Marking and Mangling for QoS

Joel Newkirk netfilter@newkirk.us
Mon, 25 Nov 2002 08:50:00 -0500


On Monday 25 November 2002 05:24 am, COUSIN Marc wrote:
> Hi,
> I'm having trouble using mangling on NATed packets:

> # For the NAT
> iptables -t nat -A PREROUTING -p tcp --destination-port 8081:8090 -j DNAT
> --to-destination 89.131.0.7:8080
> iptables -t nat -A POSTROUTING -p tcp --destination 89.131.0.7 -j SNAT
> --to-source 89.131.0.58
> # For the marks
> iptables -A PREROUTING -t mangle -p tcp --destination-port 8081 -j MARK
> --set-mark 10
> iptables -A POSTROUTING -t mangle -p tcp --source-port 8081 -j MARK
> --set-mark 11 # Trying to match the return NATed packet
>
>
> The --set-mark 10 works (no surprise, very simple rule in fact)
> the --set-mark 11 doesn't match. It may be normal, as I'm trying to match a
> return packet on a NAT connection. How am I supposed to match the return
> packet in such a situation ?

Try putting it in PREROUTING instead of POSTROUTING.  PREROUTING is for
packets as they enter the firewall, regardless of the direction they are
travelling.  POSTROUTING is just before the packet leaves the firewall.

j
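Added illustration, not code from this thread or from netfilter: a small model of the order in which the kernel runs the hooks on a forwarded connection (connection tracking, then the mangle table, then the nat table, in both PREROUTING and POSTROUTING) that records the header a mangle rule sees at each point for Marc's SYN and for the server's reply. The addresses, ports and NAT rules are the ones from Marc's message; the client address 10.0.0.5, the client port, and the use of 89.131.0.58 as the address the client connects to are assumptions. The per-connection mark that the reply inherits is modelled on the CONNMARK --save-mark / --restore-mark behaviour, which neither message in the thread uses. What the model shows is that the reply still carries the server's source port 8080 in mangle PREROUTING and in mangle POSTROUTING; the DNAT is only reversed in nat POSTROUTING, which runs after mangle POSTROUTING, so a --source-port 8081 match never fires in the mangle table in either hook, and a mark that should follow both directions has to be carried on the conntrack entry instead.

```python
"""Model of what the mangle table sees for a DNATed connection and its reply.

Added illustration for the thread above, not code from the thread or from
netfilter.  Hook order and NAT reversal follow the kernel's forwarding path;
addresses and rules are Marc's, the client address/port are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

CLIENT = "10.0.0.5"        # assumed: host that opens the connection
FIREWALL = "89.131.0.58"   # --to-source of Marc's SNAT rule (assumed to be what the client dials)
SERVER = "89.131.0.7"      # --to-destination of Marc's DNAT rule

Tuple4 = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0

    def tuple4(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Conn:
    """Connection-tracking entry: tuple as first seen, tuple after NAT, and a
    connection mark (assumed, models CONNMARK; not part of the thread)."""
    orig: Tuple4
    natted: Tuple4
    mark: int = 0


def reverse(t: Tuple4) -> Tuple4:
    return (t[2], t[3], t[0], t[1])


def lookup(ct: List[Conn], pkt: Packet) -> Tuple[Conn, bool]:
    """Find or create the entry for this packet; returns (conn, is_reply)."""
    for c in ct:
        if pkt.tuple4() == c.orig:
            return c, False
        if pkt.tuple4() == reverse(c.natted):
            return c, True
    c = Conn(orig=pkt.tuple4(), natted=pkt.tuple4())
    ct.append(c)
    return c, False


def traverse(pkt: Packet, ct: List[Conn]) -> Dict[str, Packet]:
    """Walk one packet through the forwarding path, recording each hook's view."""
    seen: Dict[str, Packet] = {}
    conn, is_reply = lookup(ct, pkt)

    # mangle PREROUTING runs before nat PREROUTING.  The mark is restored from
    # the conntrack entry first (CONNMARK-like, assumed), then Marc's rule.
    pkt = replace(pkt, mark=conn.mark)
    if pkt.mark == 0 and pkt.dport == 8081:          # --dport 8081 -j MARK --set-mark 10
        pkt = replace(pkt, mark=10)
        conn.mark = 10                               # saved on the connection
    seen["mangle PREROUTING"] = pkt

    # nat PREROUTING: DNAT original-direction packets, undo SNAT on replies.
    if not is_reply:
        if 8081 <= pkt.dport <= 8090:                # Marc's DNAT rule
            pkt = replace(pkt, dst=SERVER, dport=8080)
    else:
        pkt = replace(pkt, dst=conn.orig[0], dport=conn.orig[1])
    seen["nat PREROUTING"] = pkt

    # mangle POSTROUTING runs before nat POSTROUTING: the reply's source port
    # is still the server's 8080 here, so Marc's rule cannot match it.
    if pkt.sport == 8081:                            # --sport 8081 -j MARK --set-mark 11
        pkt = replace(pkt, mark=11)
    seen["mangle POSTROUTING"] = pkt

    # nat POSTROUTING: SNAT original-direction packets, undo DNAT on replies.
    if not is_reply:
        if pkt.dst == SERVER:                        # Marc's SNAT rule
            pkt = replace(pkt, src=FIREWALL)
        conn.natted = pkt.tuple4()
    else:
        pkt = replace(pkt, src=conn.orig[2], sport=conn.orig[3])
    seen["nat POSTROUTING"] = pkt
    return seen


def run_exchange(client_port: int = 40000) -> Tuple[Dict[str, Packet], Dict[str, Packet]]:
    """Send the client's SYN and the server's reply through the model."""
    ct: List[Conn] = []
    out = traverse(Packet(CLIENT, client_port, FIREWALL, 8081), ct)
    natted = out["nat POSTROUTING"]
    back = traverse(Packet(natted.dst, natted.dport, natted.src, natted.sport), ct)
    return out, back


if __name__ == "__main__":
    for label, path in zip(("client -> server", "server -> client"), run_exchange()):
        print(label)
        for hook, p in path.items():
            print(f"  {hook:18s} {p.src}:{p.sport} -> {p.dst}:{p.dport}  mark={p.mark}")
```

Run it and the second table shows the reply with source port 8080 at both mangle hooks and only the final nat POSTROUTING line showing 89.131.0.58:8081; the mark 10 on the reply comes from the connection entry, not from either port rule.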