Routing is done to locally-generated packets after OUTPUT. See http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html

On July 1, 2003 12:24 pm, Michael wrote:

Alistair Tonner wrote:

Why are you DNATting in OUTPUT?

Because the packets are originating on the firewall, from Squid. Squid thinks xxx.org is at 1.2.3.5, so DNAT is needed to change that to 192.168.0.8. I also have identical rules in the PREROUTING chain of the nat table, if you were wondering. Those rules work for requests from the Internet.

Okay ... after reading up some on 1.2.8 ... that *should* work. BUT ... to me it seems evil ... I'm forever bound by the concept that mangling the destination (or source for that matter) should be done before or after the basic network routing has been done.

If I remove the nat table's OUTPUT chain rules, I get a "connection refused", because there is no Web server running on 1.2.3.5 port 80.

Locally-generated packets do not go through PREROUTING. They don't go "out of the firewall" unless they get routed there, and if that happens, they aren't coming back unless another machine returns them.

It seems unnecessary to me for this reason: squid calls to the resolved ip (your outside ip) ... which should route out of the firewall, and back to its outside IP ... then the PREROUTING rules should catch these packets and reroute them correctly, then the RETURN path would make sense. It seems to me that DNATting directly in OUTPUT to force the packets out to the inside IP shortcuts things, and then breaks the return path.

I'll post to LARTC.
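The packet paths the thread argues about, as an added worked model. This is not code from the thread, from Squid or from netfilter; it is a small Python simulation of which nat chains a packet traverses depending on where it originates, and of conntrack reverse-translating replies. The addresses are the thread's (1.2.3.5 is the firewall's public IP where xxx.org resolves, 192.168.0.8 the inside web server); the firewall inside address 192.168.0.1, the source port 40000 and the client 203.0.113.9 are constructed. The rule it models is `iptables -t nat -A PREROUTING -d 1.2.3.5 -p tcp --dport 80 -j DNAT --to 192.168.0.8`, optionally repeated in the OUTPUT chain.

```python
"""Model of netfilter nat traversal for the Squid / DNAT-in-OUTPUT question.

Constructed example, not netfilter code. It shows three things from the
thread: locally generated packets traverse nat OUTPUT but never PREROUTING;
without an OUTPUT DNAT rule Squid's request is delivered locally and refused;
with the rule, conntrack reverse-maps the server's reply, so the return path
is not broken.
"""
from dataclasses import dataclass, replace

FIREWALL_IPS = {"1.2.3.5", "192.168.0.1"}   # 192.168.0.1 is an assumed inside address
INTERNAL_SERVER = "192.168.0.8"
LOCAL_LISTENERS = {3128}                     # Squid listens on the firewall; nothing on 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """iptables -t nat -A <chain> -d match_dst -p tcp --dport match_dport -j DNAT --to to"""
    match_dst: str
    match_dport: int
    to: str


class NatBox:
    def __init__(self):
        self.chains = {"PREROUTING": [], "OUTPUT": []}
        # conntrack entry: original (src, sport, dst, dport) -> translated dst
        self.conntrack = {}

    def add_rule(self, chain, rule):
        self.chains[chain].append(rule)

    def _dnat(self, chain, pkt):
        """First matching DNAT rule in the chain rewrites dst and records the flow."""
        for r in self.chains[chain]:
            if pkt.dst == r.match_dst and pkt.dport == r.match_dport:
                self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = r.to
                return replace(pkt, dst=r.to)
        return pkt

    def local_send(self, pkt):
        """Locally generated packet: nat OUTPUT, then routing. PREROUTING is never seen."""
        trace = ["OUTPUT"]
        pkt = self._dnat("OUTPUT", pkt)
        if pkt.dst in FIREWALL_IPS:
            trace.append("INPUT")
            status = "accepted" if pkt.dport in LOCAL_LISTENERS else "connection refused"
        else:
            trace.append("POSTROUTING")
            status = f"sent to {pkt.dst}"
        return trace, pkt, status

    def receive(self, pkt):
        """Packet arriving on an interface: conntrack lookup, nat PREROUTING, routing."""
        trace = ["PREROUTING"]
        # A reply to a flow this box translated is reverse-mapped by conntrack
        # before any rule is consulted; that is what keeps the return path intact.
        for (osrc, osport, odst, odport), tdst in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (tdst, odport, osrc, osport):
                pkt = replace(pkt, src=odst)
                trace.append("conntrack reverse-DNAT")
                break
        else:
            pkt = self._dnat("PREROUTING", pkt)
        if pkt.dst in FIREWALL_IPS:
            trace.append("INPUT")
            status = "delivered locally"
        else:
            trace += ["FORWARD", "POSTROUTING"]
            status = f"forwarded to {pkt.dst}"
        return trace, pkt, status


def build_box(dnat_in_output):
    box = NatBox()
    rule = DnatRule("1.2.3.5", 80, INTERNAL_SERVER)
    box.add_rule("PREROUTING", rule)        # serves requests from the Internet
    if dnat_in_output:
        box.add_rule("OUTPUT", rule)        # the rule the thread disputes
    return box


def squid_fetch(dnat_in_output):
    """Squid on the firewall connects to xxx.org, which resolves to 1.2.3.5:80."""
    box = build_box(dnat_in_output)
    req = Packet("1.2.3.5", 40000, "1.2.3.5", 80)   # source picked by the route to its own IP
    out_trace, sent, status = box.local_send(req)
    if sent.dst != INTERNAL_SERVER:
        return {"out": out_trace, "status": status, "reply_from": None, "in": []}
    reply = Packet(INTERNAL_SERVER, 80, sent.src, sent.sport)
    in_trace, seen, _ = box.receive(reply)
    return {"out": out_trace, "status": status, "reply_from": seen.src, "in": in_trace}


def internet_client():
    """An outside client hitting the public address is handled by PREROUTING alone."""
    trace, pkt, status = build_box(False).receive(Packet("203.0.113.9", 51000, "1.2.3.5", 80))
    return trace, pkt.dst, status


if __name__ == "__main__":
    print("no OUTPUT rule:", squid_fetch(False))
    print("OUTPUT rule:   ", squid_fetch(True))
    print("from Internet: ", internet_client())
```

Running it shows the "connection refused" from the thread when the OUTPUT rule is absent (the request goes OUTPUT, routing, INPUT and finds no listener on port 80) and, with the rule, a reply that arrives at PREROUTING already reverse-translated to come from 1.2.3.5, which is the address Squid connected to. The model also confirms that a locally generated packet never enters PREROUTING, so the PREROUTING copy of the rule alone cannot help Squid.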