Iptables – set mark on iptables based on interface

Tags: iptables, nat

I have an Ubuntu 10.04 machine with two ethernet interfaces: eth0 (WAN) eth1 (LAN)

I've configured NAT using these commands:

sudo iptables -A FORWARD -o eth0 -i eth1 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE

Now I'd like to add a packet mark to packets sourced from eth1 so that I can traffic-shape based on the mark. What iptables commands do I need to do this?

It seems like I need something along the lines of

   sudo iptables -A FORWARD -i eth1 -t mangle -j MARK --set-mark 3

But I'm not sure. I want to make sure this mark persists past the nat so that I can inspect packets going out on eth0 with tc to do traffic shaping.

Best Answer

sudo iptables -A PREROUTING -i eth1 -t mangle -j MARK --set-mark 3

You want to have the packets marked before they go into the router, so you can use PREROUTING. See as well http://lartc.org/howto/lartc.netfilter.html
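As an added example (not part of the question or the accepted answer), here is a small script that sets the mark in the mangle table at PREROUTING, as the answer suggests, and then uses a tc `fw` filter on eth0 to shape by that mark. It assumes the interfaces and subnet from the question (eth1 LAN, eth0 WAN, 192.168.0.0/24), mark value 3, and a constructed 2mbit rate for the LAN class; it prints the commands unless APPLY=1 is set, since iptables and tc need root.

```shell
#!/bin/sh
# Added example: mark LAN-originated packets and shape them on the WAN side.
# Assumptions: eth1 = LAN (192.168.0.0/24), eth0 = WAN, mark 3, 2mbit LAN cap
# (constructed value). Commands are printed unless APPLY=1 is set.

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.0.0/24
MARK=3
LAN_RATE=2mbit

# Execute the command when APPLY=1, otherwise just print it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Mark in mangle/PREROUTING: this runs before routing and before nat/POSTROUTING
# rewrites the source address. The mark is stored on the kernel's socket buffer,
# not in the packet itself, so it survives MASQUERADE and is still visible to tc
# when the packet leaves on the WAN interface.
mark_lan_traffic() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -j MARK --set-mark "$MARK"
}

# Egress shaping on the WAN interface: an HTB root, a capped class for marked
# traffic, a default class for everything else, and an fw filter that selects
# packets by netfilter mark ("handle <mark> fw").
shape_marked_egress() {
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 20
    run tc class add dev "$WAN_IF" parent 1: classid 1:10 htb rate "$LAN_RATE"
    run tc class add dev "$WAN_IF" parent 1: classid 1:20 htb rate 100mbit
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle "$MARK" fw flowid 1:10
}

# Verification: packet counters on the MARK rule and hit counts on the fw filter
# show whether marking and classification are actually happening.
show_state() {
    run iptables -t mangle -L PREROUTING -v -n
    run tc -s filter show dev "$WAN_IF"
}

mark_lan_traffic
shape_marked_egress
show_state
```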
