Hi,

I have the following situation here with Linux 2.4.2, iptables 1.2.1a + tc.

The box has 2 ethernet interfaces:
eth0 is connected to an adsl link with real ip address (213.174.10.162)
eth1 is connected to the lan with internal addresses (192.168.20.1)
Users behind eth1 are connected with addresses 192.168.20.0/24 that are all masqueraded (with SNAT) to the address of eth0.

I am trying to traffic control all incoming and outgoing packets with tc cbq.

If a user in the eth1 lan is using a real IP address which is not masqueraded, I have no problem marking packets with the mangle table.
If a user in the eth1 lan is using the fake address then I can control the outgoing packets and they are correctly marked, but all the incoming packets are not passing the mangle table PREROUTING and not being marked at all. So I cannot control the incoming traffic.

Here is a sample of the configuration:
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -d ! ${INTRANET_REMOTE} -o ${INET_IFACE} -j SNAT --to 213.174.10.162

# MARK DOWNLOAD packets from different IP addresses
echo -n "MARK DOWNLOAD packets"
${IPTABLES} -t mangle -A PREROUTING -d 213.174.10.169/32 -j MARK --set-mark 10169
${IPTABLES} -t mangle -A PREROUTING -s 213.174.10.169/32 -j MARK --set-mark 10169
${IPTABLES} -t mangle -A PREROUTING -d 213.174.10.170/32 -j MARK --set-mark 10170
${IPTABLES} -t mangle -A PREROUTING -s 213.174.10.170/32 -j MARK --set-mark 10170
${IPTABLES} -t mangle -A PREROUTING -d 192.168.20.201/32 -j MARK --set-mark 20201
${IPTABLES} -t mangle -A PREROUTING -s 192.168.20.201/32 -j MARK --set-mark 20201
${IPTABLES} -t mangle -A PREROUTING -d 192.168.20.203/32 -j MARK --set-mark 20203
${IPTABLES} -t mangle -A PREROUTING -s 192.168.20.203/32 -j MARK --set-mark 20203

# iptables -L -t mangle -v -n
Chain PREROUTING (policy ACCEPT 74910 packets, 19572002 bytes)
pkts bytes target prot opt in out source destination
10811 3390K MARK all -- * * 0.0.0.0/0 213.174.10.169 MARK set 0x27b9
10225 1255K MARK all -- * * 213.174.10.169 0.0.0.0/0 MARK set 0x27b9
19549 6873K MARK all -- * * 0.0.0.0/0 213.174.10.170 MARK set 0x27ba
16096 1949K MARK all -- * * 213.174.10.170 0.0.0.0/0 MARK set 0x27ba
0 0 MARK all -- * * 0.0.0.0/0 192.168.20.201 MARK set 0x4ee9
453 35261 MARK all -- * * 192.168.20.201 0.0.0.0/0 MARK set 0x4ee9
0 0 MARK all -- * * 0.0.0.0/0 192.168.20.203 MARK set 0x4eeb
3836 550K MARK all -- * * 192.168.20.203 0.0.0.0/0 MARK set 0x4eeb
As you can see, those marks with destination 192.168.20.xxx do not show any packets, so the users are getting uncontrolled traffic.

If anyone has had that problem, please let me know.

Thank you,
Kalin Bogatzevski.
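Added example, not part of Kalin's post: a small sh script that reads an "iptables -L -t mangle -v -n" listing (the one above, embedded as a constructed sample), flags PREROUTING MARK rules that match a destination in the SNATed LAN yet have matched zero packets, and prints an equivalent tc u32 classifier for the LAN-side interface instead. It relies on the 2.4 hook order (mangle PREROUTING runs before the nat hook that restores the private destination on replies); LAN_PREFIX, LAN_IFACE and the class-id mapping are assumptions.

```shell
# Added example, not from the original post. Replies to SNATed hosts reach the
# mangle PREROUTING hook before the nat hook rewrites their destination back to
# the private address, so a rule matching "-d 192.168.20.x" there never fires.
# This flags such rules in an "iptables -L -t mangle -v -n" listing and prints
# a tc u32 classifier for LAN-side egress, where the private address is visible.
LAN_PREFIX="192.168.20."   # the SNATed LAN from the post
LAN_IFACE="eth1"           # assumed name of the LAN-side interface

# Constructed sample: the PREROUTING listing from the post (one copy).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 74910 packets, 19572002 bytes)
pkts bytes target prot opt in out source destination
10811 3390K MARK all -- * * 0.0.0.0/0 213.174.10.169 MARK set 0x27b9
10225 1255K MARK all -- * * 213.174.10.169 0.0.0.0/0 MARK set 0x27b9
19549 6873K MARK all -- * * 0.0.0.0/0 213.174.10.170 MARK set 0x27ba
16096 1949K MARK all -- * * 213.174.10.170 0.0.0.0/0 MARK set 0x27ba
0 0 MARK all -- * * 0.0.0.0/0 192.168.20.201 MARK set 0x4ee9
453 35261 MARK all -- * * 192.168.20.201 0.0.0.0/0 MARK set 0x4ee9
0 0 MARK all -- * * 0.0.0.0/0 192.168.20.203 MARK set 0x4eeb
3836 550K MARK all -- * * 192.168.20.203 0.0.0.0/0 MARK set 0x4eeb'

# Read a listing on stdin; print "<dst> <mark>" (mark in decimal, as set in the
# script) for each MARK rule whose destination is inside the LAN prefix and
# whose packet counter is still zero.
dead_lan_dst_rules() {
    awk -v pfx="$1" '$3 == "MARK" && $1 == 0 && index($9, pfx) == 1 { print $9, $NF }' |
    while read -r dst mark; do
        printf '%s %s\n' "$dst" "$((mark))"   # 0x4ee9 -> 20201
    done
}

# Number of such never-matching rules.
dead_lan_dst_count() {
    dead_lan_dst_rules "$1" | wc -l | tr -d ' '
}

# tc classifier on LAN egress for one host ($1) into class $2: by the time the
# reply is queued on eth1 its destination is already the private address.
lan_egress_filter() {
    printf 'tc filter add dev %s parent 1: protocol ip prio 1 u32 match ip dst %s/32 flowid %s\n' \
        "$LAN_IFACE" "$1" "$2"
}

printf '%s\n' "$SAMPLE_LISTING" | dead_lan_dst_rules "$LAN_PREFIX" |
while read -r dst mark; do
    echo "# PREROUTING mark $mark for -d $dst matched 0 packets; classify on $LAN_IFACE instead:"
    lan_egress_filter "$dst" "1:$((mark % 1000))"   # 20201 -> class 1:201 (assumed class scheme)
done
```

Run it against a live box by replacing the sample with `iptables -L -t mangle -v -n | dead_lan_dst_rules "$LAN_PREFIX"`; the printed tc lines assume a cbq root qdisc with handle 1: already installed on eth1.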