On Tue, 11 Oct 2005, Ignatich wrote:
Since ipt_owner does not work in PREROUTING chain and fwmark is pointless, I thought that ipt_ROUTE from p-o-m can help me.
Using ipt_owner in PREROUTING is pointless as PREROUTING never sees any packets sent by a local application.
PREROUTING sees packets coming in from the network before any decision on what to do with the packet has been made.
ipt_owner can be used in OUTPUT/INPUT only (at least I think it can be used in INPUT, maybe not..).
CONNMARK may be what you are looking for. Allows you to mark the connection in OUTPUT and then reuse this mark in PREROUTING when packets comes back on the same connection.
Here's what I did: iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j ROUTE --gw x.x.x.x --oif eth1 But it did not work. I belive this happened because matched packets still had z.z.z.z as their source address.
You need to SNAT/MASQUERADE them.
So i tried that: iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j ROUTE --gw x.x.x.x --oif eth1 --continue iptables -t nat -A POSTROUTING -o eth1 -m owner --gid-owner adsl -j SNAT --to-source y.y.y.y
Any specific reason why you have the owner match in POSTROUTING? Shouldn't all traffic going out on eth1 be NAT:ed?
Note: You generally also need to use policy routing to keep this traffic on eth1.
Regards Henrik
