Hello Adrian,

Thanks for your help. It is working with your advice to use the mangle OUTPUT table and the ASCII graphic on http://netfilter.samba.org/documentation/HOWTO//netfilter-hacking-HOWTO.html#toc3.2 .

My simplified ruleset is:

    # table NP must be declared in /etc/iproute2/rt_tables
    /usr/sbin/ip rule add from $OFFICIAL_IP_of_2nd_Interface table NP
    /usr/sbin/ip route add default via $GATEWAY_of_2nd_Interface dev $DEVICE_2_ROUTE_IS_AIMED table NP
    # mangle OUTPUT is traversed by locally generated packets, so the mark is set before the reroute check
    iptables -t mangle -A OUTPUT -p tcp --dport $PORTNUMBER -j MARK --set-mark 1
    /usr/sbin/ip rule add fwmark 1 table NP
    /usr/sbin/ip route flush cache
    # the source address was chosen by the first routing lookup, so rewrite it to the 2nd interface's address
    iptables -t nat -A POSTROUTING -o $DEVICE_2_ROUTE_IS_AIMED -p tcp --dport $PORTNUMBER -j SNAT --to $OFFICIAL_IP_of_2nd_Interface

Greets
Tobias

On Fri, 19 Apr 2002 11:34:21 -0400 "Adrian Chung" <adrian@enfusion-group.com> wrote:

> On Fri, Apr 19, 2002 at 03:18:01PM +0200, Tobias wrote:
> [...]
> > Unfortunately netfilter can only set MARKs in the moment the
> > packets traverse the INPUT Queue (of corresponding interface).
> >
> > -->
> > netfilter is not able to set mark for _local_ created packets,
> > because the INPUT Queue of netfilter is not passed.
> >
> > => In fact the MARK mechanism can only be used for incoming packets.
>
> Prior to 2.4.18, the 'mangle' table had PREROUTING (for incoming
> packets prior to routing) and OUTPUT (for locally generated packets)
> chains. After 2.4.18, there are INPUT, FORWARD, and POSTROUTING
> chains as well.
>
> I'm using the OUTPUT chain of the 'mangle' table to set-tos values,
> but I'm pretty sure I can --set-mark instead. I'm unable to test it
> at the moment though.
>
> --
> Adrian Chung (adrian at enfusion-group dot com)
> http://www.enfusion-group.com/~adrian
> GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
> [toad.enfusion-group.com] up 26 days, 21:07, 16 users
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
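Added example, not from the thread: the ruleset above as a sh script with a dry-run mode, the rt_tables check it depends on, and comments on why mangle OUTPUT and the SNAT are needed. The interface, addresses, port and table name are constructed placeholders.

```shell
#!/bin/sh
# Steer locally generated TCP traffic for one destination port out of a
# second interface: fwmark in mangle OUTPUT, a mark-based ip rule, and SNAT.
# Interface, addresses and port below are constructed placeholders.
set -eu

IF2="${IF2:-eth1}"               # second interface
IF2_IP="${IF2_IP:-192.0.2.10}"   # its official address (TEST-NET-1 placeholder)
IF2_GW="${IF2_GW:-192.0.2.1}"    # gateway reachable through that interface
PORT="${PORT:-25}"               # destination TCP port to steer
TABLE="${TABLE:-NP}"             # routing table name, must exist in rt_tables
MARK="${MARK:-1}"
DRY_RUN="${DRY_RUN:-0}"          # 1: print the commands instead of running them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ensure_table: register the table name in /etc/iproute2/rt_tables if absent,
# since 'ip rule ... table NP' fails when the name is unknown.
ensure_table() {
    rt=/etc/iproute2/rt_tables
    grep -qE "^[0-9]+[[:space:]]+$TABLE\$" "$rt" 2>/dev/null ||
        run sh -c "echo '100 $TABLE' >> $rt"
}

# apply_rules: the ruleset in the order it must be installed.
apply_rules() {
    run ip route add default via "$IF2_GW" dev "$IF2" table "$TABLE"
    run ip rule add from "$IF2_IP" table "$TABLE"
    # mangle OUTPUT is traversed by locally generated packets, so the mark
    # is already set when the kernel re-checks the route after the chain
    run iptables -t mangle -A OUTPUT -p tcp --dport "$PORT" \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
    # the source address was chosen by the first (main table) lookup, so
    # rewrite it to the second interface's address, otherwise replies
    # come back through the wrong interface
    run iptables -t nat -A POSTROUTING -o "$IF2" -p tcp --dport "$PORT" \
        -j SNAT --to "$IF2_IP"
}
```

Run with DRY_RUN=1 first to review the exact commands, then as root with ensure_table followed by apply_rules.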