Is there an extension target that can be used in the PREROUTING chain of nat and/or mangle to alter the incoming source ip address? Say something in the form of...

    iptables -t nat -A PREROUTING -i eth1 -m mac --mac-source xx.xx.xx.xx.xx.xx -j SRC_MANGLE --from_src 192.168.50.17/32

The situation is this: a SNMP device accepts SNMP requests on two separate ip addresses. One ip is fixed and private, the other is dynamic/unknown. This device is on the outside of a private network being SNAT'ed. The problem is that even though it receives SNMP requests on the private ip address it replies with the other dynamic/unknown ip address as the source. This means that ip_conntrack_core doesn't recognize the reply packet as belonging to the previous outgoing request.

Matching the reply packet is easy with the mac address which is fixed. But I can't seem to get past that. Marking and using iproute2 won't work since only ip_conntrack* knows the reply path. Mapping both request and reply packets onto the same network (say 10.x.x.x) won't work because the two SNMP addresses aren't simple reflections/derivatives of each other (e.g., 192.168.50.17 and xx.xx.72.116).

Perhaps I'm missing something that already exists in the stock netfilter?

Thanks in advance,
Peter Hurley
phurley@imaginexd.com
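
The mismatch described in the message above, as an added example that is not part of the original post: a simplified Python model of how connection tracking pairs a reply with a SNAT'ed request. The class and function names are hypothetical, and every address and port except 192.168.50.17 is constructed for illustration, including 203.0.113.116 standing in for the device's dynamic address.

```python
# Simplified model of conntrack reply matching for one SNAT'ed UDP flow.
# Not netfilter code; names and sample addresses are constructed.
from collections import namedtuple

Tuple5 = namedtuple("Tuple5", "proto src sport dst dport")


class Conntrack:
    def __init__(self):
        self.by_reply = {}  # expected reply tuple -> original request tuple

    def track_snat(self, orig, nat_src, nat_sport):
        """Record an outgoing request whose source is rewritten by SNAT."""
        # The reply is expected to come *from* the address the request was
        # sent to, and to be addressed to the post-SNAT source.
        expected = Tuple5(orig.proto, orig.dst, orig.dport, nat_src, nat_sport)
        self.by_reply[expected] = orig
        return expected

    def classify(self, pkt):
        """Return (state, packet after reverse NAT) for an incoming packet."""
        orig = self.by_reply.get(pkt)
        if orig is None:
            # No tuple match: treated as a new flow, destination not rewritten.
            return "NEW", pkt
        return "ESTABLISHED", pkt._replace(dst=orig.src, dport=orig.sport)


def demo():
    ct = Conntrack()
    # Constructed request: internal manager polls the device's fixed address.
    request = Tuple5("udp", "10.0.0.5", 40000, "192.168.50.17", 161)
    ct.track_snat(request, nat_src="192.168.50.1", nat_sport=40000)

    # Reply sourced from the address that was polled: matches the entry.
    good = Tuple5("udp", "192.168.50.17", 161, "192.168.50.1", 40000)
    # Reply sourced from the device's other address: same ports, same
    # destination, but the source differs, so the lookup fails.
    bad = Tuple5("udp", "203.0.113.116", 161, "192.168.50.1", 40000)
    return ct.classify(good), ct.classify(bad)


if __name__ == "__main__":
    for state, pkt in demo():
        print(state, pkt)
```

Only the first reply has its destination rewritten back to the internal host; the second stays addressed to the gateway, which is why the source would have to be corrected before the conntrack lookup for the reply to be delivered.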