Not sure if that is what you want, but I'll give it a shot, try and pray :-)

I guess you can't change the IP address before routing. NAT is allowed in POSTROUTING first time for a local process, I think.

Maybe you can do it that way:

At the target machine, after the local process (application) has sent a packet, mark the packets before they are routed:

    # iptables and ip rule take a numeric mark; 1 stands for the "snmp" mark here
    iptables -t mangle -A OUTPUT -o eth0 -p tcp -m tcp --dport YOUR_SNMP_PORT -j MARK --set-mark 1

You will be able to handle only these marked packets in a separate routing table (YOURTABLE).

Edit /etc/iproute2/rt_tables and add a new table with a lower number there.

After that, add a default route to the routing table you like to use:

    ip route flush table YOURTABLE
    # default route for this table only
    ip route add table YOURTABLE default dev MANAGEMENTIF
    # all those snmp packets use the new table (same numeric mark as above)
    ip rule add fwmark 1 table YOURTABLE
    ip route flush cache

Now, all packets which are marked with "snmp" will be routed following the instructions found in YOURTABLE and leaving via MANAGEMENTIF.

If you need it, you could do natting after that (-t nat -A POSTROUTING).

If you can't get through, you have to

    # Disable reverse path filtering
    net.ipv4.conf.all.rp_filter = 0

This is a security feature to avoid IP spoofing.

Take a look here:
http://www.sysresccd.org/Sysresccd-Networking-EN-Destination-port-routing

> The reply packet is then routed out the service interface because of the source
> IP. I have numerous packet traces verifying that this is the behavior.
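An added example, not part of the original message: a small offline check that every mark set in the mangle table has a matching `ip rule`, and that computes the rp_filter value the kernel actually applies to an interface. The function names, port 161, mark 1 and the table name `mgmt` are assumptions, and the sample text is constructed.

```shell
#!/bin/sh
# On a live host, feed these functions from:
#   iptables-save -t mangle ; ip rule show ; sysctl -n net.ipv4.conf.IFACE.rp_filter

# Constructed sample: how iptables-save renders "--set-mark 1".
SAMPLE_MANGLE='-A OUTPUT -o eth0 -p tcp -m tcp --dport 161 -j MARK --set-xmark 0x1/0xffffffff'
# Constructed sample: "ip rule show" output with an fwmark rule for table mgmt.
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup mgmt
32766: from all lookup main
32767: from all lookup default'

# Print each mark set by a MARK rule, in decimal, one per line.
marks_set() {
    printf '%s\n' "$1" |
    sed -n 's/.*--set-x\{0,1\}mark \([0-9a-fA-Fx]*\).*/\1/p' |
    while read -r m; do echo "$(($m))"; done
}

# Print "MARK TABLE" pairs (mark in decimal) for every fwmark rule.
rule_marks() {
    printf '%s\n' "$1" |
    sed -n 's/.*fwmark \([0-9a-fA-Fx]*\).* lookup \([^ ]*\).*/\1 \2/p' |
    while read -r m t; do echo "$(($m)) $t"; done
}

# Return 0 only if every mark set in mangle is sent to a table by an ip rule.
# A mark without a rule is silently routed by the main table instead.
marks_routed() {   # $1 = mangle rules, $2 = ip rule output
    for m in $(marks_set "$1"); do
        rule_marks "$2" | grep -q "^$m " ||
            { echo "mark $m has no ip rule"; return 1; }
    done
}

# rp_filter: 0 = off, 1 = strict, 2 = loose. The kernel applies the maximum of
# conf.all and conf.IFACE, so all=0 alone does not turn off strict mode on an
# interface whose own value is 1.
effective_rp_filter() {   # $1 = conf.all value, $2 = conf.IFACE value
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}
```
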