Hello, Ben Greear wrote:
iptables -A POSTROUTING -t nat -j MASQUERADE -m mark --mark 10001
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 10001
iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 10001
[...]
If virtual router 1 is routing pkts from 1.1.1.1 to 2.2.2.2, and virtual router 2 is routing pkts from 1.1.1.1 to 2.2.2.2, and I only want to NAT pkts leaving virtual router 1, then I think I have to somehow force different ct tuples based on which virtual router the pkts are flowing through. I was trying to do this by MARKing packets entering a device in a particular virtual router and using the mark as part of the tuple....
From what you wrote I understand you need a sort of separate connection tracking for each "virtual router". But I am afraid it cannot be done with MARK, because packet classification by the connection tracking takes place before the packet reaches the mangle PREROUTING (or OUTPUT) chain.
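The ordering point above is the whole problem: in PREROUTING the hooks run in priority order raw (-300), conntrack (-200), mangle (-150), nat DNAT (-100), filter (0), so by the time a MARK rule in mangle fires the packet has already been matched to (or created) a conntrack entry. The only table that runs ahead of conntrack is raw. The script below is an added example, not code from the thread or from either poster; it assumes a later kernel with conntrack zones (2.6.34 or newer) and an iptables with the CT target, and it keeps Ben's mark/MASQUERADE scheme but moves the per-virtual-router split into the raw table where it can still influence the conntrack lookup. By default it only prints the rules it would install; set APPLY=1 to really run iptables.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes:
#   - a kernel with conntrack zones (2.6.34+) and iptables with the CT target
#   - virtual router 1 = packets entering eth1, virtual router 2 = eth2
# Nothing is applied unless APPLY=1; otherwise rules are echoed.

# PREROUTING hook priorities from linux/netfilter_ipv4.h, lowest runs first:
#   NF_IP_PRI_RAW       -300   (raw table)
#   NF_IP_PRI_CONNTRACK -200   (conntrack lookup / new entry)
#   NF_IP_PRI_MANGLE    -150   (mangle table: MARK runs here, already too late)
#   NF_IP_PRI_NAT_DST   -100   (nat PREROUTING)
#   NF_IP_PRI_FILTER       0   (filter table)

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$@"
    fi
}

# vrouter_rules IFACE ZONE MARK
# Separate conntrack state per virtual router, keyed on ingress interface.
vrouter_rules() {
    # raw runs before conntrack, so the zone becomes part of the tuple lookup:
    # 1.1.1.1->2.2.2.2 via eth1 and via eth2 get distinct conntrack entries.
    run iptables -t raw -A PREROUTING -i "$1" -j CT --zone "$2"
    # mangle runs after conntrack; the mark cannot split tuples, but it is
    # still fine for policy routing and for choosing which flows to NAT.
    run iptables -t mangle -A PREROUTING -i "$1" -j MARK --set-mark "$3"
}

# nat_rules MARK
# Masquerade only flows that carry this mark, i.e. that entered through the
# virtual router whose interface set it.
nat_rules() {
    run iptables -t nat -A POSTROUTING -m mark --mark "$1" -j MASQUERADE
}

# Example layout: NAT only virtual router 1 (eth1, zone 1, mark 10001);
# virtual router 2 (eth2, zone 2, mark 10002) is tracked separately and not NATed.
vrouter_rules eth1 1 10001
vrouter_rules eth2 2 10002
nat_rules 10001
```

Locally generated packets (OUTPUT) are not covered here because the thread is about forwarded traffic; if a virtual router also originates packets, the same CT --zone rule is needed in raw OUTPUT, selected by output interface or by owner.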