On Mar 28 2007 07:51, Ray Leach wrote:
>
> I tried both methods - iptables using the ROUTE target as well as using
> iptables to mark the packets, then using iproute2 to lookup and route
> using a table with an ip fwmark rule.
>
> In both cases, the traffic is routed out and return traffic comes back
> in the correct interface, but it does not get NATed back to the
> client.
>
> iptables -A FORWARD -i eth0 -p tcp --dport 80 -s 10.0.0.3 -j ACCEPT
> iptables -A FORWARD -i eth4 -p tcp --sport 80 -d 10.0.0.3 -j ACCEPT
>
> iptables -A FORWARD -t mangle -p tcp --dport 80 -s 10.0.0.3 -j MARK --set-mark 0x4

The routing decision is done before the FORWARDing chain is entered.
Try moving the MARK to INPUT.

> iptables -A POSTROUTING -t nat -o eth4 -p tcp --dport 80 -s 10.0.0.3 -j SNAT --to 10.1.0.2
>
> ip rule del fwmark 4 table 4 priority 32000
> ip route flush table 4
> ip route add table 4 default via 10.1.0.1
> ip rule add fwmark 4 table 4 priority 32000
> ip route flush cache
>
>
> What am I doing wrong?
>
> Looking in /proc/net/ip_conntrack I can find an entry for http traffic
> from machine at ip 10.0.0.3 created by the SNAT rule above. When the
> traffic returns back in eth4 it seems to disappear on the firewall ...

Jan
--
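As an added example (not code from either poster), the same setup written so that the MARK is applied in the mangle PREROUTING hook, the one point on a forwarded packet's path that comes before the route lookup which consults the fwmark rule. It reuses the addresses, interface, mark and table from the thread; the `run` wrapper and the `APPLY` switch are my own, and by default the commands are only printed.

```shell
#!/bin/sh
# Added example: mark-based policy routing for one client's HTTP traffic.
# Values below are taken from the thread; set APPLY=1 to execute for real,
# otherwise each command is printed so the ordering can be reviewed first.

CLIENT=10.0.0.3     # inside host whose port-80 traffic takes the alternate path
OUT_IF=eth4         # interface the alternate path leaves on
GW=10.1.0.1         # next hop on that path
SNAT_IP=10.1.0.2    # firewall's address on OUT_IF, used as the NAT source
MARK=4
TABLE=4
PRIO=32000

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

policy_route_rules() {
    # 1. Mark the packet BEFORE the routing decision. PREROUTING is the only
    #    mangle hook a forwarded packet passes through ahead of the route
    #    lookup; a mark set in FORWARD arrives too late to influence it.
    run iptables -t mangle -A PREROUTING -s "$CLIENT" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # 2. Send marked packets through the alternate table and gateway.
    run ip rule add fwmark "$MARK" table "$TABLE" priority "$PRIO"
    run ip route replace table "$TABLE" default via "$GW" dev "$OUT_IF"
    run ip route flush cache
    # 3. Permit the forwarded flow; conntrack matches the replies.
    run iptables -A FORWARD -s "$CLIENT" -o "$OUT_IF" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$OUT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. SNAT happens in POSTROUTING, after routing, once the outgoing
    #    interface is known; the reply is de-NATed by the conntrack entry.
    run iptables -t nat -A POSTROUTING -s "$CLIENT" -o "$OUT_IF" -p tcp --dport 80 -j SNAT --to-source "$SNAT_IP"
}

policy_route_rules
```

If replies still vanish on the way back in, check reverse-path filtering on the alternate interface (net.ipv4.conf.eth4.rp_filter): the return path is asymmetric relative to the main table, and strict rp_filter drops such packets silently.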