ROUTE target and --continue
Jason Opperisano
opie at 817west.com
Tue Feb 22 15:24:05 CET 2005
On Tue, 2005-02-22 at 05:50, BERTRAND Joël wrote:
> Hello,
>
> I'm trying to use the ROUTE target with SNAT. For me, ROUTE works very
> well without --continue, but I need to add SNAT. Without SNAT, all
> routed packets come from 192.168.0.130 and they have to come from
> 192.168.1.1...
>
> Without --continue, they are routed correctly. To do SNAT, I have added
> --continue and I obtain:
>
> Root kant:[/var/lib/iptables] > iptables -t mangle -n -v -L | grep ROUTE
> 7 280 ROUTE tcp -- * * 192.168.0.130
> 0.0.0.0/0 tcp spts:3000:3001 ROUTE gw:192.168.1.254
> continue
>
> Root kant:[/var/lib/iptables] > iptables -t nat -n -v -L | grep LOG
> 0 0 LOG tcp -- * * 192.168.0.130
> 0.0.0.0/0 tcp spts:3000:3001 LOG flags 0 level 4 prefix
> `SNAT : '
>
> Look at the "0" on the nat table... And without --continue, I can see my
> packets on eth2 (192.168.1.1). With --continue, not one packet... Where
> is the mistake?
probably somewhere other than the two rules you showed us. "-j ROUTE
--continue" makes the ROUTE target a non-terminating match--so that
packets will continue traversing rules *** in that chain ***.
since your -j ROUTE rule is in -t mangle (somewhere), and the LOG rule
is in -t nat POSTROUTING, the --continue won't have any effect on
whether the packet traverses nat rules or not.
again--you don't specify which chain of mangle your ROUTE rule is in,
but if it's in POSTROUTING, even if it worked the way you are assuming,
mangle POSTROUTING is *after* nat POSTROUTING.
need more info--ideally:
iptables -t mangle -vnxL && iptables -t nat -vnxL && iptables -vnxL
-j
--
"I'm better than dirt. Well, most kinds of dirt... not that fancy
store-bought dirt... that stuff's loaded with nutrients, I... I
can't compete with that stuff."
--The Simpsons
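The dump Jason asks for only answers the question if the "Chain ..." headers survive; the poster's grep dropped exactly that information. As an added example (not code from the thread), the following Python parses `iptables -vnxL` output for each table and reports which chain every ROUTE, SNAT and LOG rule sits in, together with its packet counter and whether `continue` is set. The sample dump is constructed, and the chains it places the rules in are assumptions.

```python
import re

# Constructed sample of `iptables -t <table> -vnxL` output. The chain the
# ROUTE rule sits in is an assumption: the original grep hid the headers.
SAMPLE_DUMPS = {
    "mangle": """\
Chain PREROUTING (policy ACCEPT 1200 packets, 96000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      280 ROUTE      tcp  --  *      *       192.168.0.130        0.0.0.0/0            tcp spts:3000:3001 ROUTE gw:192.168.1.254 continue

Chain POSTROUTING (policy ACCEPT 1190 packets, 95200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
""",
    "nat": """\
Chain POSTROUTING (policy ACCEPT 300 packets, 24000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        tcp  --  *      *       192.168.0.130        0.0.0.0/0            tcp spts:3000:3001 LOG flags 0 level 4 prefix `SNAT : '
       0        0 SNAT       tcp  --  *      eth2    192.168.0.130        0.0.0.0/0            tcp spts:3000:3001 to:192.168.1.1
""",
}

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_dump(text):
    """Parse one table's `iptables -vnxL` output into {chain: [rule, ...]}."""
    rules, chain = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:                       # "Chain NAME (policy ...)" starts a new chain
            chain = m.group(1)
            rules[chain] = []
            continue
        if not line.strip() or line.lstrip().startswith("pkts") or chain is None:
            continue                # blank line or column header
        f = line.split(None, 9)     # 9 fixed columns, then match/target options
        rules[chain].append({
            "pkts": int(f[0]), "bytes": int(f[1]), "target": f[2], "proto": f[3],
            "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
            "extra": f[9] if len(f) > 9 else "",
        })
    return rules

def locate(dumps, wanted=("ROUTE", "SNAT", "LOG")):
    """Return (table, chain, target, pkts, continue_flag) for each wanted rule."""
    found = []
    for table, text in dumps.items():
        for chain, chain_rules in parse_dump(text).items():
            for r in chain_rules:
                if r["target"] in wanted:
                    found.append((table, chain, r["target"], r["pkts"],
                                  "continue" in r["extra"].split()))
    return found
```

A zero counter on the SNAT rule next to a non-zero counter on the ROUTE rule, read together with the chain names, is what tells you whether the packets ever reached nat POSTROUTING.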