On Sun, 9 Apr 2006 15:56:02 +0200
Jeroen Elebaut <jeroen@xxxxxxxxxxx> wrote:

> I had a similar problem with our setup. The problem is I think that
> the routing decision on the Linux box is made before the address in
> the packet is changed back to 1.2.3.3. So it doesn't use the source
> policy routing entry. I solved this by using the connmark module from
> iptables and then do routing based on the mark. The following should
> work in your setup:
>
> iptables -t mangle -I PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
>     -j CONNMARK --restore-mark
> iptables -t mangle -I PREROUTING -i eth1 -m conntrack --ctstate NEW \
>     -j CONNMARK --set-mark 1
>
> ip rule add fwmark 1 lookup eth1_up

I already found out this:

iptables -t mangle -A PREROUTING -i eth1 -d 192.168.201.3 \
    -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth2 -s 10.0.2.1 \
    -j CONNMARK --restore-mark

> This will route everything that entered via eth1 back via eth1.

And indeed that was the solution. Thnx!

R.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+
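The following Python model is an added example, not part of the thread or of anyone's production ruleset. It replays the mechanism both posters rely on: the first packet of a connection arriving on eth1 gets mark 1 saved into its conntrack entry, the reply coming back from the internal host on eth2 has that mark restored before the routing decision, and the fwmark rule then sends it to the eth1_up table. The table name, interface names, 192.168.201.3 and 10.0.2.1 come from the thread; the class ConnmarkRouter, the client addresses 203.0.113.5 and 198.51.100.7, and the one-entry DNAT map are constructed for the example. Conntrack direction handling and SNAT are simplified.

```python
"""Simplified model of CONNMARK --set-mark / --restore-mark plus an fwmark ip rule."""
from dataclasses import dataclass

# Names from the thread: the routing table selected by the fwmark rule.
ETH1_TABLE = "eth1_up"   # ip rule add fwmark 1 lookup eth1_up
MAIN_TABLE = "main"      # packets without mark 1 fall through to the main table

# Assumed DNAT mapping: the public address from the thread to the internal host.
DNAT = {"192.168.201.3": "10.0.2.1"}


@dataclass(frozen=True)
class Packet:
    iif: str   # ingress interface
    src: str
    dst: str


class ConnmarkRouter:
    """Models conntrack's per-connection mark (ctmark) and the fwmark routing rule."""

    def __init__(self) -> None:
        # connection key -> mark stored on the conntrack entry
        self.conntrack: dict[frozenset, int] = {}

    @staticmethod
    def conn_key(pkt: Packet) -> frozenset:
        # Conntrack matches replies to the original connection even though DNAT
        # rewrote the destination, so key on the post-translation endpoints and
        # ignore direction (simplification: ports and SNAT are not modelled).
        dst = DNAT.get(pkt.dst, pkt.dst)
        return frozenset((pkt.src, dst))

    def prerouting_mangle(self, pkt: Packet) -> int:
        """Model of the two PREROUTING mangle rules from the thread."""
        key = self.conn_key(pkt)
        if key in self.conntrack:
            # -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
            return self.conntrack[key]
        # First packet of the connection (--ctstate NEW)
        mark = 1 if pkt.iif == "eth1" else 0   # -i eth1 -j CONNMARK --set-mark 1
        self.conntrack[key] = mark               # --set-mark also saves it on the connection
        return mark

    def route(self, pkt: Packet) -> tuple[int, str]:
        """Return (mark, routing table) the policy routing lookup would use."""
        mark = self.prerouting_mangle(pkt)
        table = ETH1_TABLE if mark == 1 else MAIN_TABLE   # ip rule add fwmark 1 lookup eth1_up
        return mark, table


def reply_path_demo() -> dict[str, str]:
    """Walk a DNAT'd connection in via eth1 and its reply out of eth2,
    plus a connection the internal host opens itself for contrast."""
    r = ConnmarkRouter()
    client = "203.0.113.5"   # constructed sample client address
    request = Packet("eth1", client, "192.168.201.3")        # arrives on eth1, DNAT'd to 10.0.2.1
    reply = Packet("eth2", "10.0.2.1", client)              # reply from the internal host
    outbound = Packet("eth2", "10.0.2.1", "198.51.100.7")   # internal host initiates (constructed peer)
    outbound_reply = Packet("eth1", "198.51.100.7", "10.0.2.1")  # reply that happens to enter on eth1
    return {
        "request": r.route(request)[1],
        "reply": r.route(reply)[1],                 # mark 1 restored -> eth1_up
        "outbound": r.route(outbound)[1],           # NEW on eth2 -> mark 0 -> main
        "outbound_reply": r.route(outbound_reply)[1],  # ESTABLISHED: not re-marked -> main
    }


if __name__ == "__main__":
    for name, table in reply_path_demo().items():
        print(f"{name:15s} -> {table}")
```

The outbound_reply case is why the --ctstate NEW qualifier (or Richard's -d 192.168.201.3 match) matters: without it, any packet entering on eth1, including replies to connections the internal host opened, would be re-marked and pulled into the eth1_up table.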