Hi moises, thank you for your advises. I think there are some more things to explain. First there is a DSL Router with ip address 192.168.0.1 connected to an dsl modem not the linux box direct. This dsl router does nat and firewalling. > - how are you using this marks 0x9 that tell us which http packets are going out and in??? I mark the packets to user iproute2 for routing them over a separate routing table called overdsl. This table looks like this: 0: from all lookup local 32765: from all fwmark 9 lookup overdsl 32766: from all lookup main 32767: from all lookup default 80.156.24.64/26 via 80.156.24.98 dev eth1 192.168.0.0/24 via 192.168.0.2 dev eth0 127.0.0.0/8 dev lo scope link default via 192.168.0.1 dev eth0 This works. I also try the following rule for routing: $iptables -A OUTPUT -t mangle -p tcp --dport http -j ROUTE --gw=192.168.0.1 --continue It also routes the packets over interface eth0 to gateway 192.168.0.1 but use the source address 80.156.24.98 so the router Send an icmp massage back to the host. With the SNAT rule it works but I have the same problem. Response packets doesn't Receive the sending process. >Finally if you say you see the packets coming back in PREROUTING chain, and then you dont see them in the INPUT chain, i would like to see the logs of the incoming packets in the PREROUTING >chain so may be someone can figureout whats happening. Below this you see the kernel logs with the PREROUTING matches: Sep 6 16:17:08 ns3 kernel: PREROUTING IN=eth0 OUT= MAC=00:a0:c9:de:c5:3b:00:0f:3d:2b:50:ad:08:00 SRC=66.135.192.56 DST=192.168.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=121 ID=10882 DF PROTO=TCP SPT=80 DPT=32780 WINDOW=65535 RES=0x00 ACK SYN URGP=0 Sep 6 16:17:14 ns3 kernel: PREROUTING IN=eth0 OUT= MAC=00:a0:c9:de:c5:3b:00:0f:3d:2b:50:ad:08:00 SRC=66.135.192.56 DST=192.168.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=121 ID=21148 DF PROTO=TCP SPT=80 DPT=32780 WINDOW=65535 RES=0x00 ACK SYN URGP=0 When I log the INPUT chain I don't see any of these packets. Maybe the problem is that the kernel generate packages With the address 80.156.0.98 and he waits for packets to the same address. So I also try to DNAT the packets but it also works. --- Carsten ________________________________ Von: Moises Silva [mailto:moises.silva@xxxxxxxxx] Gesendet: Donnerstag, 8. September 2005 17:09 An: Carsten Rachfahl Betreff: Re: INPUT chain doesen´t receive packets Hi Carsten. "I want to route http traffic generated by the host itself over eth0 and the rest over eth1" Sorry, i did not see that, that why i suggested you to use FORWARD table. Lets analyze your rules, if this bother you, just ignore me :). I only see 3 rules in your last post: The first one: # iptables -A OUTPUT -t mangle -p tcp --dport http -j MARK --set-mark 0x9 this just mark all the packets with http destiny, so does nothing usefull by itself. The secondth rule: # iptables -A POSTROUTING -t nat -s 80.156.24.98 -p tcp --dport http -j SNAT --to 192.168.0.2 so here you are just doing SNAT over all the http packets coming from 80 blah... Last rule: # iptables -A PREROUTING -t mangle -i eth0 -d 192.168.0.2 -p tcp --sport http -j MARK --set-mark 0x9 finally you are marking all the incoming http packets to the box itself ( assuming .0.2 is the eth0 address of the box ), again nothing usefull by itself. The first and last rule just mark outgoing and incoming http packets. I have my doubts with the goal of the secondth rule. Now, i would like you to explain me 2 things ( explaining often open your mind, and make you see things otherwise you cannot ) - how are you using this marks 0x9 that tell us which http packets are going out and in??? - SNAT will change the source IP address of the http packets from 80.156.24.98 to 192.168.0.2, and viceversa when coming back, but why using a local IP to send packets over ADSL connection? Finally if you say you see the packets coming back in PREROUTING chain, and then you dont see them in the INPUT chain, i would like to see the logs of the incoming packets in the PREROUTING chain so may be someone can figureout whats happening. Regards. On 9/8/05, Carsten Rachfahl <cr@xxxxxxx> wrote: Hi moises, that would be right when the packet flow through the router. But the packets are generated on the host local browser / Squid proxy. -- carsten ________________________________ Von: Moises Silva [mailto:moises.silva@xxxxxxxxx] Gesendet: Mittwoch, 7. September 2005 17:04 An: Carsten Rachfahl Betreff: Re: INPUT chain doesen´t receive packets hum, im newbie in iptables, but i guess that you should be looking in the FORWARD chain. The INPUT chain is only in use when the packets are arriving to the box itself, is this the case? please by kind if i am saying stupid things :P best regards On 9/7/05, Carsten Rachfahl < cr@xxxxxxx <mailto:cr@xxxxxxx> > wrote: Hi everyone on the list. I have problems with iptables and iproute2. In my scenario I want to use a host with a dsl connection on eth0 and a lan connection eth1 for policy based routing. I want to route http traffic generated by the host itself over eth0 and the rest over eth1. To solve the problem I implement a second routing table called overdsl and route all http packets over the dsl interface. In the following you see the rules that work (proven with ethereal at the eth0 interface). iptables -A OUTPUT -t mangle -p tcp --dport http -j MARK --set-mark 0x9 iptables -A POSTROUTING -t nat -s 80.156.24.98 -p tcp --dport http -j SNAT --to 192.168.0.2 iptables -A PREROUTING -t mangle -i eth0 -d 192.168.0.2 -p tcp --sport http -j MARK --set-mark 0x9 My problem is that the answering packages from the connected web server aren't delivering to the browser process. I see them in the PREROUTING but not at the INPUT netfilter. What is going wrong? Any advice probably would help me to solve my problem. Thanks in advaced Carsten Rachfahl Rachfahl & Tielke OHG -- "Su nombre es GNU/Linux, no solamente Linux, mas info en http://www.gnu.org"; -- "Su nombre es GNU/Linux, no solamente Linux, mas info en http://www.gnu.org";
