-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks for the reply Andrew,
Andrew Beverley said the following on 7/9/2012 00:15:
> On Sun, 2012-07-01 at 16:35 +0300, Valts Silaputnins wrote:
> <snip>
>> However the source address was still wrong. Ok so I tried to fix that by
>> adding SNAT to POSTROUTING chain. Only to realize that for some reason
>> those packets don't hit it (checked by -j TRACE...).
>
> What are your rules for this? As long as the packets are actually
> hitting that chain then I don't see why they wouldn't be sent to the
> SNAT target.
POSTROUTING nat table is pretty basic:
Chain POSTROUTING (policy ACCEPT 2503 packets, 131K bytes)
pkts bytes target prot opt in out source
destination
6 450 SNAT all -- any wan0 anywhere
anywhere to:46.109.116.xx
6 544 SNAT all -- any wan1 anywhere
anywhere to:46.109.237.xx
according to TRACE they would hit mangle table of POSTROUTING but not NAT:
//TRACE udp sport=3784
TRACE: raw:OUTPUT:policy:2 IN= OUT=wan1 SRC=46.109.237.xx
DST=213.175.115.xx LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=3784 DPT=57341 LEN=208 UID=1001 GID=99
//CONNMARK restore
TRACE: mangle:OUTPUT:rule:1 IN= OUT=wan1 SRC=46.109.237.xx
DST=213.175.115.xx LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=3784 DPT=57341 LEN=208 UID=1001 GID=99
//ACCEPT if mark !=0
TRACE: mangle:OUTPUT:rule:2 IN= OUT=wan1 SRC=46.109.237.xx
DST=213.175.115.xx LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=3784 DPT=57341 LEN=208 UID=1001 GID=99 MARK=0x1
//ACCEPT
TRACE: filter:OUTPUT:policy:1 IN= OUT=wan1 SRC=46.109.237.xx
DST=213.175.115.xx LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=3784 DPT=57341 LEN=208 UID=1001 GID=99 MARK=0x1
//policy ACCEPT, table is empty
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=wan0 SRC=46.109.237.xx
DST=213.175.115.xx LEN=228 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP
SPT=3784 DPT=57341 LEN=208 UID=1001 GID=99 MARK=0x1
And that's it, TRACE doesn't show it reaching the nat table of POSTROUTING.
What I see from trace is that packet was going to go out via WAN1, had
it's mark restored, routing matched it to go via WAN0 but it didn't
reach SNAT according to TRACE.
> I don't see why it should be a problem, but you have to use SNAT in the
> POSTROUTING chain not OUTPUT. From the man page:
>
> SNAT This target is only valid in the nat table, in the POSTROUTING
> chain.
>
I wasn't precise. Of course I can't SNAT in OUTPUT chain nat table.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAk/6qX8ACgkQ7nq3gp3q9WPaOQCgvoWvqtrInors/VarPClOre0U
7lEAoPuQsEmfCgbJatRbUywap1aIGOw/
=BG4q
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
