Quote:
Originally Posted by nini09
iptables has a method called fwmark, which can be used to add a mark to packages, a mark that can survive routing across interfaces.
First, this makes packages marked with 6, to be processed by the 1:30 class
tc filter add dev eth0 protocol ip parent 1: prio 1 handle 6 fw flowid 1:30
This sets that mark 6, using iptables
iptables -A PREROUTING -t mangle -s 192.168.0.1 -j MARK --set-mark 6
I'm sorry for a silly question :-) but -
here is my current iptables-script:
*filter
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A PREROUTING -d real_IP/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.50:3389
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
So there is only one workstation behind my NAT (test network); 3389 is the port for Remote Control. So I'm trying to add your example:
*filter
-A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A PREROUTING -t mangle -s 192.168.0.50 -j MARK --set-mark 6
-A PREROUTING -d real_IP/32 -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.50:3389
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
But this scheme is not working. 192.168.0.50 is my workstation IP-address.