Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing?

I'm trying to set up a Linux kernel box that is on an IP-IP VPN tunnel, and
want to DNAT all traffic (except the tunnel payload packets) for the "real"
IP of the other tunnel endpoint to go to its in-tunnel endpoint (so they are
properly encrypted).

The machine in question has a default route going to the tunnel device
(tun0), and a host specific route going out a different device (wlan0) so
the tunnel datagrams can get to the tunnel server.

After setting up the output DNAT, it is correctly rewriting the packets to
go to the in-tunnel address.  However, after the rewrite, the kernel is
disregarding the routing that says that packets to the in-tunnel address
should go to the tun0 device, and instead is trying to send them out the
original device the packets would have gone out if they had not been
DNATed (wlan0).

According to the documentation for iptables, it appears that the OUTPUT
chain on the nat table should happen before the routing decision is made,
but that appears to not be the case.  Is this a bug, or are the docs wrong?
And if the docs are wrong, what is the correct way to accomplish this?

I am using a stock Linux kernel 2.4.20, with iptables 1.2.8.  Please CC me,
as I am not on the mailing list.

Evan
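The setup the post describes, written out as an added example (not code from the original message or from the netfilter project): the two routes, the nat OUTPUT DNAT rule with the tunnel's own encapsulated packets excluded, and the checks that show which device the kernel actually picks for the rewritten destination. All addresses, the next hop, and the tunnel protocol number (4, IP-in-IP encapsulation) are assumptions; adjust them for the tunnel in use. By default the script only prints the commands (DRYRUN=1); set DRYRUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the routing + nat
# OUTPUT DNAT setup described in the message and adds diagnostic checks.
# Every address, device name and the tunnel protocol here is an assumption.
set -e

REAL_PEER=${REAL_PEER:-203.0.113.10}   # "real" IP of the far tunnel endpoint (assumed, TEST-NET-3)
TUNNEL_PEER=${TUNNEL_PEER:-10.8.0.1}   # its in-tunnel address (assumed)
TUN_DEV=${TUN_DEV:-tun0}
WAN_DEV=${WAN_DEV:-wlan0}
WAN_GW=${WAN_GW:-192.168.1.1}          # next hop on wlan0 (assumed)
TUNNEL_PROTO=${TUNNEL_PROTO:-4}        # 4 = IP-in-IP; assumed, change if the tunnel uses UDP/TCP

DRYRUN=${DRYRUN:-1}                    # 1: print the commands; 0: execute them (needs root)

run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routes as described in the post: everything via the tunnel, plus a host
# route so the encapsulated datagrams themselves can reach the peer.
setup_routes() {
    run ip route replace "$REAL_PEER/32" via "$WAN_GW" dev "$WAN_DEV"
    run ip route replace default dev "$TUN_DEV"
}

# Arguments for the nat OUTPUT rule: rewrite locally generated packets for the
# peer's real IP, but leave the tunnel's own packets (matched by protocol) alone,
# otherwise the encapsulation would be redirected into the tunnel it carries.
# Uses the iptables 1.2.x negation form "-p ! proto".
dnat_rule_args() {
    printf '%s' "-t nat -A OUTPUT -d $REAL_PEER/32 -p ! $TUNNEL_PROTO -j DNAT --to-destination $TUNNEL_PEER"
}

setup_dnat() {
    # Word-splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    run iptables $(dnat_rule_args)
}

# Checks: the route the kernel holds for each destination, whether the DNAT
# rule is being hit, and on which device the rewritten packets really leave.
check_routing() {
    run ip route get "$TUNNEL_PEER"        # expected: dev tun0
    run ip route get "$REAL_PEER"          # expected: dev wlan0 via the gateway
    run iptables -t nat -vnL OUTPUT        # the DNAT rule's counters should increase
    run tcpdump -ni "$TUN_DEV" -c 5 host "$TUNNEL_PEER"   # rewritten packets should appear here
    run tcpdump -ni "$WAN_DEV" -c 5 host "$TUNNEL_PEER"   # and not here (the symptom in the post)
}

main() {
    setup_routes
    setup_dnat
    check_routing
}

main
```

The first `ip route get` shows what the routing table says about the in-tunnel address; the two tcpdump captures show what the kernel does with the packets after the DNAT rewrite. If the route points at tun0 but the packets show up on wlan0, the packets are not being re-routed after the destination rewrite, which is exactly the behaviour the post reports; whatever the documentation says for a given kernel, these two checks show what it actually does. Note that the protocol-based exclusion only works if the tunnel's outer packets use a protocol the inner traffic does not; for a userspace tunnel over UDP, match on the tunnel port instead.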
