Hi all,

I have a network like this:

        Provider 1          Provider 2
              \                /
               \              /
           eth1 \            / eth2
             -------------------
             |                 |
             |                 |
             |      eth0       |
             -------------------
                     |
                     |

2 networks:
- 192.168.2.0/24
- 192.168.3.0/24

The network 192.168.3.0 is routed to provider 1 and 192.168.2.0 is routed to provider 2 (all are behind a masquerade).

On 192.168.2.0 I have an SMTP server (192.168.2.2). I want all traffic to other SMTP servers to use the provider 1 line. As explained in the "Linux Advanced Routing & Traffic Control HOWTO", I mark packets from this server and route these marked packets to provider 1. But it doesn't work.

After investigation, I believe it's a NAT problem (but I'm not sure). I use ethereal to watch packets on eth1 when I try an SMTP connection from 192.168.2.2. The packets are routed correctly, but it seems those packets are not masqueraded. Let me explain: I see the TCP SYN packet from IP_of_eth1 to A_Server_Mail. I receive a TCP SYN,ACK from A_Server_Mail to IP_of_eth1. But after that, nothing happens... The destination address is never changed...

Can anyone help me?

(PS: I tried disabling rp_filter as described in the "Linux Advanced Routing & Traffic Control HOWTO", but it changed nothing.)

I also need to forward all incoming traffic for ports 80 and 25 to this server... Everything I try (see below) doesn't work:

iptables -A FORWARD -d 192.168.2.2 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.2.2 -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80
iptables -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.2:80

Thanks

Here are my firewall's rules:

# Generated by iptables-save v1.2.6a on Wed Sep 29 12:20:34 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20:1680]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth0 -j ACCEPT
-A INPUT -d 255.255.255.255 -i eth2 -j ACCEPT
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -d ip_from_provider1 -i eth1 -j ACCEPT
-A INPUT -d broadcast_provider1 -i eth1 -j ACCEPT
-A INPUT -d ip_from_provider2 -i eth2 -j ACCEPT
-A INPUT -d broadcast_provider1 -i eth2 -j ACCEPT
-A INPUT -d 240.0.0.0/240.0.0.0 -i eth0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth1 -j LOG
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth2 -j LOG
-A INPUT -s 192.168.3.0/255.255.255.0 -i eth2 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j LOG
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth2 -j LOG
-A INPUT -s 192.168.2.0/255.255.255.0 -i eth2 -j DROP
-A FORWARD -s 192.168.3.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.3.0/255.255.255.0 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth2 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth1 -j LOG
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth1 -j DROP
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth2 -j LOG
-A FORWARD -d 192.168.3.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth1 -j LOG
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth1 -j DROP
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth2 -j LOG
-A FORWARD -d 192.168.2.0/255.255.255.0 -o eth2 -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth0 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth1 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o eth2 -j ACCEPT
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o eth0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth1 -j LOG
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth2 -j LOG
-A OUTPUT -d 192.168.3.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j LOG
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth1 -j DROP
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth2 -j LOG
-A OUTPUT -d 192.168.2.0/255.255.255.0 -o eth2 -j DROP
-A OUTPUT -s ip_from_provider1 -o eth1 -j ACCEPT
-A OUTPUT -s broadcast_provider1 -o eth1 -j ACCEPT
-A OUTPUT -s ip_from_provider2 -o eth2 -j ACCEPT
-A OUTPUT -s broadcast_provider2 -o eth2 -j ACCEPT
COMMIT
# Completed on Wed Sep 29 12:20:34 2004
# Generated by iptables-save v1.2.6a on Wed Sep 29 12:20:34 2004
*mangle
:PREROUTING ACCEPT [2423:332444]
:INPUT ACCEPT [2258:293682]
:FORWARD ACCEPT [159:38506]
:OUTPUT ACCEPT [2513:829818]
:POSTROUTING ACCEPT [2672:868324]
-A PREROUTING -s 192.168.2.2 -i eth0 -p tcp -m tcp --dport 25 -j MARK --set-mark 0x1
COMMIT
# Completed on Wed Sep 29 12:20:34 2004
# Generated by iptables-save v1.2.6a on Wed Sep 29 12:20:34 2004
*nat
:PREROUTING ACCEPT [93:5089]
:POSTROUTING ACCEPT [29:2408]
:OUTPUT ACCEPT [83:6766]
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 29 12:20:34 2004

Here is my routing table:

ip rule ls:
0:      from all lookup local
32763:  from all fwmark 1 lookup T1
32764:  from 192.168.2.0/24 lookup T2
32765:  from 192.168.3.0/24 lookup T1
32766:  from all lookup main
32767:  from all lookup default

ip route ls table T1:
192.168.3.0/24 dev eth0 proto kernel scope link
192.168.2.0/24 dev eth0 proto kernel scope link
default via 82.226.97.1 dev eth1

ip route ls table T2:
192.168.3.0/24 dev eth0 proto kernel scope link
192.168.2.0/24 dev eth0 proto kernel scope link
default via 192.168.1.1 dev eth2

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
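The two goals of the post (outbound SMTP from 192.168.2.2 via provider 1, and ports 25 and 80 forwarded to it from either line) as one added worked configuration; this is not code from the post or from the HOWTO. It differs from the rules above in two places that matter for the behaviour described: DNAT rules must be added with -t nat (PREROUTING does not exist in the filter table, so the attempted commands are rejected), and replies to connections that arrived on eth1 must leave on eth1 again, which CONNMARK handles by restoring the connection's mark on every packet, whereas the "from 192.168.2.0/24 lookup T2" rule alone would send the server's replies out eth2. It assumes the interfaces, gateways, table names and server address from the post, a kernel and iptables with the CONNMARK target, and a fresh ruleset with empty T1/T2 tables.

```shell
#!/bin/sh
# Added example, not from the original post: mark-based policy routing for the
# SMTP host with the NAT rules placed where netfilter expects them.
# Assumed from the post: eth0 = LAN, eth1 = provider 1 (gw 82.226.97.1),
# eth2 = provider 2 (gw 192.168.1.1), tables T1/T2, server 192.168.2.2.
# Also assumes a kernel/iptables with the CONNMARK target, and empty T1/T2.
SRV=192.168.2.2
GW1=82.226.97.1
GW2=192.168.1.1

# Emit the commands instead of running them, so they can be reviewed first.
build_rules() {
    cat <<EOF
ip route add 192.168.2.0/24 dev eth0 table T1
ip route add 192.168.3.0/24 dev eth0 table T1
ip route add default via $GW1 dev eth1 table T1
ip route add 192.168.2.0/24 dev eth0 table T2
ip route add 192.168.3.0/24 dev eth0 table T2
ip route add default via $GW2 dev eth2 table T2
ip rule add fwmark 1 lookup T1
ip rule add from 192.168.2.0/24 lookup T2
ip rule add from 192.168.3.0/24 lookup T1
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -s $SRV -i eth0 -p tcp --dport 25 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination $SRV:25
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination $SRV:80
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 25 -j DNAT --to-destination $SRV:25
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination $SRV:80
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -A FORWARD -d $SRV -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d $SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}
# Apply on the router (needs root); any failing command aborts the rest.
apply_rules() {
    build_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it without arguments to print the rule set for review; "apply" executes it on the router.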