Kalin Bogatzevski
2001-Mar-30 11:39 UTC
mangle table can't mark incoming packets if using SNAT
Hi,
I have the following situation here with Linux 2.4.2, iptables 1.2.1a+tc.
The box has 2 ethernet interfaces:
eth0 is connected to an adsl link with real ip address (213.174.10.162)
eth1 is connected to the lan with internal addresses (192.168.20.1)
Users behind eth1 are connected with addresses from 192.168.20.0/24, which are
all masqueraded (with SNAT) to the address of eth0.
I am trying to traffic-control all incoming and outgoing packets with tc
cbq.
If a user on the eth1 LAN is using a real IP address which is not
masqueraded, I have no problem marking packets with the mangle table.
If a user on the eth1 LAN is using the fake address, then I can control the
outgoing packets and they are correctly marked, but all the incoming packets
are not passing the mangle table PREROUTING chain and are not being marked at
all. So I cannot control the incoming traffic.
Here is a sample of the configuration:
${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -d ! ${INTRANET_REMOTE} -o ${INET_IFACE} -j SNAT --to 213.174.10.162

# MARK DOWNLOAD packets from different IP addresses
echo -n "MARK DOWNLOAD packets"
${IPTABLES} -t mangle -A PREROUTING -d 213.174.10.169/32 -j MARK --set-mark 10169
${IPTABLES} -t mangle -A PREROUTING -s 213.174.10.169/32 -j MARK --set-mark 10169
${IPTABLES} -t mangle -A PREROUTING -d 213.174.10.170/32 -j MARK --set-mark 10170
${IPTABLES} -t mangle -A PREROUTING -s 213.174.10.170/32 -j MARK --set-mark 10170
${IPTABLES} -t mangle -A PREROUTING -d 192.168.20.201/32 -j MARK --set-mark 20201
${IPTABLES} -t mangle -A PREROUTING -s 192.168.20.201/32 -j MARK --set-mark 20201
${IPTABLES} -t mangle -A PREROUTING -d 192.168.20.203/32 -j MARK --set-mark 20203
${IPTABLES} -t mangle -A PREROUTING -s 192.168.20.203/32 -j MARK --set-mark 20203
# iptables -L -t mangle -v -n
Chain PREROUTING (policy ACCEPT 74910 packets, 19572002 bytes)
 pkts bytes target prot opt in  out source          destination
10811 3390K MARK   all  --  *   *   0.0.0.0/0       213.174.10.169  MARK set 0x27b9
10225 1255K MARK   all  --  *   *   213.174.10.169  0.0.0.0/0       MARK set 0x27b9
19549 6873K MARK   all  --  *   *   0.0.0.0/0       213.174.10.170  MARK set 0x27ba
16096 1949K MARK   all  --  *   *   213.174.10.170  0.0.0.0/0       MARK set 0x27ba
    0     0 MARK   all  --  *   *   0.0.0.0/0       192.168.20.201  MARK set 0x4ee9
  453 35261 MARK   all  --  *   *   192.168.20.201  0.0.0.0/0       MARK set 0x4ee9
    0     0 MARK   all  --  *   *   0.0.0.0/0       192.168.20.203  MARK set 0x4eeb
 3836  550K MARK   all  --  *   *   192.168.20.203  0.0.0.0/0       MARK set 0x4eeb
As you can see, the rules with destination 192.168.20.xxx do not show
any packets, so the users are getting uncontrolled traffic.
If anyone has had that problem, please let me know.
Thank you,
Kalin Bogatzevski.
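Editor's note (added example, not part of the original post). The zero counters on the "-d 192.168.20.x" rules are what netfilter's hook order predicts: in PREROUTING the mangle hook (priority NF_IP_PRI_MANGLE, -150) runs before the nat hook (NF_IP_PRI_NAT_DST, -100) that reverses the SNAT for reply packets, so a mangle PREROUTING rule only ever sees the reply with its destination still set to 213.174.10.162. The destination is already the LAN address by the time the packet reaches the FORWARD hook; a mangle FORWARD chain exists in later 2.4 kernels (2.4.18 and up), not in the 2.4.2 kernel named in the post, where the mangle table has only PREROUTING and OUTPUT. The model below is constructed for this note and is not kernel code: it keeps a one-entry-per-remote-host SNAT state (real conntrack keys on the full 5-tuple), uses a constructed remote address 198.51.100.7, and reuses the post's mark 20201 and host 192.168.20.201. It shows the same mark rules placed in PREROUTING versus FORWARD and which of the two directions each chain can mark.

```python
"""Constructed model of netfilter hook ordering for SNAT'd traffic.

Not kernel code: it only models the order of the mangle and nat hooks in
PREROUTING/POSTROUTING and a trivial SNAT state table, to show why a mangle
PREROUTING rule matching the LAN destination never sees reply packets.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "213.174.10.162"   # eth0 address used as the SNAT target in the post


@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0


@dataclass
class MarkRule:
    """One `-t mangle -A <chain> [-s X] [-d Y] -j MARK --set-mark N` rule."""
    chain: str
    mark: int
    match_src: Optional[str] = None
    match_dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.match_src is None or pkt.src == self.match_src)
                and (self.match_dst is None or pkt.dst == self.match_dst))


class Router:
    """Hook order modelled (priorities are the real NF_IP_PRI_* constants):
    PREROUTING: mangle (-150) -> nat dst / un-SNAT of replies (-100)
    FORWARD:    mangle
    POSTROUTING: mangle (-150) -> nat src / SNAT (100)
    """

    def __init__(self, rules: List[MarkRule], public_ip: str = PUBLIC_IP):
        self.rules = rules
        self.public_ip = public_ip
        # remote address -> LAN host that opened the connection (constructed,
        # keyed on the remote IP only; real conntrack keys on the full tuple)
        self.snat_state: Dict[str, str] = {}

    def _mangle(self, chain: str, pkt: Packet) -> Packet:
        # MARK is non-terminating; the last matching rule wins, as in iptables
        for rule in self.rules:
            if rule.chain == chain and rule.matches(pkt):
                pkt = replace(pkt, mark=rule.mark)
        return pkt

    def forward_from_lan(self, pkt: Packet) -> Packet:
        """LAN -> Internet. SNAT happens last, so every mangle chain sees the LAN source."""
        pkt = self._mangle("PREROUTING", pkt)
        pkt = self._mangle("FORWARD", pkt)
        pkt = self._mangle("POSTROUTING", pkt)
        self.snat_state[pkt.dst] = pkt.src                 # conntrack remembers the mapping
        return replace(pkt, src=self.public_ip)            # nat POSTROUTING (SNAT)

    def forward_reply(self, pkt: Packet) -> Packet:
        """Internet -> LAN reply. mangle PREROUTING runs before the un-SNAT,
        so it still sees dst == public_ip; FORWARD and later see the LAN host."""
        pkt = self._mangle("PREROUTING", pkt)              # priority -150
        lan_host = self.snat_state.get(pkt.src)            # nat PREROUTING, priority -100
        if lan_host is not None and pkt.dst == self.public_ip:
            pkt = replace(pkt, dst=lan_host)
        pkt = self._mangle("FORWARD", pkt)
        pkt = self._mangle("POSTROUTING", pkt)
        return pkt


def marks_for(chain: str, lan_host: str = "192.168.20.201",
              remote: str = "198.51.100.7", mark: int = 20201) -> Tuple[int, int]:
    """Install the post's pair of rules (-d host, -s host) in `chain` and return
    (mark on the outgoing packet, mark on the reply packet)."""
    rules = [MarkRule(chain, mark, match_dst=lan_host),
             MarkRule(chain, mark, match_src=lan_host)]
    router = Router(rules)
    outgoing = router.forward_from_lan(Packet(src=lan_host, dst=remote))
    reply = router.forward_reply(Packet(src=remote, dst=outgoing.src))
    return outgoing.mark, reply.mark


if __name__ == "__main__":
    for chain in ("PREROUTING", "FORWARD"):
        out_mark, reply_mark = marks_for(chain)
        print(f"rules in mangle {chain:<10} outgoing mark={out_mark:<6} reply mark={reply_mark}")
```

Running it reproduces the counters in the post: with the rules in PREROUTING the outgoing packet is marked 20201 but the reply stays at 0, because the "-d 192.168.20.201" rule is evaluated while the destination is still the public address; with the same rules in FORWARD both directions carry the mark.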