Joelly Alexander wrote:
>
> in other words - source-nat must be done before destination-nat, but
> iptables does not allow this because the output chain with
> destination-nat is handled before the source-nat from the postrouting
> chain;
>
> does anyone know a way to solve this?

You can mark the packets (-j MARK) or the connection (-j CONNMARK) in
mangle/OUTPUT before DNAT, and match the packet mark (-m mark) or the
connection mark (-m connmark) in nat/POSTROUTING.

Or you can use -m conntrack --ctorigdst to match the original
destination address.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
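The two approaches from the reply above, written out as complete rulesets. This is an added example, not code posted in the thread: it is a small POSIX shell script that emits iptables-restore input for a locally generated connection whose SNAT source address must depend on the destination the process originally connected to, even though nat/OUTPUT has already rewritten that destination with DNAT. All addresses, ports and the mark value are made-up placeholders, and the two generator function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): generate iptables-restore
# rulesets that SNAT in nat/POSTROUTING based on the ORIGINAL destination of a
# locally generated connection, although nat/OUTPUT has already DNATed it.
# Every address, port and mark below is a constructed placeholder.

ORIG_DST="203.0.113.10"   # address the local process connects to
ORIG_PORT="80"
NEW_DST="192.0.2.20"      # where DNAT redirects the connection
NEW_PORT="8080"
SRC_IP="10.0.0.5"         # local address to use as source for this traffic
MARK="0x1"                # connection mark used by approach 1

# Approach 1 (-j CONNMARK / -m connmark): for locally generated packets the
# mangle/OUTPUT chain is traversed before nat/OUTPUT, so the original
# destination is still visible there. Tag the connection, let nat/OUTPUT
# rewrite the destination, then select the SNAT rule by the connection mark
# in nat/POSTROUTING. NAT rules are only evaluated for the first packet of
# a connection, and the mark is already set on the conntrack entry by then.
gen_connmark_rules() {
    cat <<EOF
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -d $ORIG_DST --dport $ORIG_PORT -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -d $ORIG_DST --dport $ORIG_PORT -j DNAT --to-destination $NEW_DST:$NEW_PORT
-A POSTROUTING -m connmark --mark $MARK -j SNAT --to-source $SRC_IP
COMMIT
EOF
}

# Approach 2 (-m conntrack --ctorigdst): no marks at all. The conntrack entry
# keeps the original tuple, so nat/POSTROUTING can match the destination the
# connection had before DNAT. --ctorigdstport needs an explicit -p protocol.
gen_ctorigdst_rules() {
    cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -d $ORIG_DST --dport $ORIG_PORT -j DNAT --to-destination $NEW_DST:$NEW_PORT
-A POSTROUTING -p tcp -m conntrack --ctorigdst $ORIG_DST --ctorigdstport $ORIG_PORT -j SNAT --to-source $SRC_IP
COMMIT
EOF
}

# Usage: choose one approach and feed it to iptables-restore, e.g.
#   gen_ctorigdst_rules | iptables-restore --test   # parse only, no commit
#   gen_ctorigdst_rules | iptables-restore
```

Loading either ruleset needs root and a kernel with the nf_conntrack and NAT modules; iptables-restore --test (where the installed version supports it) lets you check the syntax without touching the live tables. The second approach is the simpler one when the only thing the SNAT decision depends on is the original destination; marks become useful once other criteria (owner, interface, policy decisions made in mangle) need to be carried along as well.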