Oh, my fault. :) I misread the diagram :)
Everything is fine, so, about nat + mangle tables.
So, I think conntrack NAT happens after the mangle POSTROUTING chain. So, after routing.

Thanks :)

On 7/6/05, Jörg Harmuth <harmuth@xxxxxxxxx> wrote:
> packet flow is:
>
> ... --> [mangle:POSTROUTING] --> [nat:POSTROUTING]
>
> So, all packets arrive in mangle:POSTROUTING with their source address
> unchanged. DNAT - if configured - is already applied to the packet.
>
> If I'm telling old stories now, forget it, but you can modify this
> script to fit your needs:
>
> http://iptables-tutorial.frozentux.net/scripts/rc.test-iptables.txt
>
> Following the log (and /proc/net/ip_conntrack) you see the packet flow
> in detail. And you see when [S|D]NAT is applied.