SNAT and marked packets


Hi,

I'd like to use two different source addresses depending on marks set
beforehand. Currently I use the following rules to mark the requested
packets:
  iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 0x8
  iptables -t mangle -A PREROUTING -p ah -j MARK --set-mark 0x8
and later on I try to do SNAT with
  iptables -t nat -A POSTROUTING -o ppp0 -s 10.14.0.0/16 -m mark --mark 0x8 -j SNAT --to-source IP1
  iptables -t nat -A POSTROUTING -o ppp0 -s 10.14.0.0/16 -j SNAT --to-source IP2
but the third rule is never touched. Every packet is natted with the
last rule. My goal is to let marked packets be natted over IP1 and
other packets be natted over IP2.

Packet marking works, though, as I use a rule like this to do some
further filtering:
  iptables -t mangle -A PREROUTING -d \! 10.0.0.0/8 -m mark --mark 0x8 -j trusted-mangle
The counter for this rule is incremented as expected.

I am using debian sarge; Linux kernel 2.6.4 from the official debian
repositories. To help further I have attached a slightly edited version
of my iptables-save (intentional holes have been pruned :)

Thanks in advance

Martin

PS: Please cc me, as I am not subscribed to netfilter@

# Generated by iptables-save v1.2.9 on Wed Jun  9 00:44:05 2004
*mangle
:PREROUTING ACCEPT [1314947:446138319]
:INPUT ACCEPT [369454:53258434]
:FORWARD ACCEPT [945437:392876043]
:OUTPUT ACCEPT [75339:32309551]
:POSTROUTING ACCEPT [1014311:438493194]
:trusted-mangle - [0:0]
-A PREROUTING -p icmp -j MARK --set-mark 0x1 
-A PREROUTING -p icmp -j RETURN 
-A PREROUTING -i eth0 -j MARK --set-mark 0x8 
-A PREROUTING -i eth0 -j RETURN 
-A PREROUTING -p esp -j MARK --set-mark 0x8 
-A PREROUTING -p esp -j RETURN 
-A PREROUTING -p ah -j MARK --set-mark 0x8 
-A PREROUTING -p ah -j RETURN 
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x8 -j trusted-mangle 
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x8 -j RETURN 
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x1 -j RETURN 
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -m mark --mark 0x2 -j RETURN 
-A PREROUTING -d ! 10.0.0.0/255.0.0.0 -i eth1 -j MARK --set-mark 0x4 
-A trusted-mangle -p tcp -m tos --tos Minimize-Delay -j MARK --set-mark 0x1 
-A trusted-mangle -p tcp -m tos --tos Minimize-Delay -j RETURN 
-A trusted-mangle -j MARK --set-mark 0x2 
COMMIT
# Completed on Wed Jun  9 00:44:05 2004
# Generated by iptables-save v1.2.9 on Wed Jun  9 00:44:05 2004
*nat
:PREROUTING ACCEPT [11314:986997]
:POSTROUTING ACCEPT [15170:969752]
:OUTPUT ACCEPT [16320:1141367]
-A POSTROUTING -s 10.14.1.0/255.255.255.0 -o ippp+ -j MASQUERADE 
-A POSTROUTING -s 10.14.2.0/255.255.255.0 -o ippp+ -j MASQUERADE 
-A POSTROUTING -s 10.14.1.0/255.255.255.0 -o isdn+ -j MASQUERADE 
-A POSTROUTING -s 10.14.0.0/255.255.0.0 -o ppp0 -m mark --mark 0x8 -j SNAT --to-source 213.240.181.33 
-A POSTROUTING -s 10.14.0.0/255.255.0.0 -o ppp0 -j SNAT --to-source 82.139.200.196 
-A POSTROUTING -s 10.14.0.0/255.255.0.0 -o ppp+ -j MASQUERADE 
COMMIT
# Completed on Wed Jun  9 00:44:05 2004
# Generated by iptables-save v1.2.9 on Wed Jun  9 00:44:05 2004
*filter
:INPUT DROP [692:122913]
:FORWARD DROP [2789:439294]
:OUTPUT DROP [0:0]
:input-wlan - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p udp -m state --state ESTABLISHED -m udp --dport 61000:65095 -j ACCEPT 
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT 
-A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT 
-A INPUT -d 255.255.255.255 -i eth2 -j ACCEPT 
-A INPUT -i eth1 -j input-wlan 
-A INPUT -s 10.13.0.0/255.255.0.0 -i isdn0 -j ACCEPT 
-A INPUT -d 213.240.181.33 -p udp -m udp --sport 53 --dport 53 -j ACCEPT 
-A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A INPUT -j LOG --log-prefix "INPUT " 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -i ppp0 -m state --state ESTABLISHED -j ACCEPT 
-A FORWARD -d 127.0.0.0/255.0.0.0 -j ACCEPT 
-A FORWARD -s 127.0.0.0/255.0.0.0 -j ACCEPT 
-A FORWARD -s 10.14.1.0/255.255.255.0 -i eth0 -j ACCEPT 
-A FORWARD -s 10.14.2.0/255.255.255.0 -i eth1 -j ACCEPT 
-A FORWARD -s 172.16.0.0/255.255.0.0 -i eth2 -j ACCEPT 
-A FORWARD -s 10.13.0.0/255.255.0.0 -i isdn0 -j ACCEPT 
-A FORWARD -d 10.14.1.0/255.255.255.0 -i ppp0 -j ACCEPT 
-A FORWARD -d 10.14.2.0/255.255.255.0 -i ppp0 -j ACCEPT 
-A FORWARD -s 213.240.181.33 -i ppp0 -j ACCEPT 
-A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A FORWARD -p icmp -m icmp --icmp-type 5 -j ACCEPT 
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A FORWARD -j LOG --log-prefix "FORWARD " 
-A OUTPUT -d 10.14.2.0/255.255.255.0 -o eth1 -m state --state ESTABLISHED -j ACCEPT 
-A OUTPUT -d 10.14.1.0/255.255.255.0 -o eth0 -m state --state ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -d 10.14.1.0/255.255.255.0 -o eth0 -j ACCEPT 
-A OUTPUT -d 10.14.2.0/255.255.255.0 -o eth1 -j ACCEPT 
-A OUTPUT -d 172.16.0.0/255.255.0.0 -o eth2 -j ACCEPT 
-A OUTPUT -d 10.13.0.0/255.255.0.0 -o isdn0 -j ACCEPT 
-A OUTPUT -s 213.240.181.33 -o ppp0 -j ACCEPT 
-A OUTPUT -s 10.14.1.1 -o ppp0 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 5 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A OUTPUT -j LOG --log-prefix "OUTPUT " 
-A input-wlan -s 10.14.2.0/255.255.255.0 -d 10.14.2.1 -i eth1 -p udp -m udp --dport 500 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p icmp -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -d 10.14.0.0/255.255.0.0 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p udp -m udp --dport 53 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -d 10.14.2.1 -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT 
-A input-wlan -s 10.14.2.0/255.255.255.0 -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT 
-A input-wlan -m mark --mark 0x8 -j ACCEPT 
-A input-wlan -j LOG --log-prefix "INPUT-WLAN " 
-A input-wlan -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Wed Jun  9 00:44:05 2004
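An added example, not code from the original post: a small Python model of how netfilter evaluates the two mangle MARK rules and the two nat SNAT rules from the question. It shows the property a practitioner checks first when a mark-matched SNAT rule reports zero hits: the nat table is consulted only for the first packet of a connection, and the source address chosen then is reused by conntrack for every later packet of that flow. Packets are plain dicts (a constructed, simplified shape), IP1/IP2 stand for the two addresses, and only the esp/ah marking rules from the mail body are modelled, not the full mangle chain in the attachment.

```python
import ipaddress

# Added example, not code from the original post: a small model of how
# netfilter evaluates the two mangle MARK rules and the two nat SNAT rules
# from the question. Packets are plain dicts (a constructed, simplified shape).

LAN = ipaddress.ip_network("10.14.0.0/16")

def mangle_prerouting(pkt):
    """Runs for every packet: esp/ah gets mark 0x8, otherwise keep any existing mark."""
    if pkt["proto"] in ("esp", "ah"):
        return 0x8
    return pkt.get("mark", 0)

def nat_postrouting(pkt, mark):
    """nat POSTROUTING decision: which source address the two SNAT rules select."""
    if pkt["out"] != "ppp0" or ipaddress.ip_address(pkt["src"]) not in LAN:
        return None                      # neither SNAT rule matches
    if mark == 0x8:
        return "IP1"                     # ... -m mark --mark 0x8 -j SNAT --to-source IP1
    return "IP2"                         # ... -j SNAT --to-source IP2

def route_flow(packets, conntrack=None):
    """Feed packets through both tables and return the source address used per packet.

    The nat table is consulted only for the first packet of a connection; the
    mapping it picks is stored in conntrack and reused for every later packet
    of that connection, whatever mark those later packets carry.
    """
    conntrack = {} if conntrack is None else conntrack
    chosen = []
    for pkt in packets:
        mark = mangle_prerouting(pkt)
        key = (pkt["proto"], pkt["src"], pkt["dst"])   # simplified conntrack tuple
        if key not in conntrack:                        # state NEW: nat lookup happens
            conntrack[key] = nat_postrouting(pkt, mark)
        chosen.append(conntrack[key])                   # later packets: mapping reused
    return chosen

if __name__ == "__main__":
    esp = {"proto": "esp", "src": "10.14.1.5", "dst": "198.51.100.7", "out": "ppp0"}
    udp = {"proto": "udp", "src": "10.14.2.9", "dst": "198.51.100.7", "out": "ppp0"}
    print(route_flow([esp, esp]))                       # ['IP1', 'IP1']
    print(route_flow([udp, dict(udp, mark=0x8)]))       # ['IP2', 'IP2']
```

The third case in the test below is the one worth noting: a flow whose first packet was unmarked keeps IP2 even if later packets of the same connection carry mark 0x8, so the mark must be present on the packet that creates the conntrack entry.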
