On Monday 25 November 2002 05:24 am, COUSIN Marc wrote:
> Hi,
> I'm having trouble using mangling on NATed packets:
>
> # For the NAT
> iptables -t nat -A PREROUTING -p tcp --destination-port 8081:8090 -j DNAT --to-destination 89.131.0.7:8080
> iptables -t nat -A POSTROUTING -p tcp --destination 89.131.0.7 -j SNAT --to-source 89.131.0.58
>
> # For the marks
> iptables -A PREROUTING -t mangle -p tcp --destination-port 8081 -j MARK --set-mark 10
> iptables -A POSTROUTING -t mangle -p tcp --source-port 8081 -j MARK --set-mark 11 # Trying to match the return NATed packet
>
> The --set-mark 10 works (no surprise, very simple rule in fact);
> the --set-mark 11 doesn't match. It may be normal, as I'm trying to match a
> return packet on a NAT connection. How am I supposed to match the return
> packet in such a situation?

Try putting it in PREROUTING instead of POSTROUTING. PREROUTING is for
packets as they enter the firewall, regardless of the direction they are
travelling. POSTROUTING is just before it leaves the firewall.

j