On 10/16/06, Gáspár Lajos <swifty@xxxxxxxxxxx> wrote:

mangle POSTROUTING comes before nat POSTROUTING, so nat POSTROUTING is the last chain in a packet traversal as per: http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg

So replying to your email:
1. You may do some changes on the packets... (SNAT/DNAT, etc...)
How would SNAT or DNAT help in accounting?
2.a. You have to mark or identify the packets you want to count in other chains ... (MARK target or direct rules)
Since nat POSTROUTING is the last chain, I wouldn't be able to mark it after the packet is SNATted.
2.b. You can use the mangle POSTROUTING chain for counting specified packets because this is the "last" chain BEFORE every packet leaves the system. (I know that there is a "raw" table...)
As I said, POSTROUTING mangle comes before POSTROUTING nat. If it were after it, then I would have the following:

iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 25 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -p tcp --dport 443 -j SNAT --to 192.168.0.1
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 192.168.0.2

then I would have added

iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.1 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -s 192.168.0.2 -j ACCEPT

which would have been a nice solution. But since mangle POSTROUTING is before nat POSTROUTING, the above wouldn't work & I would have to add a statement in mangle POSTROUTING for every nat rule:

iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 80 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -p tcp --dport 443 -j ACCEPT
iptables -t mangle -I POSTROUTING -o eth0 -j ACCEPT

And that's what I meant by "not very graceful".

Thanks
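An added example, not from this thread: since mangle POSTROUTING runs before nat POSTROUTING, the accounting rule for each SNAT rule has to repeat the pre-SNAT match, so this script keeps each match expression in one place and emits both the nat rule and the mangle counter from it. It assumes eth0 and the addresses above, uses -A instead of -I so the catch-all stays last, and only echoes the commands unless IPT is pointed at the real binary.

```shell
# Dry run by default: set IPT=iptables to apply the rules for real.
IPT=${IPT:-"echo iptables"}

# Emit one SNAT rule and its matching accounting rule.
# $1 = SNAT source address, remaining args = match expression (may be empty).
add_snat_pair() {
    addr=$1; shift
    # nat POSTROUTING rewrites the source; it is the last chain, so nothing
    # after it can see the packet.
    $IPT -t nat -A POSTROUTING -o eth0 "$@" -j SNAT --to "$addr"
    # mangle POSTROUTING runs before nat, so the counter cannot match on
    # "-s $addr"; it has to reuse the same pre-SNAT match expression.
    # ACCEPT in mangle only ends this chain; the packet still reaches nat.
    $IPT -t mangle -A POSTROUTING -o eth0 "$@" -j ACCEPT
}

# Rule set from the thread. With -A, order is evaluation order, so the
# specific rules go first and the catch-all for 192.168.0.2 last.
build_rules() {
    add_snat_pair 192.168.0.1 -p tcp --dport 80
    add_snat_pair 192.168.0.1 -p tcp --dport 25
    add_snat_pair 192.168.0.1 -p tcp --dport 443
    add_snat_pair 192.168.0.2
}

build_rules
```

Read the counters afterwards with `iptables -t mangle -L POSTROUTING -v -n -x`; each ACCEPT line's byte count is the traffic that the corresponding SNAT rule rewrote.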