From: Rodrigo Goya <rgoya@linuxcenter.com.mx>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Marking packets for shaping
Date: Thu, 17 May 2001 20:04:41 +0000 [thread overview]
Message-ID: <marc-lartc-99012986030378@msgid-missing> (raw)
In-Reply-To: <marc-lartc-99002340108447@msgid-missing>
Hi,
I think with the following rules you can get it done:
iptables -t mangle -I PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1
So each packet going through your router will first be marked if it comes from 192.168.1.0/24 (PREROUTING) and after routing and tc queuing it will be NATed (POSTROUTING).
That works for marking packets going out of your network through your NATing box.
To mark packets coming into your network, since mangle only has PREROUTING and OUTPUT, it could be done with this:
iptables -t mangle -I PREROUTING -d 192.168.2.1/32 -j MARK --set-mark 2
It marks the packets before they are deNATed, but works assuming that no traffic is coming directly to your NAT box, or these will be marked as well.
These examples seemed to work on a test router here (only I used marking TOS so I could watch it with tcpdump, outgoing packets marked with TOS 0x2 and incoming with TOS 0x4):
On client 192.168.1.99 I made a "ping altavista.com -n -c 1". Router is 192.168.2.1 (there is another NAT after it, but it doesn't affect this).
13:40:12.446406 eth1 < 192.168.1.99 > 209.73.180.2: icmp: echo request (DF) [tos 0x2,ECT] (ttl 64, id 0)
13:40:12.446440 eth0 > 192.168.2.1 > 209.73.180.2: icmp: echo request (DF) [tos 0x2,ECT] (ttl 63, id 0)
13:40:12.554895 eth0 < 209.73.180.2 > 192.168.1.99: icmp: echo reply [tos 0x4] (ttl 241, id 56493)
13:40:12.554916 eth1 > 209.73.180.2 > 192.168.1.99: icmp: echo reply [tos 0x4] (ttl 240, id 56493)
Hope this helps.
Cheers,
Rodrigo
On Wed, May 16, 2001 at 04:32:00PM +0200, Jaco van der Schyff wrote:
> Greetings earthlings,
>
> I am battling to get NATted packets marked with iptables,
> to shape them later using the fw filter.
>
> Has anyone tried to mark packets that are masqueraded, or
> to shape masqueraded connections?
>
> It doesn't seem to work.
>
> If any knows what to do, please help.
>
> Regards
>
> - Jaco van der Schyff
> jvds@netgroup.co.za
>
> +27 12 803 7591
> +27 12 803 7285 (f)
> +27 83 680 4922 (mobile)
>
> f6e2eb48937f22e159a408c84533cdcb
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
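The point of Rodrigo's reply is hook order: mangle PREROUTING runs before the nat table in PREROUTING (so an inbound reply is still addressed to 192.168.2.1 when it is marked) and before nat POSTROUTING (so an outbound packet is marked while it still carries its 192.168.1.x source). The model below is an added example, not part of the original message or of any LARTC code. It replays that hook sequence in plain Python on constructed packets matching the tcpdump above, and also shows the caveat he mentions: a packet sent directly to the router's own address picks up the inbound mark too. Assumptions: the inbound rule is modeled as matching destination 192.168.2.1 (what a reply carries before de-NAT); the tc class ids 1:10 and 1:20 are made up; connection tracking is reduced to a remote-address-to-client map with no ports.

```python
"""Replay of the netfilter hook order behind the two iptables MARK rules.

Constructed example; it does not call iptables or tc. Hook order modeled:
  mangle/PREROUTING -> nat/PREROUTING (de-NAT replies) -> routing + tc
  -> nat/POSTROUTING (SNAT). This is the order the reply relies on.
"""
import ipaddress
from dataclasses import dataclass, field

LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # clients behind the NAT box
NAT_ADDR = ipaddress.ip_address("192.168.2.1")     # router's outside address
MARK_OUT, MARK_IN = 1, 2                           # --set-mark 1 / --set-mark 2
# Assumed 'tc filter ... handle <mark> fw classid <class>' mapping; 1:1 is the
# assumed default class for unmarked traffic.
FW_FILTER = {MARK_OUT: "1:10", MARK_IN: "1:20"}


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    mark: int = 0
    trace: list = field(default_factory=list)


def packet(src, dst):
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def mangle_prerouting(pkt):
    """Both MARK rules: runs before any NAT, so it sees pre-NAT addresses."""
    if pkt.src in LAN_NET:          # -s 192.168.1.0/24 -j MARK --set-mark 1
        pkt.mark = MARK_OUT
    elif pkt.dst == NAT_ADDR:       # -d 192.168.2.1/32 -j MARK --set-mark 2
        pkt.mark = MARK_IN
    pkt.trace.append(f"mangle/PREROUTING: mark={pkt.mark}")


def nat_prerouting(pkt, conntrack):
    """Reverse translation for replies to an existing SNAT entry (simplified)."""
    client = conntrack.get(pkt.src)
    if pkt.dst == NAT_ADDR and client is not None:
        pkt.dst = client
        pkt.trace.append(f"nat/PREROUTING: de-NAT dst -> {client}")


def tc_classify(pkt):
    """The fw filter on the egress qdisc classifies purely on the fwmark."""
    classid = FW_FILTER.get(pkt.mark, "1:1")
    pkt.trace.append(f"tc fw filter: mark {pkt.mark} -> class {classid}")
    return classid


def nat_postrouting(pkt, conntrack):
    """-t nat POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1"""
    if pkt.src in LAN_NET:
        conntrack[pkt.dst] = pkt.src      # remember who talked to this remote
        pkt.src = NAT_ADDR
        pkt.trace.append(f"nat/POSTROUTING: SNAT src -> {NAT_ADDR}")


def forward(pkt, conntrack):
    """Walk one forwarded packet through the hooks; returns its tc class."""
    mangle_prerouting(pkt)
    nat_prerouting(pkt, conntrack)
    classid = tc_classify(pkt)
    nat_postrouting(pkt, conntrack)
    return classid


def run_ping_exchange():
    """Replays the ping request/reply from the tcpdump, plus the caveat case.

    Returns {name: (tc class, address after NAT, fwmark)}.
    """
    conntrack = {}
    req = packet("192.168.1.99", "209.73.180.2")   # as seen on eth1, pre-SNAT
    rep = packet("209.73.180.2", "192.168.2.1")    # as seen on eth0, pre-de-NAT
    direct = packet("203.0.113.5", "192.168.2.1")  # constructed: host talking to the router itself
    return {
        "request": (forward(req, conntrack), str(req.src), req.mark),
        "reply": (forward(rep, conntrack), str(rep.dst), rep.mark),
        "to_router": (forward(direct, conntrack), str(direct.dst), direct.mark),
    }


if __name__ == "__main__":
    for name, result in run_ping_exchange().items():
        print(name, result)
```

The "to_router" entry is the caveat from the message: because the inbound rule can only key on the NAT address before de-NAT, a connection made to the router itself lands in the same shaping class as LAN replies. If that matters, the usual fix is to narrow the inbound match (e.g. by interface or port) or keep router-bound services on a separate address.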