Re: ROUTE target and --continue

On Tue, 2005-02-22 at 05:50, BERTRAND Joël wrote:
> 	Hello,
> 
> 	I'm trying to use the ROUTE target with SNAT. For me, ROUTE works
> 	very well without --continue, but I need to add SNAT. Without SNAT,
> 	all routed packets come from 192.168.0.130 and they have to come
> 	from 192.168.1.1...
> 
> 	Without --continue, they are routed correctly. To do SNAT, I have
> 	added --continue and I obtain:
> 
> Root kant:[/var/lib/iptables] > iptables -t mangle -n -v -L | grep ROUTE
>     7   280 ROUTE      tcp  --  *      *       192.168.0.130
> 	0.0.0.0/0           tcp spts:3000:3001 ROUTE gw:192.168.1.254
> 	continue
> 
> Root kant:[/var/lib/iptables] > iptables -t nat -n -v -L | grep LOG  
>     0     0 LOG        tcp  --  *      *       192.168.0.130
> 	0.0.0.0/0           tcp spts:3000:3001 LOG flags 0 level 4 prefix
> 	`SNAT : ' 
> 
> 	Look at the "0" in the nat table... And without --continue, I can
> 	see my packets on eth2 (192.168.1.1). With --continue, not a single
> 	packet... Where is the mistake?

probably somewhere other than the two rules you showed us.  "-j ROUTE
--continue" makes the ROUTE target a non-terminating match--so that
packets will continue traversing rules *** in that chain ***.

since your -j ROUTE rule is in -t mangle (somewhere), and the LOG rule
is in -t nat POSTROUTING, the --continue won't have any effect on
whether the packet traverses nat rules or not.

again--you don't specify which chain of mangle your ROUTE rule is in,
but if it's in POSTROUTING, even if it worked the way you are assuming,
mangle POSTROUTING is *after* nat POSTROUTING.

need more info--ideally:

  iptables -t mangle -vnxL && iptables -t nat -vnxL && iptables -vnxL

-j

--
"I'm better than dirt. Well, most kinds of dirt... not that fancy
 store-bought dirt... that stuff's loaded with nutrients, I... I
 can't compete with that stuff."
	--The Simpsons
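The point made in the reply, that "--continue" only keeps a packet moving through the remainder of its own chain and has no bearing on what happens in another table's chain, can be seen in a small model of chain traversal. This is an added illustration, not code from the thread or from iptables; the rules and the packet are constructed from the thread, the hypothetical MARK rule is added only to show the within-chain effect, and the order in which the tables are walked at the hook is this model's own assumption.

```python
# Added example: a toy model of iptables chain traversal. A matching
# terminating target ends the chain; a non-terminating one (LOG, or ROUTE
# with --continue) lets the packet go on to the next rule in *that chain*.
# Each table's chain is walked on its own, so a flag in mangle cannot
# change the counters in nat. (Model assumption: mangle is walked before
# nat at the POSTROUTING hook; the MARK rule is hypothetical.)
from dataclasses import dataclass


@dataclass
class Rule:
    name: str            # target as shown by iptables -L, e.g. "ROUTE gw:..."
    src: str             # source address to match ("0.0.0.0/0" matches any)
    spts: tuple          # source port range (lo, hi), like "tcp spts:3000:3001"
    terminating: bool    # False for LOG, and for ROUTE when --continue is given
    pkts: int = 0        # the "pkts" counter that iptables -v prints


def matches(rule, pkt):
    lo, hi = rule.spts
    return rule.src in ("0.0.0.0/0", pkt["src"]) and lo <= pkt["spt"] <= hi


def walk_chain(chain, pkt):
    """Traverse one chain; return the target that ended it, or 'policy'."""
    for rule in chain:
        if matches(rule, pkt):
            rule.pkts += 1
            if rule.terminating:
                return rule.name
    return "policy"


def postrouting(pkt, route_continue):
    """Walk the mangle and nat chains seen at POSTROUTING; return counters."""
    mangle = [Rule("ROUTE gw:192.168.1.254", "192.168.0.130", (3000, 3001),
                   terminating=not route_continue),
              Rule("MARK (hypothetical)", "0.0.0.0/0", (3000, 3001), False)]
    nat = [Rule("LOG prefix 'SNAT : '", "192.168.0.130", (3000, 3001), False),
           Rule("SNAT to:192.168.1.1", "192.168.0.130", (3000, 3001), True)]
    walk_chain(mangle, pkt)   # mangle POSTROUTING
    walk_chain(nat, pkt)      # nat POSTROUTING, walked regardless of the above
    return {r.name: r.pkts for r in mangle + nat}


# Constructed packet matching the rules quoted in the thread.
PKT = {"src": "192.168.0.130", "spt": 3000}

if __name__ == "__main__":
    for flag in (False, True):
        print("--continue" if flag else "no --continue", postrouting(PKT, flag))
```

Only the hypothetical MARK counter changes between the two runs; the LOG counter in nat is the same either way, which is why a "0" there has to be explained by something other than the --continue flag.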
