Jan Engelhardt wrote:
> Assuming that the outbound server is the default gateway for the web server and
> receives the return traffic, of course.
> You'd be kinda screwed if that was not the case. Because the 'nat' table
> is only consulted for NEW connections afaics, the reply packets do _not_
> get SNATed, since the _first_ packet was the TCP SYN, which makes the
> connection ESTABLISHED when input processing is done.
The webserver has its own gateway, and that's not the outer box. You
seem to be describing the exact problem I'm seeing in tcpdump; new
connections get SNATed, 'forwarded' connections do not.
Is there really no solution for this?
Bas
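The mechanism Jan describes, modelled as an added example (not code from anyone in this thread): the nat table is consulted only for the first packet of a connection, the resulting mapping is stored in conntrack, and every later packet is translated from that entry, so a reply that never passes through the NAT box is never translated back. The topology is an assumption built from the two messages: a box that DNATs port 80 to an internal web server, and a web server whose default gateway is some other router. All addresses are constructed from the RFC 5737 documentation ranges. The `snat_forwarded` switch stands for the usual remedy when the box cannot be made the web server's gateway, a POSTROUTING SNAT of the forwarded connection to the box's own internal address (`-j SNAT --to-source`), which makes the reply's destination the box itself so it returns through conntrack.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
CLIENT = "203.0.113.10"
BOX_EXT = "198.51.100.1"   # NAT box, outside address
BOX_INT = "192.0.2.1"      # NAT box, inside address
WEB = "192.0.2.80"         # web server, its default gateway is NOT the box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple a reply to this packet carries."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class NatBox:
    """Netfilter-style NAT: the nat table decides once, conntrack replays."""

    def __init__(self, snat_forwarded):
        self.snat_forwarded = snat_forwarded
        # (original-direction tuple, translated tuple) per tracked connection
        self.conntrack = []

    def forward(self, pkt):
        for orig, xlat in self.conntrack:
            if pkt == orig:                 # ESTABLISHED, original direction
                return xlat
            if pkt == xlat.reverse():       # ESTABLISHED, reply direction
                return orig.reverse()       # conntrack undoes the mapping
        # Only a NEW connection reaches the nat table.
        xlat = pkt
        if pkt.dst == BOX_EXT and pkt.dport == 80:      # PREROUTING DNAT
            xlat = Packet(xlat.src, xlat.sport, WEB, xlat.dport)
        if self.snat_forwarded and xlat.dst == WEB:     # POSTROUTING SNAT
            xlat = Packet(BOX_INT, xlat.sport, xlat.dst, xlat.dport)
        self.conntrack.append((pkt, xlat))
        return xlat


def web_server_route(reply):
    """Next hop chosen by the web server: the box only if the destination
    is the box's own inside address; everything else goes to its own gateway."""
    return "box" if reply.dst == BOX_INT else "other_gw"


def simulate(snat_forwarded):
    """Run one SYN and its reply; report what the client ends up receiving."""
    box = NatBox(snat_forwarded)
    syn = Packet(CLIENT, 40000, BOX_EXT, 80)
    at_web = box.forward(syn)          # NEW: nat table applied, mapping recorded
    reply = at_web.reverse()           # the web server answers whoever it saw
    via = web_server_route(reply)
    if via == "box":
        reply = box.forward(reply)     # reply direction: conntrack un-translates
    # The client only accepts a reply from the address and port it connected to.
    return {
        "reply_src": reply.src,
        "via": via,
        "client_accepts": reply.src == BOX_EXT and reply.dport == syn.sport,
    }


if __name__ == "__main__":
    print("DNAT only:      ", simulate(snat_forwarded=False))
    print("DNAT + SNAT:    ", simulate(snat_forwarded=True))
```

With `snat_forwarded=False` the reply leaves via the web server's own gateway carrying the private source `192.0.2.80`, so the client never sees a packet from the address it connected to; this is what shows up in tcpdump as forwarded connections that are not SNATed. With `snat_forwarded=True` the reply is addressed to the box and comes back through conntrack with the public source restored. The cost of that remedy is that the web server logs the box's inside address instead of the real client, so the client IP has to be recovered from the box's own logs or conntrack.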