Linux Advanced Routing and Traffic Control list
From: "Kalin Bogatzevski" <kalin@biscom.net>
To: lartc@vger.kernel.org
Subject: [LARTC] mangle table can't mark incoming packets if using SNAT
Date: Fri, 30 Mar 2001 11:39:10 +0000
Message-ID: <marc-lartc-98595247125807@msgid-missing>


Hi,

I have the following situation here with Linux 2.4.2, iptables 1.2.1a+tc.
The box has 2 ethernet interfaces:

eth0 is connected to an adsl link with real ip address (213.174.10.162)
eth1 is connected to the lan with internal addresses (192.168.20.1)

Users behind the eth1 are connected with addresses 192.168.20.0/24 that are
all masqueraded (with SNAT) to the address of eth0.

I am trying to traffic control all incoming and outgoing packets with tc cbq.
If a user on the eth1 LAN is using a real IP address which is not
masqueraded, I have no problem marking packets with the mangle table.
If a user on the eth1 LAN is using the fake address, then I can control the
outgoing packets and they are correctly marked, but all the incoming packets
are not passing through the mangle table PREROUTING chain and are not being
marked at all. So I cannot control the incoming traffic.

Here is a sample of the configuration:

${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -d ! ${INTRANET_REMOTE} -o ${INET_IFACE} -j SNAT --to 213.174.10.162
# MARK DOWNLOAD packets from different IP addresses
echo -n "MARK DOWNLOAD packets"
${IPTABLES} -t mangle -A PREROUTING -d 213.174.10.169/32 -j MARK --set-mark 10169
${IPTABLES} -t mangle -A PREROUTING -s 213.174.10.169/32 -j MARK --set-mark 10169
${IPTABLES} -t mangle -A PREROUTING -d 213.174.10.170/32 -j MARK --set-mark 10170
${IPTABLES} -t mangle -A PREROUTING -s 213.174.10.170/32 -j MARK --set-mark 10170
${IPTABLES} -t mangle -A PREROUTING -d 192.168.20.201/32 -j MARK --set-mark 20201
${IPTABLES} -t mangle -A PREROUTING -s 192.168.20.201/32 -j MARK --set-mark 20201
${IPTABLES} -t mangle -A PREROUTING -d 192.168.20.203/32 -j MARK --set-mark 20203
${IPTABLES} -t mangle -A PREROUTING -s 192.168.20.203/32 -j MARK --set-mark 20203

# iptables -L -t mangle -v -n
Chain PREROUTING (policy ACCEPT 74910 packets, 19572002 bytes)
 pkts bytes target     prot opt in     out     source               destination
10811 3390K MARK       all  --  *      *       0.0.0.0/0            213.174.10.169     MARK set 0x27b9
10225 1255K MARK       all  --  *      *       213.174.10.169       0.0.0.0/0          MARK set 0x27b9
19549 6873K MARK       all  --  *      *       0.0.0.0/0            213.174.10.170     MARK set 0x27ba
16096 1949K MARK       all  --  *      *       213.174.10.170       0.0.0.0/0          MARK set 0x27ba
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.20.201     MARK set 0x4ee9
  453 35261 MARK       all  --  *      *       192.168.20.201       0.0.0.0/0          MARK set 0x4ee9
    0     0 MARK       all  --  *      *       0.0.0.0/0            192.168.20.203     MARK set 0x4eeb
 3836  550K MARK       all  --  *      *       192.168.20.203       0.0.0.0/0          MARK set 0x4eeb

As you can see those marks with destination to 192.168.20.xxx do not show
any packets, so the users are getting uncontrolled traffic.

If anyone has that problem, please let me know.

Thank you,
Kalin Bogatzevski.
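As an added illustration (not from the original post), a small Python model of the netfilter traversal order that produces the zero counters above: mangle PREROUTING runs before the NAT hook reverses the SNAT, so a reply still carries the public address 213.174.10.162 as its destination at that point. The remote host address and the simplified conntrack dict are constructed for the example, and the "after NAT" step assumes a hook that runs once the reply's destination has been translated back (a mangle FORWARD/POSTROUTING chain on kernels that have one, or a tc filter on eth1 egress).

```python
# Added illustration, not code from the original post. Addresses are the
# ones in the post; the remote host and conntrack table are constructed.
from dataclasses import dataclass

PUBLIC_IP = "213.174.10.162"   # eth0 address, SNAT target in the post
LAN_HOST = "192.168.20.201"    # one masqueraded LAN client from the post
MARK = 20201                   # --set-mark value the post uses for that host


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0


def mark_rule(pkt: Packet) -> int:
    """The post's rule pair: -s/-d 192.168.20.201 -j MARK --set-mark 20201."""
    if LAN_HOST in (pkt.src, pkt.dst):
        pkt.mark = MARK
    return pkt.mark


def lan_to_internet(pkt: Packet, conntrack: dict) -> dict:
    """Outbound packet: mangle PREROUTING first, then nat POSTROUTING (SNAT)."""
    marks = {"mangle PREROUTING": mark_rule(pkt)}     # src still private: matches
    conntrack[(PUBLIC_IP, pkt.dst)] = pkt.src           # remember whom to un-SNAT for
    pkt.src = PUBLIC_IP                                 # SNAT --to 213.174.10.162
    return marks


def internet_to_lan(pkt: Packet, conntrack: dict) -> dict:
    """Reply packet: mangle PREROUTING runs BEFORE the NAT hook reverses SNAT."""
    marks = {"mangle PREROUTING": mark_rule(pkt)}     # dst is the public IP: no match
    # The NAT hook at PREROUTING (after mangle) maps the reply back to the LAN host.
    pkt.dst = conntrack.get((pkt.dst, pkt.src), pkt.dst)
    # Anything that runs after this point sees the private destination again.
    marks["after NAT"] = mark_rule(pkt)
    return marks


if __name__ == "__main__":
    ct = {}
    print(lan_to_internet(Packet(LAN_HOST, "198.51.100.7"), ct))
    print(internet_to_lan(Packet("198.51.100.7", PUBLIC_IP), ct))
```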


