
Re: Multi ISP router/firewall ...

To: Ray Leach <spoons@rchq.co.za>
Subject: Re: Multi ISP router/firewall ...
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date: Wed, 28 Mar 2007 08:18:26 +0200 (MEST)
Cc: Netfilter <netfilter@lists.netfilter.org>
In-reply-to: <1175061118.21066.34.camel@rayw.internal>
References: <3564089.276511175009558150.JavaMail.www@wwinf1504> <1175061118.21066.34.camel@rayw.internal>
On Mar 28 2007 07:51, Ray Leach wrote:
>
>I tried both methods - iptables using the ROUTE target as well as using
>iptables to mark the packets, then using iproute2 to lookup and route
>using a table with an ip fwmark rule.
>
>In both cases, the traffic is routed out and return traffic comes back
>in the correct interface, but it does not get NATed back to the
>client.
>
>iptables -A FORWARD -i eth0 -p tcp --dport 80 -s 10.0.0.3 -j ACCEPT
>iptables -A FORWARD -i eth4 -p tcp --sport 80 -d 10.0.0.3 -j ACCEPT
>
>iptables -A FORWARD -t mangle -p tcp --dport 80 -s 10.0.0.3 -j MARK
>--set-mark 0x4

The routing decision is done before the FORWARDing chain is entered.
Try moving the MARK to INPUT.

>iptables -A POSTROUTING -t nat -o eth4 -p tcp --dport 80 -s 10.0.0.3 -j
>SNAT --to 10.1.0.2
>
>ip rule del fwmark 4 table 4 priority 32000
>ip route flush table 4
>ip route add table 4 default via 10.1.0.1
>ip rule add fwmark 4 table 4 priority 32000
>ip route flush cache
>
>
>What am I doing wrong?
>
>Looking in /proc/net/ip_conntrack I can find an entry for http traffic
>from the machine at IP 10.0.0.3 created by the SNAT rule above. When the
>traffic returns back in eth4 it seems to disappear on the firewall ...

Jan
-- 
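A toy model of the hook order, added here as an illustration and not part of the thread: it walks Ray's packet through PREROUTING, the routing decision, FORWARD and POSTROUTING and shows that a MARK set in FORWARD is applied only after the `ip rule fwmark 4 table 4` lookup has already run, so the SNAT rule keyed on `-o eth4` never matches, while the same MARK in mangle PREROUTING (the chain a forwarded packet traverses before the routing decision; INPUT is only seen by packets addressed to the router itself) selects eth4 and the SNAT fires. The main-table default route via eth1 and the destination address are assumptions, not values from the thread.

```python
"""Constructed model of the netfilter path a *forwarded* packet takes:
PREROUTING -> routing decision -> FORWARD -> POSTROUTING.
Addresses, table 4, fwmark 4 and the SNAT target come from the thread;
the main table's eth1 default route is an assumption."""

# Policy-routing database, mirroring `ip rule` / `ip route` from the thread.
RULES = [                      # walked in ascending priority, like `ip rule`
    {"priority": 32000, "fwmark": 4, "table": 4},
    {"priority": 32766, "fwmark": None, "table": "main"},
]
TABLES = {
    4: {"default": ("eth4", "10.1.0.1")},        # ip route add table 4 default via 10.1.0.1
    "main": {"default": ("eth1", "192.0.2.1")},  # assumed ISP1 uplink, not in thread
}

def routing_decision(pkt):
    """Return (out_iface, gateway) the way the kernel's fib lookup would."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        if rule["fwmark"] is None or rule["fwmark"] == pkt.get("mark", 0):
            return TABLES[rule["table"]]["default"]
    raise RuntimeError("no route")

def mark_rule(pkt):
    """-t mangle -p tcp --dport 80 -s 10.0.0.3 -j MARK --set-mark 0x4"""
    if pkt["proto"] == "tcp" and pkt["dport"] == 80 and pkt["src"] == "10.0.0.3":
        pkt["mark"] = 0x4

def snat_rule(pkt):
    """-t nat -A POSTROUTING -o eth4 -p tcp --dport 80 -s 10.0.0.3 -j SNAT --to 10.1.0.2"""
    if (pkt["out"] == "eth4" and pkt["proto"] == "tcp"
            and pkt["dport"] == 80 and pkt["src"] == "10.0.0.3"):
        pkt["src"] = "10.1.0.2"

def forward(pkt, mark_chain):
    """Walk the hooks; `mark_chain` is the chain holding the MARK rule.
    Returns (outgoing interface, source address after POSTROUTING)."""
    pkt = dict(pkt)
    if mark_chain == "PREROUTING":
        mark_rule(pkt)                         # before the route is chosen
    pkt["out"], pkt["gw"] = routing_decision(pkt)   # fwmark consulted HERE
    if mark_chain == "FORWARD":
        mark_rule(pkt)                         # too late: route already fixed
    snat_rule(pkt)                             # nat POSTROUTING
    return pkt["out"], pkt["src"]

# Constructed sample: the client's SYN to a web server, arriving on eth0.
CLIENT_SYN = {"proto": "tcp", "src": "10.0.0.3", "dst": "198.51.100.10",
              "dport": 80, "in": "eth0"}
```

With the MARK in FORWARD the packet leaves via the main table's interface unchanged; with it in PREROUTING it leaves eth4 as 10.1.0.2, and it is that SNAT-ed conntrack entry which lets the reply on eth4 be mapped back to 10.0.0.3.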