iptables postrouting rule help

Hi, I need to get a postrouting rule to match source IP traffic.  How do I do that, particularly if the traffic is SNAT?

Asked by: schnibitz

1 Solution

undersky commented:
This is impossible; read man iptables.

In POSTROUTING there is no SNAT; it's like an airport: once you send the plane airborne, it's too late to fix the gear ;)

PREROUTING

[image: iptablesETH.png]

 
undersky commented:
Or a better image:

FULL tables
NAT, MANGLE, etc...

As you see, POSTROUTING is the last rule, so no source here.
If you want a rule with source, do it in PREROUTING :)

[image: nfk-traversal.png]

 
schnibitz (Author) commented:
I was afraid of that.  I've been doing marking for traffic control; however, it seems to only be able to mark upload traffic.  The only way so far I can see to mark download traffic is in POSTROUTING by destination, or all POSTROUTING traffic.  That won't work for me though.  Any ideas?

 
undersky commented:
Ah, found it... DNAT works only in PREROUTING;
SNAT works in nat POSTROUTING.

So to use SNAT:

type
iptables -t nat -A POSTROUTING (rule) -j SNAT --to-source ip:port

I missed that DNAT changes the destination port and SNAT changes the source port,
so DNAT can't work in POSTROUTING; it works in nat: PREROUTING and OUTPUT.

 
undersky commented:
If you want to MARK traffic you can use only the mangle table.  The mark lives only inside iptables, from the start of filtering to out... so if you want to use both DNAT and SNAT, the best option is to mark it, and later send it to a different rule.

 
schnibitz (Author) commented:
Can you send me an example?

Here's what I'm using right now:

iptables -t nat -A POSTROUTING -j SNAT --to-source IP

ip="10.11.0.0/24"
iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark 10

I'm trying to shape OpenVPN traffic, so when I connect as a client, the above two rules together with the right traffic control rules are now shaping only my upload traffic.  I just need to set a firewall marking rule that will limit downloads too.

 
schnibitz (Author) commented:
edit:

iptables -t nat -A POSTROUTING -j SNAT --to-source <IP address>

 
schnibitz (Author) commented:
Got it to work.  The following code assumes you already have OpenVPN up and running.  I can't take total credit for this.  I pasted a URL after the code that got me going in this direction.  My problem is that I didn't make TC rules for the tun0 interface.  Once I defined those, POSTROUTING -d seemed to work just as I would expect.  VERY gratified at this point.  Learned a lot about how all this works.  Hopefully this helps some other poor soul out there.

#!/bin/sh
# Shape OpenVPN client traffic in both directions using fwmark 10:
#  - packets *to* the VPN subnet leave via tun0 (client downloads)
#  - packets *from* the VPN subnet leave via eth0 (client uploads)
# Both interfaces get an HTB class 1:10 plus an fw filter matching mark 10,
# so whichever interface a marked packet leaves on, it lands in that class.
DEV="eth0"
IP="10.100.0.0/24"
VDEV="tun0"

# Start clean; the deletes fail harmlessly if no root qdisc is attached yet
tc qdisc del dev $DEV root 2>/dev/null
tc qdisc del dev $VDEV root 2>/dev/null
iptables -t mangle -F

# eth0: shape marked traffic leaving towards the internet
tc qdisc add dev $DEV root handle 1: htb
# the class hangs directly off the root qdisc (1:), there is no class 1:1
tc class add dev $DEV parent 1: classid 1:10 htb rate 1mbit ceil 1mbit prio 4
tc filter add dev $DEV parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
# Mark packets destined to the VPN subnet (downloads; seen after NAT/routing)
iptables -t mangle -A POSTROUTING -d $IP -j MARK --set-mark 10

# tun0: shape marked traffic leaving towards the VPN clients
tc qdisc add dev $VDEV root handle 1: htb
tc class add dev $VDEV parent 1: classid 1:10 htb rate 1mbit ceil 1mbit prio 4
tc filter add dev $VDEV parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
# Mark packets sourced from the VPN subnet (uploads; seen before routing)
iptables -t mangle -A PREROUTING -s $IP -j MARK --set-mark 10


http://www.dd-wrt.com/phpBB2/viewtopic.php?p=597446
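Once rules like the ones above are loaded, the check a practitioner wants is whether the mark set in mangle is actually reaching the tc class, i.e. whether the --set-mark value agrees with the filter's fw handle. The following is an added example, not code from the thread or from dd-wrt: it parses constructed snapshots of the iptables and tc counters so it runs offline; the counter values, interface and subnet are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the MARK rule and the tc fw
# filter/class actually see traffic. Runs offline on constructed counter
# snapshots; on a live box feed it the real output of
#   iptables -t mangle -L POSTROUTING -v -n -x   and   tc -s class show dev tun0

# Constructed snapshot of `iptables -t mangle -L POSTROUTING -v -n -x`
MANGLE_SNAP='Chain POSTROUTING (policy ACCEPT 12345 packets, 6789000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     842    1048576 MARK       all  --  *      *       0.0.0.0/0            10.100.0.0/24        MARK set 0xa'

# Constructed snapshot of `tc -s class show dev tun0`
TC_SNAP='class htb 1:10 root prio 4 rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 1048576 bytes 842 pkt (dropped 37, overlimits 120 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 842 borrowed: 0 giants: 0
 tokens: 187500 ctokens: 187500'

# Packets counted by the MARK rule for destination $2 that sets mark $1
# (decimal, as given to --set-mark). Prints 0 when no such rule is listed.
mark_rule_pkts() {
    printf '%s\n' "$MANGLE_SNAP" | awk -v mark="$(printf '0x%x' "$1")" -v dst="$2" '
        $3 == "MARK" && $9 == dst && $NF == mark { n += $1 }
        END { print n + 0 }'
}

# "pkt" or "dropped" counter of HTB class $2; prints 0 if the class is absent.
class_stat() {
    printf '%s\n' "$TC_SNAP" | awk -v field="$1" -v cls="$2" '
        /^class htb / { cur = $3 }
        cur == cls && $1 == "Sent" {
            found = 1
            if (field == "pkt") print $4 + 0
            if (field == "dropped") { sub(",", "", $7); print $7 + 0 }
        }
        END { if (!found) print 0 }'
}

# Succeeds when packets are being marked and the class is sending them, i.e.
# the --set-mark value really matches the filter's `handle N fw`.
shaping_active() {
    m=$(mark_rule_pkts "$1" "$2")
    c=$(class_stat pkt "$3")
    d=$(class_stat dropped "$3")
    echo "mark $1 -> $2: $m marked; class $3 sent $c pkts, dropped $d"
    [ "$m" -gt 0 ] && [ "$c" -gt 0 ]
}

shaping_active 10 10.100.0.0/24 1:10
```

A non-zero "dropped" count on the class is the shaper doing its job; zero marked packets with a non-zero class count means some other filter is feeding the class.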
 
schnibitz (Author) commented:
After some searching I finally found the information I was looking for.  This should also help me resolve another open question.