I checked the code, and discovered I was wrong. Shaping is done _after_ Netfilter, i.e. after the POSTROUTING chain.

I just tried this:

    RULE=192.168.10.1/32

I ping 192.168.10.1 and stats are growing, so it matches. Then, I'll DNAT in OUTPUT 192.168.10.1 to 192.168.10.12:

    iptables -t nat -A OUTPUT -d 192.168.10.1 -j DNAT --to 192.168.10.12

It does not match anymore => DNAT is done _before_ shaping.

Now I flush:

    iptables -t nat -F

then set RULE=192.168.10.11/32, I ping 192.168.10.1, and counters are growing. It matches. Then I set SNAT:

    iptables -t nat -A POSTROUTING -d 192.168.10.1 -j SNAT --to 192.168.10.2
    ip addr add 192.168.10.2 dev eth0

So I use 192.168.10.2 to emit my pings. And my class is no longer reached => SNAT is done _before_ shaping also...

If I set: RULE=192.168.10.2/32, Class is reached again.

So I was wrong... Sorry.

To answer your message:

On Thu 03/10/2002 at 22:15, Aaron Clausen wrote:
> iptables -t nat -A PREROUTING -i eth0 -d 64.251.69.2 -j DNAT --to 10.102.106.2

eth0 : RULE=64.251.69.2, eth1 : RULE=10.102.106.2

> iptables -t nat -A POSTROUTING -o eth0 -s 10.102.106.2 -j SNAT --to 64.251.69.2

eth0 : RULE=64.251.69.2, eth1 : RULE=10.102.106.2

[...]

> iptables -t nat -A POSTROUTING -o eth0 -s 10.101.104.0/21 -j MASQUERADE

eth0 : RULE=<eth0_IP>, eth1 : RULE=10.101.104.0/21

Hope this will help you at last, and sorry again for the mistake. Going to bed now, seems to be high time ;)

-- 
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE