Unmatchable packet?

Philip Craig philipc at snapgear.com
Wed Nov 23 08:19:20 CET 2005

On 11/23/2005 05:03 PM, Jesse Gordon wrote:
> I agree -- to do as my little example showed would be useless -- but my
> real goal is to route the reply traffic via a different route than the
> request traffic -- I already got it to send the replies out a different
> network interface then the requests came in, but I haven't yet figured out
> how to rewrite the source address of the replies.

Why do you need to rewrite the address?
Just routing the packet should be enough, unless there is an
intermediate firewall that is dropping the packets based on the
source address.

> I don't quite understand why iptables wouldn't be able to match just any
> packet going into or out of any given network card, regardless of whether
> it was related to any other packet or not.
> I may be a little confused. It seems to me that my experiments showed that
> the act of permitting a certain packet criteria to exit a specified
> ethernet port does not inherently permit the responses for that connection
> back in. It seems to me that I had to either tell it to allow related in,
> or specifically allow the replies back. I'll check into it more.

I think you are confusing the nat and filter tables.

The nat table only sees the first packet of a connection, because it
is designed to set up the nat mapping based on the first packet only.

The filter table does see every packet, which is why you need the rule
to allow established/related packets.

The mangle table also sees every packet.  It would be possible to write
a custom target for use in the mangle table that changes the source
address as you desire.  However, noone has written such a target as
far as I know.

More information about the netfilter mailing list