Re: SNAT, packet mangling and QoS Problem

On Sunday 05 January 2003 01:37 pm, Jean-Francois Nadeau wrote:
> Hi,
>
> Let's say you have a proxy behind a firewall on your LAN.
> You use SNAT or MASQUERADING to give Internet access to your proxy.
> You also want to do some QoS (CBQ + U32) to shape traffic coming from
> the net to the proxy.
>
> The goal is to mark a packet returning from an external host to the
> proxy.
>
> The OUTPUT chain can not be used to mangle packets as they were not
> generated locally.
> The FORWARD and POSTROUTING chains can't be used with the mangle table.
> The PREROUTING chain offers no match as the packet is targeted at the
> SNAT IP.
>
> The problem is: I can not mark a packet in order to match a shaping
> class.
>
> Does anyone have an idea how to do the trick?
>
> Any reason why the FORWARD chain can't be used with the mangle table?

It CAN.  The mangle table has PREROUTING, FORWARD, POSTROUTING, INPUT and 
OUTPUT chains available, at least since v1.2.5, possibly earlier.  See 
http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html 
. For 'returning' traffic from external host to proxy something like 
this might work:

# -i is only accepted in PREROUTING, INPUT and FORWARD (iptables rejects it in
# POSTROUTING), so the rule goes in the mangle FORWARD chain
iptables -t mangle -A FORWARD -m state --state ESTABLISHED   \
-d $PROXYIP -i $EXTIF -p tcp --sport 80 -j MARK --set-mark 2

where PROXYIP and EXTIF are self-explanatory.  I used ESTABLISHED since 
you specified "returning" in your scenario above.  If that's not what 
you really want, just drop the state match and run with the rest.  I 
used '--sport 80' presuming that by 'returning' traffic you intend to 
catch replies from external web servers, but of course any match would 
be usable here, dport, sport, etc.

j
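As an added worked example (my own, not code from j or from anyone else in this thread), here is the whole setup end to end: the MASQUERADE rule for the proxy, the mangle-table mark on the returning HTTP replies, and the CBQ classes on the proxy-facing interface with a `fw` filter that maps the mark to a class. The interface names eth0/eth1, the proxy address 192.168.1.10 and the rates are assumptions; the mark value 2 and the ESTABLISHED/--sport 80 match are the ones from the reply. The script only prints the commands it would run unless invoked as `./shape.sh apply` (as root).

```sh
#!/bin/sh
# Added example, not from the original thread: mark HTTP replies returning
# to a masqueraded proxy and shape them with CBQ on the LAN-side interface.
# Interface names, the proxy address and the rates are assumptions; adjust them.
# Without the argument "apply" the script only prints the commands it would run.
set -eu

EXTIF=${EXTIF:-eth0}                  # assumed: Internet-facing interface
LANIF=${LANIF:-eth1}                  # assumed: interface toward the proxy
PROXYIP=${PROXYIP:-192.168.1.10}      # assumed proxy address
MARK=2                                # fwmark used in the reply above
DRYRUN=1

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Outbound: masquerade the proxy behind the firewall's external address.
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$PROXYIP" -j MASQUERADE
}

# Inbound replies: conntrack reverses the SNAT in PREROUTING before routing,
# so by the time a packet reaches mangle FORWARD its destination is already
# the proxy's real address and -d "$PROXYIP" matches.  (In mangle PREROUTING
# it would still carry the firewall's external address.)  -i is not accepted
# in POSTROUTING, which is why the rule lives in FORWARD.
setup_mark() {
    run iptables -t mangle -A FORWARD -i "$EXTIF" -d "$PROXYIP" \
        -m state --state ESTABLISHED -p tcp --sport 80 \
        -j MARK --set-mark "$MARK"
}

# Shaping acts on egress, so the qdisc goes on the interface that faces the
# proxy.  The fw classifier maps fwmark $MARK to class 1:10; everything else
# falls through to 1:20 via a catch-all u32 match.
setup_shaping() {
    run tc qdisc add dev "$LANIF" root handle 1: cbq avpkt 1000 bandwidth 100mbit
    run tc class add dev "$LANIF" parent 1: classid 1:1 cbq bandwidth 100mbit \
        rate 100mbit allot 1514 prio 8 avpkt 1000 bounded
    run tc class add dev "$LANIF" parent 1:1 classid 1:10 cbq bandwidth 100mbit \
        rate 2mbit allot 1514 prio 5 avpkt 1000 bounded      # marked HTTP replies
    run tc class add dev "$LANIF" parent 1:1 classid 1:20 cbq bandwidth 100mbit \
        rate 98mbit allot 1514 prio 7 avpkt 1000            # everything else
    run tc filter add dev "$LANIF" parent 1: protocol ip prio 1 \
        handle "$MARK" fw classid 1:10
    run tc filter add dev "$LANIF" parent 1: protocol ip prio 2 \
        u32 match u32 0 0 classid 1:20
}

main() {
    if [ "${1:-}" = apply ]; then
        DRYRUN=0
    fi
    setup_nat
    setup_mark
    setup_shaping
}

main "$@"
```

After applying it, `iptables -t mangle -L FORWARD -v` and `tc -s class show dev eth1` should both show packet counters rising on the mark rule and on class 1:10 while the proxy fetches something from the outside; if the tc counters stay at zero while the iptables counters climb, the qdisc is on the wrong interface.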



