed Jun 9 00:44:05 2004
# Generated by iptables-save v1.2.9 on Wed Jun 9 00:44:05 2004
*filter
:INPUT DROP [692:122913]
:FORWARD DROP [2789:439294]
:OUTPUT DROP [0:0]
:input-wlan - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -m udp --dport 61000:65095 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth2 -j ACCEPT
-A INPUT -i eth1 -j input-wlan
-A INPUT -s 10.13.0.0/255.255.0.0 -i isdn0 -j ACCEPT
-A INPUT -d 213.240.181.33 -p udp -m udp --sport 53 --dport 53 -j ACCEPT
-A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT "
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -d 127.0.0.0/255.0.0.0 -j ACCEPT
-A FORWARD -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A FORWARD -s 10.14.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A FORWARD -s 10.14.2.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -s 172.16.0.0/255.255.0.0 -i eth2 -j ACCEPT
-A FORWARD -s 10.13.0.0/255.255.0.0 -i isdn0 -j ACCEPT
-A FORWARD -d 10.14.1.0/255.255.255.0 -i ppp0 -j ACCEPT
-A FORWARD -d 10.14.2.0/255.255.255.0 -i ppp0 -j ACCEPT
-A FORWARD -s 213.240.181.33 -i ppp0 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD "
-A OUTPUT -d 10.14.2.0/255.255.255.0 -o eth1 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.14.1.0/255.255.255.0 -o eth0 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.14.1.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 10.14.2.0/255.255.255.0 -o eth1 -j ACCEPT
-A OUTPUT -d 172.16.0.0/255.255.0.0 -o eth2 -j ACCEPT
-A OUTPUT -d 10.13.0.0/255.255.0.0 -o isdn0 -j ACCEPT
-A OUTPUT -s 213.240.181.33 -o ppp0 -j ACCEPT
-A OUTPUT -s 10.14.1.1 -o ppp0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT "
-A input-wlan -s 10.14.2.0/255.255.255.0 -d 10.14.2.1 -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p icmp -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -d 10.14.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -d 10.14.2.1 -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A input-wlan -m mark --mark 0x8 -j ACCEPT
-A input-wlan -j LOG --log-prefix "INPUT-WLAN "
-A input-wlan -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Jun 9 00:44:05 2004
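As an added illustration (not part of the post or of netfilter itself), a small Python model of how the posted mangle PREROUTING and nat POSTROUTING rules interact with connection tracking: the nat table is consulted only for the first packet of a flow and conntrack replays that mapping afterwards, so nat rule counters count flows while the mangle counter cited in the post counts packets. IP1/IP2 and the traffic are constructed placeholders; a packet with iif None stands for one the router originates itself, which never traverses PREROUTING and so never receives the 0x8 mark.

```python
from ipaddress import ip_address, ip_network

IP1, IP2 = "IP1", "IP2"   # placeholders for the two public addresses in the post
INSIDE = ip_network("10.14.0.0/16")

def mangle_prerouting(p):
    """Reduced model of the posted mangle PREROUTING chain; returns the mark.
    Packets the router originates itself (iif None) never traverse it."""
    if p["iif"] is None:
        return 0
    if p["proto"] == "icmp":
        return 0x1
    if p["iif"] == "eth0" or p["proto"] in ("esp", "ah"):
        return 0x8
    if p["iif"] == "eth1" and ip_address(p["dst"]) not in ip_network("10.0.0.0/8"):
        return 0x4
    return 0

def nat_postrouting(p, mark):
    """The two ppp0 SNAT rules in the posted order: (rule index, new source)."""
    if ip_address(p["src"]) in INSIDE and p["oif"] == "ppp0":
        return (0, IP1) if mark == 0x8 else (1, IP2)
    return (None, p["src"])

def run(packets):
    """mangle -> conntrack -> nat.  The nat table is consulted only for the first
    packet of a flow; conntrack replays that mapping for every later packet, so
    nat rule counters count flows while mangle counters count packets."""
    flows, hits, out = {}, [0, 0], []
    for p in packets:
        mark = mangle_prerouting(p)
        key = (p["src"], p["dst"], p["proto"])
        if key not in flows:                    # NEW flow: nat rules decide
            rule, src = nat_postrouting(p, mark)
            if rule is not None:
                hits[rule] += 1
            flows[key] = src
        out.append((mark, flows[key]))          # later packets reuse the mapping
    return out, hits

def pkt(src, dst, proto, iif, oif="ppp0"):
    return {"src": src, "dst": dst, "proto": proto, "iif": iif, "oif": oif}

SAMPLE = [  # constructed traffic; 198.51.100.9 is a documentation address
    pkt("10.14.1.5", "198.51.100.9", "esp", "eth0"),  # forwarded IPsec, 2 pkts
    pkt("10.14.1.5", "198.51.100.9", "esp", "eth0"),
    pkt("10.14.2.7", "198.51.100.9", "tcp", "eth1"),  # plain wlan client, 2 pkts
    pkt("10.14.2.7", "198.51.100.9", "tcp", "eth1"),
    pkt("10.14.1.1", "198.51.100.9", "esp", None),    # ESP the router itself sends
]
```

Running `run(SAMPLE)` yields one hit on the mark-based SNAT rule for the forwarded ESP flow and two on the catch-all rule, with the router's own ESP landing on IP2 because no mark was ever set on it.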