hi,

> For a packet coming in (existing MASQUERADED connection):
> -- External Network --
> PREROUTING (mangle)
> << Because the nat table has been consulted when the connection is
> established it is not checked again, however the packet is automagically
> deMASQUERADED at this point>>
> FORWARD (filter)
> -- Internal Network --
>

I tried these commands to see how things work on MASQUERADED packets:

    iptables -t mangle -A PREROUTING -i eth0 -s 202.x.x.x/26 -d 10.0.0.0/8 -j MARK --set-mark 94
    iptables -t mangle -A PREROUTING -i eth4 -s 10.0.0.0/8 -s 202.x.x.x/26 -j MARK --set-mark 90

iptables -nvL PREROUTING -t mangle does NOT show any packets passing marked 94, while for mark 90 it's OK! I tried this even with FORWARD & OUTPUT and with the bandwidth (iproute) commands. Packets going to destination 10.0.0.0 do pass through FORWARD & OUTPUT, hence are definitely being marked, but I am not able to do any traffic control on them (tc -s class ls dev eth0 ... & eth4 doesn't show any packets passing)!

So I thought I might be unable to do it because of private IPs & MASQUERADING, so I tried handling the dial-up IPs from the RAS (203.x.x.128/25) on eth3. The results were the same! However, for our office network behind eth1 I'm able to mark packets & control bandwidth accordingly. The office network is 203.x.x.x/25 & eth1 has IP 203.x.x.1/26.

By showing the results for our office's marked packets I was able to make the case for using iptables/iproute on a Linux box instead of buying a layer 3-4 switch, but now I am stuck on how to make it work for the other IP blocks & hence convince management once again!

I'm using RH7.2 with kernel 2.4.18-pre9, iptables 1.2.5 & iproute 0801.

I will really really really be thankful for your help!

Thanking in advance,
A.H
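
The traversal order quoted in the message above, as a small model added here (not part of the original post and not netfilter code): it shows which addresses a reply to a masqueraded connection carries at mangle PREROUTING versus FORWARD, and where a rule shaped like the mark-94 rule can match. All addresses are constructed documentation-range values standing in for the elided ones, and the interface match (-i) is left out of the model.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not values from the post.
GATEWAY_EXT = "203.0.113.1"    # address the gateway masquerades as
INTERNAL_HOST = "10.1.2.3"     # real client behind the gateway
REMOTE = "198.51.100.7"        # stand-in for a host in the elided source block

# Shape of the poster's mark-94 rule; the source block is a constructed stand-in.
RULE_94 = {"src": "198.51.100.0/26", "dst": "10.0.0.0/8"}


def reply_traversal(src, dst_on_wire, original_client):
    """Return (hook, src, dst) tuples for a reply to a masqueraded connection.

    Follows the quoted order: mangle PREROUTING sees the packet as it arrived
    on the wire, then the tracked connection rewrites the destination back to
    the internal client, then filter FORWARD sees the rewritten packet.
    """
    return [
        ("mangle/PREROUTING", src, dst_on_wire),
        ("filter/FORWARD", src, original_client),
    ]


def matches(rule, src, dst):
    """True when src and dst both fall inside the rule's -s and -d networks."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]))


def hooks_where_rule_matches(rule, path):
    """List the hooks at which the rule would match the packet."""
    return [hook for hook, src, dst in path if matches(rule, src, dst)]


def demo():
    path = reply_traversal(REMOTE, GATEWAY_EXT, INTERNAL_HOST)
    return hooks_where_rule_matches(RULE_94, path)


if __name__ == "__main__":
    for hook, src, dst in reply_traversal(REMOTE, GATEWAY_EXT, INTERNAL_HOST):
        print(f"{hook:18} src={src:14} dst={dst}")
    print("mark-94 style rule matches at:", demo())
```

On a live system the per-rule packet counters from iptables -nvL for each table and chain show the same thing without a model.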