  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1013

iptables postrouting rule help

Hi, I need to get a postrouting rule to match source IP traffic.  How do I do that, particularly if the traffic is SNAT?

Asked by schnibitz

1 Solution
 
undersky commented:
This is impossible; read man iptables.

In POSTROUTING there is no SNAT. It's like an airport: after you send the plane airborne, it's too late to fix the gears ;)

PREROUTING

[image: iptablesETH.png]
0
 
undersky commented:
Or a better image:

Full tables: NAT, MANGLE, etc...

As you see, POSTROUTING is the last rule, so there is no source here.
If you want a rule with a source, do it in PREROUTING :)

[image: nfk-traversal.png]
0
 
schnibitz (Author) commented:
I was afraid of that. I've been doing marking for traffic control; however, it seems to only be able to mark upload traffic. The only way so far I can see to mark download traffic is in POSTROUTING by destination, or all POSTROUTING traffic. That won't work for me though. Any ideas?
0
undersky commented:
Ah, found it... DNAT works only in PREROUTING;
SNAT works in nat POSTROUTING.

So to use SNAT, type:

iptables -t nat -A POSTROUTING (rule) -j SNAT --to-source ip:port

I missed that DNAT changes the destination port and SNAT changes the source port,
so DNAT can't work in POSTROUTING; it works in nat PREROUTING and OUTPUT.
0
 
undersky commented:
If you want to MARK traffic you can only use the mangle table. The mark lives only inside iptables, from the start of filtering to the way out, so if you want to use both DNAT and SNAT, the best approach is to mark the traffic and later send it to a different rule.
0
 
schnibitz (Author) commented:
Can you send me an example?

Here's what I'm using right now:

iptables -t nat -A POSTROUTING -j SNAT --to-source IP

ip="10.11.0.0/24"
iptables -t mangle -A PREROUTING -s $ip -j MARK --set-mark 10

I'm trying to shape OpenVPN traffic, so when I connect as a client, the above two rules together with the right traffic control rules are now shaping only my upload traffic. I just need to set a firewall marking rule that will limit downloads too.
0
 
schnibitz (Author) commented:
edit:

iptables -t nat -A POSTROUTING -j SNAT --to-source <IP address>
0
 
schnibitz (Author) commented:
Got it to work. The following code assumes you already have OpenVPN up and running. I can't take total credit for this; I pasted a URL after the code that got me going in this direction. My problem is that I didn't make TC rules for the tun0 interface. Once I defined those, POSTROUTING -d seemed to work just as I would expect. VERY gratified at this point. Learned a lot about how all this works. Hopefully this helps some other poor soul out there.

#!/bin/sh
# Shape OpenVPN client traffic (10.100.0.0/24) in both directions with HTB
# classes selected by firewall marks. Assumes OpenVPN is already up on tun0.
DEV="eth0"
IP="10.100.0.0/24"
VDEV="tun0"

# Start clean: drop any existing root qdiscs and all mangle rules
# (the del commands fail harmlessly when no qdisc is present yet)
tc qdisc del dev $DEV root 2>/dev/null
tc qdisc del dev $VDEV root 2>/dev/null
iptables -t mangle -F

# Limit eth0 download speed: traffic to the VPN subnet, marked after routing
tc qdisc add dev $DEV root handle 1: htb
tc class add dev $DEV parent 1:1 classid 1:10 htb rate 1mbit ceil 1mbit prio 4
tc filter add dev $DEV parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A POSTROUTING -d $IP -j MARK --set-mark 10

# Limit tun0 upload speed: traffic from the VPN subnet, marked before routing
tc qdisc add dev $VDEV root handle 1: htb
tc class add dev $VDEV parent 1:1 classid 1:10 htb rate 1mbit ceil 1mbit prio 4
tc filter add dev $VDEV parent 1:0 prio 4 protocol ip handle 10 fw flowid 1:10
iptables -t mangle -A PREROUTING -s $IP -j MARK --set-mark 10

http://www.dd-wrt.com/phpBB2/viewtopic.php?p=597446
0
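A check for the situation this answer describes (the MARK rule matches, but the egress device has no tc class for it), added here as an example; it is not from the thread or the linked dd-wrt post. It assumes the output formats of "tc -s class show" and "iptables -t mangle -vnL" shown in the constructed samples, and reuses class 1:10 and the 10.100.0.0/24 network from the script above.

```shell
#!/bin/sh
# Added example (not from the original thread): check whether a MARK rule is
# matching packets and whether the HTB class on the egress device is actually
# sending them. A growing mark counter with a class stuck at zero means the
# marked packets leave through a device that has no tc rules, which is the gap
# the thread's author hit before adding rules for tun0.

# Print the "Sent ... bytes" counter of one HTB class from "tc -s class show"
# output read on stdin. Usage: tc -s class show dev tun0 | class_sent_bytes 1:10
class_sent_bytes() {
    awk -v id="$1" '
        $1 == "class" && $3 == id { found = 1; next }
        found && $1 == "Sent" { print $2; exit }
    '
}

# Print the packet counter of the first MARK rule whose source or destination
# is the given network, from "iptables -t mangle -vnL <chain>" read on stdin.
# Usage: iptables -t mangle -vnL POSTROUTING | mark_rule_pkts 10.100.0.0/24
mark_rule_pkts() {
    awk -v net="$1" '$3 == "MARK" && ($8 == net || $9 == net) { print $1; exit }'
}

# Combine both counters: OK, NO-MATCH (rule never matched) or WRONG-DEV
# (rule matched but the class on this device never saw the packets).
shaping_status() {
    if [ "${1:-0}" -eq 0 ]; then echo NO-MATCH
    elif [ "${2:-0}" -eq 0 ]; then echo WRONG-DEV
    else echo OK
    fi
}

# Constructed sample output standing in for the real commands.
TC_TUN0_SAMPLE='class htb 1:10 root prio 4 rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 123456 bytes 789 pkt (dropped 12, overlimits 34 requeues 0)
 backlog 0b 0p requeues 0'
TC_ETH0_SAMPLE='class htb 1:10 root prio 4 rate 1Mbit ceil 1Mbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0'
IPT_POSTROUTING_SAMPLE='Chain POSTROUTING (policy ACCEPT 4321 packets, 2M bytes)
 pkts bytes target     prot opt in     out     source               destination
  789 123K MARK       all  --  *      *       0.0.0.0/0            10.100.0.0/24        MARK set 0xa'

# Download direction: the POSTROUTING -d mark hits, and tun0 class 1:10 carries bytes.
dl_pkts=$(printf '%s\n' "$IPT_POSTROUTING_SAMPLE" | mark_rule_pkts 10.100.0.0/24)
echo "download via tun0: $(shaping_status "$dl_pkts" "$(printf '%s\n' "$TC_TUN0_SAMPLE" | class_sent_bytes 1:10)")"
# Checking the same mark against eth0 reports WRONG-DEV: eth0 is not the egress
# device for traffic to the VPN subnet, so a class there would never shape it.
echo "download via eth0: $(shaping_status "$dl_pkts" "$(printf '%s\n' "$TC_ETH0_SAMPLE" | class_sent_bytes 1:10)")"
```

On a live box, replace the sample variables with the real command output piped into the two functions, once for each direction and device.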
 
schnibitz (Author) commented:
After some searching I finally found the information I was looking for.  This should also help me resolve another open question.
0