lartc.org : Linux Advanced Routing & Traffic Control
Shaping on a firewall
You can shape on a firewall, but with one caveat: most firewalls NAT the internal network, which means the source address of packets coming from the LAN is rewritten to that of the firewall. So on the outbound interface you can no longer use the original source address to classify packets.

If you want to use the source address to classify packets, you can mark the packets when they enter your Linux box: at that point the source address is still the real one. The mark is set with iptables and exists only inside the kernel of your Linux box (it is not carried in the packet on the wire). That mark can then be used to classify the packets after the source address has been rewritten.

Example setup :

LAN                eth0 |-------| eth1
10.0.0.0/24      -------|       |-----     internet
             10.0.0.254 |-------| 1.2.3.4

The clients have 10.0.0.254 as default gateway. The router NATs the LAN IP addresses, so all packets leaving eth1 have 1.2.3.4 as source address. What you can do is mark the packets when they enter the firewall on NIC eth0, where the source address is still that of the LAN client. That mark can then be used on eth1 to classify the packets with the fw filter.

Example if you have two IPs and want to create a class for each IP:

# Basic firewall setup :
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Marking the packets (mangle PREROUTING runs before nat POSTROUTING rewrites the source) :
iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -s 10.0.0.2 -j MARK --set-mark 2
# Using fw filter to classify the packets (assumes a root qdisc with handle 1:
# and classes 1:1 and 1:2 already exist on eth1) :
tc filter add dev eth1 parent 1: protocol ip prio 1 handle 1 fw classid 1:1
tc filter add dev eth1 parent 1: protocol ip prio 1 handle 2 fw classid 1:2
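
The complete setup for the diagram above as a script, added here as an example and not part of the original FAQ. It assumes eth0/eth1 as drawn, an HTB root qdisc with a default class for unmarked traffic, and placeholder rates; it only prints the commands unless APPLY=1 is set, and the counter check at the end shows whether marking and classification really happen.

```shell
#!/bin/sh
# Added example, not from the original FAQ: the complete setup for the topology
# above. Assumes eth0 = LAN, eth1 = internet, an HTB root qdisc, and placeholder
# rates. By default the commands are only printed; set APPLY=1 to run them
# (root, iptables and tc required).
LAN_IF=eth0
WAN_IF=eth1
CLIENT_RATE=2mbit   # placeholder per-client rate
DEFAULT_RATE=1mbit  # placeholder rate for unmarked traffic

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Root HTB qdisc on the NAT side; class 1:99 catches everything without a mark,
# so traffic that is not explicitly classified cannot bypass the shaper.
setup_qdisc() {
    run tc qdisc add dev "$WAN_IF" root handle 1: htb default 99
    run tc class add dev "$WAN_IF" parent 1: classid 1:99 htb rate "$DEFAULT_RATE"
}

# Mark a client's packets on ingress (mangle PREROUTING, before nat POSTROUTING
# rewrites the source) and steer that mark into its own class on egress.
# $1 = LAN address, $2 = mark value (reused as the class minor number).
add_client() {
    ip=$1; mark=$2
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$ip" -j MARK --set-mark "$mark"
    run tc class add dev "$WAN_IF" parent 1: classid "1:$mark" htb rate "$CLIENT_RATE"
    run tc filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle "$mark" fw classid "1:$mark"
}

# Verification: while a client sends, its mangle rule counter and its class
# counters must both grow; if only the first does, the fw filter is not matching.
show_counters() {
    run iptables -t mangle -L PREROUTING -v -n
    run tc -s class show dev "$WAN_IF"
}

run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
setup_qdisc
add_client 10.0.0.1 1
add_client 10.0.0.2 2
show_counters
```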

stef.coene@docum.org
This document is: http://qos.dyndns.org:3389/cgi-bin/fom?file=59