Mark packets after NAT

Henrik Nordstrom hno@marasystems.com
Wed, 04 Jul 2001 15:05:56 +0200


Jorge Rocha wrote:

> When I try to run this config, I only get packets going from
> 192.168.99.0/24 marked, but I can't mark packets from the internet to
> 192.168.99.0/24. I think that's happening because the packet travels first
> through the mangle table and then through the nat table. So, my question is: how can I
> mark packets after they travel through the nat table?

I don't think this is possible with the stock iptables, unless you NAT to
another address/port range than non-NAT:ed traffic, allowing you to mark before
the return traffic is de-NAT:ed.

If separating the traffic on the external address(es) is not possible, then
maybe you can use the extended mangle table providing you with more mangle
hooks, or you can for sure use one of the connection mark/tag patches posted
on netfilter-devel to mark sessions (I posted one patch using fwmark-compatible
values, and there is another using textual marks posted not too long ago).

Note: Harald has announced that the connection mark/tag patches will not be
usable in a future iptables release due to a planned change of
mangle/conntrack priorities moving mangle to run before conntrack (and hence
no connection information will be available in mangle).

--
Henrik Nordstrom
MARA Systems
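The "unless" in the reply above, written out as a ruleset: this is an added example, not from the post or the netfilter project. It SNATs the LAN to a dedicated external address and marks replies in mangle PREROUTING by that address, which is matched before the nat table rewrites the destination back to the LAN host. Interface eth0, SNAT address 203.0.113.10 and mark 99 are assumed values; IPT defaults to a dry run that prints the rules.

```shell
#!/bin/sh
# Added example (not the list post's code): mark return traffic for a NATed LAN
# by NATing it to a dedicated external address and matching that address in
# mangle PREROUTING, which runs before the nat table un-NATs the reply.
# Assumed, constructed values: eth0 as the external interface, 203.0.113.10 as
# the dedicated SNAT address, LAN 192.168.99.0/24, fwmark 99.
# IPT defaults to a dry run that only prints the rules; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

nat_mark_rules() {
    ext_if="$1"; snat_addr="$2"; lan="$3"; mark="$4"
    # Outbound: mark LAN traffic in mangle (the part that already worked for
    # the poster), then SNAT it to the dedicated address in nat POSTROUTING.
    $IPT -t mangle -A PREROUTING -s "$lan" -j MARK --set-mark "$mark"
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$lan" -j SNAT --to-source "$snat_addr"
    # Inbound replies arrive addressed to the dedicated address and hit mangle
    # PREROUTING before the nat table rewrites the destination back to the LAN
    # host, so the dedicated address alone identifies them. Sharing one external
    # address with non-NATed traffic would defeat this match.
    $IPT -t mangle -A PREROUTING -i "$ext_if" -d "$snat_addr" -j MARK --set-mark "$mark"
}

# Dry-run helper: how many emitted rules mark inbound reply packets.
count_inbound_mark_rules() {
    nat_mark_rules "$@" | grep -c -- "-t mangle -A PREROUTING -i $1 -d $2 -j MARK"
}

nat_mark_rules eth0 203.0.113.10 192.168.99.0/24 99
```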