On Tue, Feb 22, 2005 at 09:24:05AM -0500, Jason Opperisano wrote:
> On Tue, 2005-02-22 at 05:50, BERTRAND Joël wrote:
> > Hello,
> >
> > I'm trying to use ROUTE target with SNAT. For me, ROUTE works very
> > fine without --continue, but I need to add SNAT. Without SNAT, all
> > routed packets come from 192.168.0.130 and they have to come from
> > 192.168.1.1...
> >
> > Without --continue, they are routed correctly. To do SNAT, I have added
> > --continue and I obtain:
> >
> > Root kant:[/var/lib/iptables] > iptables -t mangle -n -v -L | grep ROUTE
> > 7 280 ROUTE tcp -- * * 192.168.0.130 0.0.0.0/0 tcp spts:3000:3001 ROUTE gw:192.168.1.254 continue
> >
> > Root kant:[/var/lib/iptables] > iptables -t nat -n -v -L | grep LOG
> > 0 0 LOG tcp -- * * 192.168.0.130 0.0.0.0/0 tcp spts:3000:3001 LOG flags 0 level 4 prefix `SNAT : '
> >
> > Look at "0" on the nat table... And without --continue, I can see my
> > packets on eth2 (192.168.1.1). With --continue, not one packet... Where
> > is the mistake?
>
> probably somewhere other than the two rules you showed us. "-j ROUTE
> --continue" makes the ROUTE target a non-terminating match--so that
> packets will continue traversing rules *** in that chain ***.
>
> since your -j ROUTE rule is in -t mangle (somewhere), and the LOG rule
> is in -t nat POSTROUTING, the --continue won't have any effect on
> whether the packet traverses nat rules or not.
>
> again--you don't specify which chain of mangle your ROUTE rule is in,
> but if it's in POSTROUTING, even if it worked the way you are assuming,
> mangle POSTROUTING is *after* nat POSTROUTING.
>
> need more info--ideally:
>
> iptables -t mangle -vnxL && iptables -t nat -vnxL && iptables -vnxL

I have found the solution: ROUTE with --continue has to be in the
mangle/POSTROUTING chain.

Regards,

JKB
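The following is an added illustration, not code from the thread or from the netfilter project: a small Python model of how netfilter walks the tables registered at one hook, used to show what "-j ROUTE --continue" changes and what it does not. It assumes the standard netfilter hook priorities at POSTROUTING (the mangle table at priority -150 runs before the nat table at priority 100, which is consistent with JKB's working arrangement above), and it assumes that a plain ROUTE without --continue takes the packet out of the hook entirely, while --continue only sets the next hop and lets rule traversal carry on. The per-rule "pkts" counters in the model are the same counters JKB was reading off "iptables -n -v -L"; the packet, the addresses and the port range are taken from the thread, the trailing MARK rule is constructed for the illustration.

```python
# Added illustration, not code from the thread: a toy model of how netfilter
# walks the tables registered at one hook, used to show what
# "-j ROUTE --continue" does and does not change.
# Assumptions (not stated on the list): the standard netfilter priorities at
# POSTROUTING (mangle = -150 runs before nat = 100), and that a plain ROUTE
# without --continue takes the packet out of the hook entirely, while
# --continue sets the next hop and lets traversal carry on.
from dataclasses import dataclass
from typing import Callable, List, Optional

CONTINUE = "CONTINUE"  # non-terminating: keep walking the same chain
ACCEPT = "ACCEPT"      # terminating for this table; the next table at the hook still runs
STOLEN = "STOLEN"      # packet removed from the stack; no later table sees it


@dataclass
class Packet:
    src: str
    sport: int
    gw: Optional[str] = None   # next hop chosen by ROUTE
    mark: int = 0


@dataclass
class Rule:
    match: Callable[["Packet"], bool]
    target: Callable[["Packet"], str]   # mutates the packet, returns a verdict
    pkts: int = 0                       # the "pkts" counter of iptables -vnL


@dataclass
class Table:
    name: str
    priority: int
    rules: List[Rule]


def route_target(gw: str, cont: bool) -> Callable[[Packet], str]:
    def target(pkt: Packet) -> str:
        pkt.gw = gw
        return CONTINUE if cont else STOLEN   # assumption about plain ROUTE
    return target


def mark_target(value: int) -> Callable[[Packet], str]:
    def target(pkt: Packet) -> str:        # MARK is non-terminating
        pkt.mark = value
        return CONTINUE
    return target


def snat_target(new_src: str) -> Callable[[Packet], str]:
    def target(pkt: Packet) -> str:
        pkt.src = new_src
        return ACCEPT
    return target


def run_hook(tables: List[Table], pkt: Packet) -> str:
    """Walk every table registered at a hook, lowest priority first."""
    for table in sorted(tables, key=lambda t: t.priority):
        for rule in table.rules:
            if not rule.match(pkt):
                continue
            rule.pkts += 1
            verdict = rule.target(pkt)
            if verdict == STOLEN:
                return STOLEN          # nothing after this table runs
            if verdict == ACCEPT:
                break                  # leave this table's chain, go on to the next table
    return ACCEPT


def simulate(route_continue: bool) -> dict:
    """POSTROUTING with the thread's rules: ROUTE in mangle, SNAT in nat."""
    def is_app(p: Packet) -> bool:     # the thread's match: src 192.168.0.130, sports 3000:3001
        return p.src == "192.168.0.130" and 3000 <= p.sport <= 3001

    route_rule = Rule(is_app, route_target("192.168.1.254", route_continue))
    after_route = Rule(is_app, mark_target(1))   # constructed: a rule after ROUTE in the same chain
    snat_rule = Rule(is_app, snat_target("192.168.1.1"))
    mangle = Table("mangle", -150, [route_rule, after_route])
    nat = Table("nat", 100, [snat_rule])

    pkt = Packet("192.168.0.130", 3000)   # constructed sample packet
    verdict = run_hook([mangle, nat], pkt)
    return {
        "verdict": verdict,
        "src": pkt.src,
        "gw": pkt.gw,
        "route_pkts": route_rule.pkts,
        "next_rule_in_chain_pkts": after_route.pkts,
        "snat_pkts": snat_rule.pkts,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("--continue" if flag else "plain ROUTE", simulate(flag))
```

With --continue the packet keeps its new next hop, the following rule in the mangle chain is also hit, and the nat table's SNAT rule rewrites the source to 192.168.1.1; without it the ROUTE rule's counter increments and nothing later at the hook, including the SNAT rule, ever sees the packet, which is exactly the "0" counter worth checking first when SNAT appears not to fire.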