On 2013-10-04, Grant Edwards <grant.b.edwa...@gmail.com> wrote:
> On 2013-10-04, Kerin Millar <kerfra...@fastmail.co.uk> wrote:
>> On 04/10/2013 21:55, Grant Edwards wrote:
>
>>> I then add an iptables rule like this:
>>>
>>> iptables -A OUTPUT -t mangle -p tcp --dport 80 -j MARK --set-mark 1
>
> I'm about to try adding a second iptables rule to use the nat table to
> rewrite the source IP address. Something like this:
>
> iptables -A POSTROUTING -t nat -o net2 -m mark --mark 1 -j SNAT --to
> 172.16.1.2

I also tried

iptables -A POSTROUTING -t nat -o net2 -p tcp --dport 80 -j SNAT --to 172.16.1.2

[I don't think the second rule is quite right, though, since it will also
match packets that _don't_ need to have the source IP re-written.]

Both produced the same results: outbound packets look correct (they have a
source address that's valid for the net2 interface). But, inbound packets
don't seem to reach the TCP stack:

SYN goes out
SYN/ACK comes back
SYN gets resent
SYN/ACK comes back
SYN gets resent
SYN/ACK comes back

The src/dst addresses in both the outbound SYN and the inbound SYN/ACK look
right. Do I need another iptables rule to rewrite the destination IP on the
inbound packets?

-- 
Grant Edwards               grant.b.edwards        Yow! Does someone from
                                  at               PEORIA have a SHORTER
                              gmail.com            ATTENTION span than me?
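The mark and SNAT rules from the post, combined into a small script with a dry-run switch so the rule set can be reviewed before it is applied, plus a counter check for confirming that marked packets actually reach the POSTROUTING SNAT rule. This is an added example, not code from the thread; the interface name, mark value and SNAT address come from the post, while the variable names and the run() helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: the post's mangle MARK rule and the first (mark-matched)
# SNAT variant, which leaves unmarked traffic on net2 untouched.
# DRY_RUN defaults to on, so running the script only prints the commands;
# set DRY_RUN= (empty) to apply them with iptables for real.
DRY_RUN="${DRY_RUN-1}"
OUT_IF="${OUT_IF:-net2}"           # outgoing interface from the post
MARK_VALUE="${MARK_VALUE:-1}"      # fwmark set in the mangle table
SNAT_ADDR="${SNAT_ADDR:-172.16.1.2}"  # source address valid on OUT_IF

# run: print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# mark_rule: mark locally generated TCP traffic to port 80 in the mangle
# table; policy routing on that fwmark is what steers it out of OUT_IF.
mark_rule() {
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK_VALUE"
}

# snat_rule: rewrite the source address only for marked packets leaving
# OUT_IF. Conntrack undoes the SNAT on reply packets automatically, so the
# returning SYN/ACK needs no separate rule of its own.
snat_rule() {
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -m mark --mark "$MARK_VALUE" -j SNAT --to-source "$SNAT_ADDR"
}

# show_counters: per-rule packet counters. A mangle rule that counts while
# the SNAT rule stays at zero means the mark is not seen at POSTROUTING.
show_counters() {
    run iptables -t mangle -L OUTPUT -v -n
    run iptables -t nat -L POSTROUTING -v -n
}

apply_all() {
    mark_rule
    snat_rule
}

apply_all
```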