Hi,

Thomas Themel (themel@xxxxxxxxxx) wrote on 2003-11-01:

> # SNAT for outgoing packets
> iptables -A POSTROUTING -t nat -o $PPP_IFACE --match mark --mark 0x03 -j SNAT --to-source $PPP_LOCAL

I've been able to do away with the DNAT rule now.

> # DNAT for incoming packets
> iptables -t nat -A PREROUTING -i $PPP_IFACE -d $PPP_LOCAL -j DNAT --to-destination 192.168.1.1

I couldn't get it to work with just the SNAT rule originally (see original
post, the SACKs would be ignored), but I've finally figured out why: I had
enabled rp_filter on that machine. Quite obviously, enabling rp_filter in
combination with policy routing is a bad idea.

echo 0 > /proc/sys/net/ipv4/conf/$PPP_IFACE/rp_filter

fixed it for me.

I still think I shouldn't need the netfilter SNAT rule, but even enabling NAT
with the routing rule (ip rule add fwmark 3 table aonc nat $PPP_REMOTE) doesn't
seem to set the source address of the outgoing packets correctly.

ciao,
-- 
[*Thomas Themel*] "If we're not supposed to eat animals, how come
[extended contact]  they're made of meat?"
[info provided in]   - Treat Carnivores Ethically,
[*message header*]     in the fuckedcompany.com forums
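The rp_filter interaction above is easy to rediscover by accident, because the kernel's effective value for an interface is the larger of conf/all/rp_filter and conf/IFACE/rp_filter, so clearing only the per-interface file may not be enough. The following audit script is an added example, not code from the post; it takes the conf directory as a parameter so it can be exercised against a constructed copy of the sysctl tree.

```shell
#!/bin/sh
# Added example: list interfaces on which reverse-path filtering is still
# effective, which is what breaks fwmark-based policy routing as described
# in the post. The effective value is max(conf/all, conf/<iface>), so a
# per-interface "echo 0" has no effect while conf/all is 1.
#
# Usage: rp_filter_audit [conf_dir]
#   conf_dir defaults to the live tree /proc/sys/net/ipv4/conf; passing a
#   constructed directory with the same layout works for offline testing.
# Output: one "iface effective_value" line per affected interface.
rp_filter_audit() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_val=$(cat "$conf_dir/all/rp_filter" 2>/dev/null || echo 0)
    for d in "$conf_dir"/*/; do
        iface=$(basename "$d")
        # "all" and "default" are templates, not real interfaces.
        case "$iface" in all|default) continue ;; esac
        [ -f "$d/rp_filter" ] || continue
        if_val=$(cat "$d/rp_filter")
        eff=$if_val
        if [ "$all_val" -gt "$eff" ]; then
            eff=$all_val
        fi
        # Non-zero means replies arriving on a different interface than the
        # one the kernel would route the source via are silently dropped,
        # which is how the ignored SACKs in the post come about.
        if [ "$eff" -ne 0 ]; then
            echo "$iface $eff"
        fi
    done
    return 0
}

# Print the sysctl commands that make the per-interface setting effective.
# Mode 2 (loose reverse path, on kernels that support it) keeps a weaker
# anti-spoofing check instead of disabling the filter outright.
rp_filter_fix_cmds() {
    iface="$1"
    mode="${2:-2}"
    echo "sysctl -w net.ipv4.conf.all.rp_filter=0"
    echo "sysctl -w net.ipv4.conf.$iface.rp_filter=$mode"
}
```

Run `rp_filter_audit` before adding `ip rule ... fwmark ...` entries and after every change to conf/all, since distribution defaults frequently set it to 1.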