First of all, thanks for the help. The ROUTE target does come in handy. I've combined it with the "conntrack" match because that makes the info I need available: "-m conntrack --ctorigdst" gives me the original destination of the connection the return packets are part of.

However (you saw that coming, didn't you ;), for some strange reason the following rules result in the outgoing packets not being UnDNATted again?!

    iptables -t mangle -D POSTROUTING -s INTNET/INTMASK -m conntrack --ctorigdst EXTIP1 --ctstate ESTABLISHED,RELATED -j ROUTE --gw EXTGW1 --oif EXTDEV1
    iptables -t mangle -D POSTROUTING -s INTNET/INTMASK -m conntrack --ctorigdst EXTIP2 --ctstate ESTABLISHED,RELATED -j ROUTE --gw EXTGW2 --oif EXTDEV2

These go out with the internal (private) address... oops! I will try the trick with fw-mark and using iproute2 to do the actual routing next.

One other observation: if one enables "Multipath routing" in the kernel config, one is _required_ to set a multipath route or your second line is unusable. (Try setting a default route on line1, and just the normal local routes on all other interfaces, now do "ip route get <internal address> from <external address> iif <extdevline2>" where external address is some host on the internet.) Very unfunny.

Gaby Schilders
IBFD network admin