Re: [LARTC] Marking packets for shaping

Linux Advanced Routing and Traffic Control

Hi,

I think with the following rules you can get it done:

iptables -t mangle -I PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 192.168.2.1

So each packet going through your router will first be marked if it comes from 192.168.1.0/24 (PREROUTING) and after routing and tc queuing it will be NATed (POSTROUTING).

That works for marking packets going out of your network through your NATing box.

To mark packets coming into your network, since mangle only has PREROUTING and OUTPUT, it could be done with this:

iptables -t mangle -I PREROUTING -d 192.168.2.1/32 -j MARK --set-mark 2

It marks the packets before they are deNATed, but works assuming that no traffic is coming directly to your NAT box, or these will be marked as well.

These examples seemed to work on a test router here (only I marked the TOS instead, so I could watch it with tcpdump: outgoing packets marked with TOS 0x2 and incoming with TOS 0x4):

On client 192.168.1.99 I made a "ping altavista.com -n -c 1". Router is 192.168.2.1 (there is other NAT after it, but it doesn't affect this).

13:40:12.446406 eth1 < 192.168.1.99 > 209.73.180.2: icmp: echo request (DF) [tos 0x2,ECT]  (ttl 64, id 0)
13:40:12.446440 eth0 > 192.168.2.1 > 209.73.180.2: icmp: echo request (DF) [tos 0x2,ECT]  (ttl 63, id 0)

13:40:12.554895 eth0 < 209.73.180.2 > 192.168.1.99: icmp: echo reply [tos 0x4]  (ttl 241, id 56493)
13:40:12.554916 eth1 > 209.73.180.2 > 192.168.1.99: icmp: echo reply [tos 0x4]  (ttl 240, id 56493)

Hope this helps.

Cheers,

Rodrigo

On Wed, May 16, 2001 at 04:32:00PM +0200, Jaco van der Schyff wrote:
> Greetings earthlings,
> 
> I am battling to get NATted packets marked with iptables,
> to shape them later using the fw filter.
> 
> Has anyone tried to mark packets that are masqueraded, or
> to shape masqueraded connections?
> 
> It doesn't seem to work.
> 
> If any knows what to do, please help.
> 
> Regards
> 
> - Jaco van der Schyff
>   jvds@xxxxxxxxxxxxxx
> 
>   +27 12 803 7591  
>   +27 12 803 7285 (f)
>   +27 83 680 4922 (mobile)
> 
> 
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/
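
Rodrigo's answer, carried through to the shaping side as an added example (not code from either post): the mangle marks, the SNAT rule, an HTB tree with an fw filter on each egress interface, and a counter check to confirm the marks are actually being applied. The interface names eth0/eth1, the use of HTB and the rates are assumptions; the addresses and mark values are the ones from the reply.

```shell
#!/bin/sh
# Added example, not from the list post: the mark -> SNAT -> tc fw-filter
# chain from Rodrigo's reply, plus a counter check. Interface names, HTB and
# the rates/handles are assumptions; addresses and marks come from the reply.
LAN_NET=192.168.1.0/24   # internal network (from the reply)
NAT_IP=192.168.2.1       # source address after SNAT (from the reply)
LAN_IF=eth1              # assumption: interface towards 192.168.1.0/24
WAN_IF=eth0              # assumption: interface towards the outside
OUT_MARK=1               # LAN -> outside (from the reply)
IN_MARK=2                # outside -> LAN (from the reply)
# "show" (default) prints each command; "apply" executes it (needs root).
MODE=${1:-show}
run() { if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi; }

# Hook order is the whole trick: mangle PREROUTING runs before routing and
# before tc classifies the packet; nat POSTROUTING runs after both.
mark_rules() {
    run iptables -t mangle -I PREROUTING -s "$LAN_NET" -j MARK --set-mark "$OUT_MARK"
    run iptables -t nat -I POSTROUTING -s "$LAN_NET" -j SNAT --to-source "$NAT_IP"
    # Replies arrive still addressed to NAT_IP (not yet de-NATed), so match
    # the destination. Caveat from the reply: packets for the router itself
    # match too, so this only works if nothing talks to NAT_IP directly.
    run iptables -t mangle -I PREROUTING -d "$NAT_IP/32" -j MARK --set-mark "$IN_MARK"
}
# One HTB tree per egress interface; the fw filter selects the class by
# mark. Rates are placeholders for a 1 Mbit link.
shape_dev() {  # $1 = device, $2 = root handle, $3 = mark to steer into :10
    run tc qdisc add dev "$1" root handle "$2:" htb default 20
    run tc class add dev "$1" parent "$2:" classid "$2:1" htb rate 1mbit
    run tc class add dev "$1" parent "$2:1" classid "$2:10" htb rate 256kbit ceil 1mbit
    run tc class add dev "$1" parent "$2:1" classid "$2:20" htb rate 768kbit ceil 1mbit
    run tc filter add dev "$1" parent "$2:" protocol ip handle "$3" fw flowid "$2:10"
}
shape_rules() {
    shape_dev "$WAN_IF" 1 "$OUT_MARK"   # LAN -> outside leaves via WAN_IF
    shape_dev "$LAN_IF" 2 "$IN_MARK"    # outside -> LAN leaves via LAN_IF
}
# Check: MARK rule counters and class statistics must grow while a LAN host
# sends traffic; zeros mean the mark was never set or never matched.
check_marks() {
    run iptables -t mangle -L PREROUTING -v -n
    run tc -s class show dev "$WAN_IF"
}

case "$MODE" in
    show|apply) mark_rules; shape_rules ;;
    check) MODE=apply; check_marks ;;
    *) echo "usage: $0 [show|apply|check]" >&2; exit 1 ;;
esac
```

Run it with no argument to review the generated rules, `apply` as root to install them, and `check` afterwards to see whether the MARK counters move while a LAN host is sending.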