iptables mangle and NAT notes, etc.


PREROUTING in mangle table: alter routing (e.g. source-based routing)
FORWARD in mangle table: traffic shaping for tc (flowid)

In MikroTik RouterOS, /ip firewall nat:
srcnat chain = PREROUTING
dstnat chain = POSTROUTING

/ip firewall mangle:
prerouting chain = global-in
forward chain = global-out (support NAT traffic shaping, higher load on router)

Update: I used to think that global-in literally means global input, while global-out literally means global output. Apparently I was mistaken. The parent queues MUST be matched to the right parent, either global-in, global-out, global-total, or one of the network interfaces depending on the mangle rules. Top-most queue parent (global-in, global-out, global-total) doesn’t decide whether it’s up/down. The mangle rules do the direction decision trick, whether a packet is incoming/download or outgoing/upload. This makes perfect sense now! (doh) I kept wondering why half of my queues (download queues’ top-most parent was global-in) weren’t working, when all my mangle rules were in forward chain. Obviously they wouldn’t, because global-in marks both directions in prerouting chain.

Update 2: mangle: download rules first then upload rules. global-in, connection mark: prerouting; packet mark: prerouting. global-out, connection mark: forward, packet mark: postrouting.


This didn’t make sense until I read the URL listed below under References. Silly me! Assumption is the root of most, if not all, problems indeed.


One thought on “iptables mangle and NAT notes, etc.”

  1. Oh, I forgot to mention when there are multiple upstream interfaces (different directions, e.g. IXP to/from client and transit to/from client), use the forward chain for the connection marking mangle rules and prerouting chain for the packet marking mangle rules. Since the packet marking mangle rules are in prerouting chain, global-in queue parent can be used. Can still use global-in with prerouting chain packet marking mangle rules if there is a dst-address-list to classify the different flows, because this method doesn’t require any explicit in/out-interface settings.
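As an added example (not from the original post), the Update 2 recipe for a global-in queue tree written as RouterOS CLI commands, using the address-list direction trick from the comment above so no in-interface/out-interface match is needed. It assumes a RouterOS 5.x-era queue tree (where global-in is a valid parent), a constructed `clients` address list holding 192.168.88.0/24, and placeholder rate limits.

```routeros
# Added example, not from the original post. Assumes a RouterOS 5.x queue tree
# (global-in parent exists) and a constructed "clients" address list.
/ip firewall address-list
add list=clients address=192.168.88.0/24 comment="constructed LAN range"

/ip firewall mangle
# Download rules first (Update 2): anything addressed to a client is download.
# Connection mark and packet mark both live in prerouting so global-in sees them.
add chain=prerouting dst-address-list=clients action=mark-connection \
    new-connection-mark=client-conn passthrough=yes comment="download conn mark"
add chain=prerouting dst-address-list=clients connection-mark=client-conn \
    action=mark-packet new-packet-mark=client-down passthrough=no
# Upload rules: same connection mark; direction is decided by src-address-list,
# which is why no in-interface/out-interface setting is required.
add chain=prerouting src-address-list=clients action=mark-connection \
    new-connection-mark=client-conn passthrough=yes comment="upload conn mark"
add chain=prerouting src-address-list=clients connection-mark=client-conn \
    action=mark-packet new-packet-mark=client-up passthrough=no

/queue tree
# Both directions hang off global-in because both packet marks are set in
# prerouting; the packet mark, not the parent, tells download from upload.
add name=download parent=global-in max-limit=20M comment="placeholder rate"
add name=upload   parent=global-in max-limit=5M  comment="placeholder rate"
add name=client-down parent=download packet-mark=client-down limit-at=10M max-limit=20M
add name=client-up   parent=upload   packet-mark=client-up   limit-at=2M  max-limit=5M
```

Swapping the packet-mark rules to chain=postrouting with parent=global-out (and the connection marks to chain=forward) gives the second layout from Update 2; mixing a prerouting packet mark with a global-out parent reproduces the half-dead queues described in the first update.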
