Hello Paul,

On Wed, 2003-08-20 at 20:55, paul.walling@xxxxxxxxxxxx wrote:
<snip>
> So I read the IpTables Tutorial and find it contradicts itself
> 
> Section 3.1 table 3.2: suggests that the routing decision is made
> prior to the mangle happening. This appears to be what I can see happening.
> Hence we can never find a route in our table and this would result in
> Network Unreachable.
> 
> Section 6.2 table 6.1 suggests that the mangle of OUTPUT happens
> prior to the routing decision. I don't think this is true because otherwise
> the Mark would be set to 1 and the frame would have been routed correctly
> to 172.21.1.11. Also the theory is backed up by the fact that the ping on
> eth2 was routed out eth2 but with an incorrect source address. The source
> address being added as a result of the routing decision.

This is an issue which I have been trying to resolve for some time ... you
are correct that the routing decision is made prior to a packet traversing
OUTPUT, therefore your attempt to mark and route on locally generated
packets will not work.

Two solutions exist:

(1) on the netfilter site, you'll find a patch from Cédric de Launois which
allows you to select the interface:

iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --iface eth1

(2) you can mark in OUTPUT and then fiddle in the POSTROUTING chain:

iptables --append OUTPUT --table mangle --jump MARK --set-mark 0x2
iptables --append POSTROUTING --table nat --match mark --mark 0x2 \
    --jump SNAT --to-source 192.168.1.100

I have been dreaming of a new netfilter target called rt_lookup that would
force a route lookup using all the packet characteristics as it traverses
the NAT table of the POSTROUTING chain -- regrettably, I have not had the
time to investigate whether it is even possible!

Ciao
Charles

> Now I am very much a newcomer to routing so have probably misunderstood the
> entire principles. Could someone confirm if what I am trying to do is
> correct or if I have completely gone mad and missed the point.
> (which wouldn't be the first time !)
> 
> Many thanks in advance
> 
> Paul.
> 
> 
> -----------------------------------------
> Email provided by http://www.ntlhome.com/
> 
> 
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc

HOWTO: http://lartc.org/
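Charles' second workaround (mark in mangle OUTPUT, SNAT in nat POSTROUTING) packaged as a small script, added here as an example and not part of the thread or of any project. It reuses the thread's values (destination 172.21.1.11, mark 0x2, SNAT source 192.168.1.100); restricting the MARK rule with a `--destination` match is this example's own assumption, as is the `DRY_RUN` switch that prints the commands instead of running them so the rule set can be reviewed without root. The ROUTE target from solution (1) needs the patched kernel and is not included.

```shell
#!/bin/sh
# Added example, not from the thread. Locally generated packets are routed
# before they traverse mangle OUTPUT, so the mark cannot change their route
# or source; the SNAT in nat POSTROUTING runs after routing and fixes the
# source address. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies
# them with the iptables binary named in $IPT.
DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# workaround_rules DEST MARK SRC_IP
# Tag the chosen local traffic in mangle OUTPUT, then rewrite the source of
# anything carrying that tag once routing has already picked the interface.
workaround_rules() {
    dest="$1" mark="$2" src="$3"
    run "$IPT" --table mangle --append OUTPUT --destination "$dest" \
        --jump MARK --set-mark "$mark"
    run "$IPT" --table nat --append POSTROUTING --match mark --mark "$mark" \
        --jump SNAT --to-source "$src"
}

# remove_rules DEST MARK SRC_IP
# The matching --delete pair, so the change can be backed out cleanly.
remove_rules() {
    dest="$1" mark="$2" src="$3"
    run "$IPT" --table mangle --delete OUTPUT --destination "$dest" \
        --jump MARK --set-mark "$mark"
    run "$IPT" --table nat --delete POSTROUTING --match mark --mark "$mark" \
        --jump SNAT --to-source "$src"
}

# verify_live DEST MARK SRC_IP (DRY_RUN=0 only)
# Confirm both rules are installed (--check needs iptables 1.4.11 or newer)
# and show the interface and source the routing decision picks for DEST;
# that source is the one the thread saw as wrong and the SNAT overwrites.
verify_live() {
    dest="$1" mark="$2" src="$3"
    "$IPT" --table mangle --check OUTPUT --destination "$dest" \
        --jump MARK --set-mark "$mark" &&
    "$IPT" --table nat --check POSTROUTING --match mark --mark "$mark" \
        --jump SNAT --to-source "$src" &&
    ip route get "$dest"
}

# Usage: print (or apply) the rule set for the thread's addresses.
workaround_rules 172.21.1.11 0x2 192.168.1.100
```

Run it once with the default `DRY_RUN=1` to inspect the exact rules, then `DRY_RUN=0 sh script.sh` as root to install them and `verify_live 172.21.1.11 0x2 192.168.1.100` to confirm the match counters exist and see what route the kernel chose before the SNAT takes effect.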