On a machine acting as a bridge, I want to intercept calls to a specific IP address, and serve them locally. So, the bridge config looks like (e.g.)

    10.10.0.1/29      ethernet  eth0        tap1.1       10.10.0.2/29
    default router <-------------> br0 bridge <---------> testbox
                                    |  192.200.3.2/24
                                    |  eth1
                                    V
                       second default router (192.200.3.1/24)

I have control over the bridge running br0, and I want to intercept on the bridge tcp requests to (e.g.) 192.0.200.1:80, and remap them locally to (e.g.) 192.0.200.2:8080.

What I want to achieve is that when testbox makes a connection to 192.0.200.1:80, this is remapped by SNAT and DNAT within the bridge so that 192.0.200.2 sees a connection to its port 8080 coming from 192.200.3.2 (i.e. the public IP of the bridge).

I have a config which works if I put an IP address on the bridge's ethernet interface of (e.g.) 10.10.0.3/29 (*). The main components are:

    # masquerade on the output interface
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

    # allow back traffic back in
    iptables -A FORWARD -i eth1 \! -o eth1 -m state \
        --state RELATED,ESTABLISHED -j ACCEPT

    # Rewrite destination address and port
    iptables -t nat -A PREROUTING -p tcp --match multiport --dports 80 \
        -d 192.0.200.1 -j DNAT --to 192.0.200.2:8080

This all works fine, but my problem is that I can't put an IP interface on the ethernet interface (i.e. I can't do the step labeled (*) above) because I don't know how the network is numbered (here it's labeled 10.10.0.0 but I don't know what the true labeling is).

So I am trying to use ebtables (which I am less familiar with) to turn the bridge into a brouter. I use this:

    ebtables -t broute -A BROUTING -p IPv4 --ip-dst 192.0.200.1 \
        -j redirect

I think what that should do is redirect the MAC address for requests to the IP address to the internal brouter, and indeed it seems to work.

My problem is on return traffic. The brouter unmangles the IP addresses correctly, and wants to send traffic back to 10.10.0.2.
However, it does this by looking in the internal routing table, which results in the packet being sent out of eth1 (not tap1.1) whereupon bad things happen. This is because the machine doesn't (and can't) have a route to 10.10.0.0/24, so doesn't know what interface to send it out of.

What I really want is for the masquerade line to remember not only the input IP address but also the input interface associated with the connection, and ignore the routing table. I am, however, open to any other ideas.

I should say that the bridge box concerned carries hundreds of VLANs - I am happy using connmark to track traffic, but I can't see how to match connmark in iptables and use that to set output interface and output mac address.

-- 
Alex Bligh