Re: INPUT chain doesn't receive packets

Hi curry,

I think I have not made my situation clear, so I will try again.

I don't have a router. The host itself hosts a squid proxy, and the traffic that should be redirected over the DSL line (DSL router at eth0) comes from the host itself. All other traffic (SMTP, DNS) should flow through the default route at eth1.

What I see when I log the OUTPUT chain is that the source address of the HTTP packets is the IP address of the eth1 interface. I think this is because it is the default route. So I use the nat chain to change this address to the IP address of the eth0 interface. When I sniff the eth0 interface I see that this works. Packets are sent through eth0 to the internet. The answers from the web server also flow through the DSL line to my box. When I log the PREROUTING chain I also find these packets with the IP address of eth0. At this point I would say everything is OK.
The problem is that the packet doesn't reach the browser. I don't see it in the INPUT chain.

---Carsten
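As an added example (not code from the thread), here is one way to set up the policy routing Carsten describes: locally generated HTTP is marked and routed out of eth0, its source address is fixed by SNAT, and reverse-path filtering is relaxed on the DSL interface, because a strict rp_filter check drops a reply that arrives on eth0 from a host whose route is via eth1 after PREROUTING and before INPUT, which matches the symptom above. The addresses, the fwmark value and the table number are assumptions.

```shell
# Added example, not code from the thread. Assumed layout (constructed):
# eth0 = DSL, address 192.0.2.10, DSL router 192.0.2.1; eth1 = LAN with the
# default route. fwmark 1 and routing table 100 are arbitrary choices.
DSL_IF=eth0
DSL_IP=192.0.2.10
DSL_GW=192.0.2.1
MARK=1
TABLE=100

# With DRY_RUN=1 (the default) the commands are only printed; set DRY_RUN=0
# as root to apply them.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_http_policy_routing() {
  # 1. Mark locally generated HTTP in mangle/OUTPUT. A packet whose mark
  #    changes there is re-routed, so the fwmark can select another table.
  run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
  # 2. Marked packets consult table 100, whose only route is the DSL gateway.
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$TABLE"
  # 3. The source address was chosen from the eth1 default route before the
  #    re-route, so rewrite it to the eth0 address on the way out. conntrack
  #    reverses this on the replies, which then have a local destination.
  run iptables -t nat -A POSTROUTING -o "$DSL_IF" -p tcp --dport 80 \
      -j SNAT --to-source "$DSL_IP"
  # 4. Replies arrive on eth0 from servers whose route in the main table is
  #    via eth1. Strict reverse-path filtering (rp_filter=1) drops such
  #    packets between PREROUTING and INPUT. Loose mode (2) accepts them if
  #    the source is reachable via any interface; use 0 on eth0 only if the
  #    kernel has no loose mode.
  run sysctl -w "net.ipv4.conf.$DSL_IF.rp_filter=2"
  # 5. Accept the de-NATed replies in INPUT and flush the route cache.
  run iptables -A INPUT -i "$DSL_IF" -m conntrack \
      --ctstate ESTABLISHED,RELATED -j ACCEPT
  run ip route flush cache
}
```

Run it once with the default dry run to review the exact commands, then with DRY_RUN=0 as root to apply them.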
 

-----Original Message-----
From: curby . [mailto:curby.public@xxxxxxxxx] 
Sent: Wednesday, 7 September 2005 18:40
To: Carsten Rachfahl
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: INPUT chain doesn't receive packets

On 9/7/05, Carsten Rachfahl <cr@xxxxxxx> wrote:
> I have problems with iptables and iproute2. In my scenario I want to use a host with a dsl connection on eth0 and a lan connection eth1 for policy based routing. I want to route http traffic generated by the host itself over eth0 and the rest over eth1. To solve the problem I 

Hopefully your situation is simple enough that you don't need to do
special routing.  Can you try to restate what you want to happen to
web traffic going through your firewall?  Does the LAN have access to
the Internet besides the DSL connection?  If not, it might be as
simple as using NAT, and leaving iproute2/ip alone.  Assuming the
firewall machine is routing for the LAN, and its DSL connection on
eth0 is the only way to the Internet, it sounds like you want to use
SNAT/masquerading to let LAN clients out onto the web, and stateful
rules to let replies back in.

If you have your own web server on the LAN and not on the same machine
as the firewall, you'll want to look for packets in the FORWARD chain,
not the INPUT chain.  You might also want to use DNAT to allow the
Internet to access the internal server, and stateful rules to let
replies back out.

I wasn't able to glean what your goals and network configuration are,
though, so these suggestions may be way off.

--Curby


