Hi, I had a similar problem with our setup. The problem is, I think, that the routing decision on the Linux box is made before the address in the packet is changed back to 1.2.3.3, so it doesn't use the source policy routing entry. I solved this by using the connmark module from iptables and then doing routing based on the mark. The following should work in your setup:

    iptables -t mangle -I PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    iptables -t mangle -I PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    ip rule add fwmark 1 lookup eth1_up

This will route everything that entered via eth1 back via eth1.

Greetings,
jeroen
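The connmark approach above, written out as a small POSIX shell helper. This is an added example, not code from the reply or from any project; the interface name, mark value, table number and gateway address are constructed sample parameters, and the extra OUTPUT-chain rule and the per-table default route are assumptions that go beyond the original reply (locally generated replies never pass PREROUTING, and the marked table must actually carry a route out of the interface, or the fwmark rule does nothing).

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables/ip commands
# that send a connection's reply traffic back out of the interface it came
# in on, using conntrack marks plus a fwmark policy-routing rule.
# Defaults used in the tests (eth1, mark 1, table 100, gateway 203.0.113.1)
# are constructed sample values. A named table such as eth1_up would need an
# entry in /etc/iproute2/rt_tables; a numeric id works without one.

# connmark_rules IFACE MARK TABLE GATEWAY : print one command per line.
connmark_rules() {
    iface="$1"; mark="$2"; table="$3"; gw="$4"
    # The table consulted for marked packets must route out of IFACE.
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # Forwarded packets of a known connection: copy the connection mark
    # back onto the packet so the reply direction carries it too.
    printf 'iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark\n'
    # First packet of a new connection entering IFACE: stamp the connection.
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j CONNMARK --set-mark %s\n' "$iface" "$mark"
    # Assumption beyond the original reply: replies generated on the box
    # itself only traverse OUTPUT, so the restore has to be repeated there.
    printf 'iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark\n'
    # Policy rule: packets carrying MARK are looked up in TABLE.
    printf 'ip rule add fwmark %s lookup %s\n' "$mark" "$table"
}

# apply_rules IFACE MARK TABLE GATEWAY : run the commands (needs root).
# With DRY_RUN set they are only printed, which is how the test uses it.
apply_rules() {
    connmark_rules "$@" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done
}

# count_rules IFACE MARK TABLE GATEWAY : number of commands emitted.
count_rules() {
    connmark_rules "$@" | wc -l | tr -d ' '
}
```

Review the printed commands with `DRY_RUN=1 apply_rules eth1 1 100 203.0.113.1` before running them for real; the rules are appended with `-A`, so if the mangle table already holds rules, check their order relative to anything that rewrites marks.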