Hello,

I am working on configuring a multihomed machine, and one of my goals is to redirect some outgoing TCP-traffic originating from this machine using iptables. Currently, I have got it working with UDP and if I add the rule to the output-chain of the NAT-table before I start the connection, it works.

However, sometimes I want to start doing redirection in the middle of a TCP connection and this does not seem to work. I do not get any matches to my LOG-target and the packets still go through the old interface. In other words, it somehow seems like TCP is skipping the NAT's output-chain. Does anyone have any ideas how to solve this?

The iptables rule I use is:
sudo iptables -A OUTPUT -t nat -p tcp -d 192.168.101.14 --dport 9999 -j DNAT --to 192.168.100.250:9999

Edited: I forgot to add that with my LOG-rule I only see the SYN-packet. The LOG rule is constructed like this:
sudo iptables -A OUTPUT -t nat -p tcp -d 192.168.101.14 --dport 9999 -m state --state NEW,ESTABLISHED,RELATED --sport 1024:65535 -j LOG --log-prefix "INFO,OUTPUT,NAT(tcp): " --log-level debug

Thanks in advance,
Kristian

I know on PREROUTING, only the first packet of a connection traverses the PREROUTING chain. All subsequent packets on that connection are treated in like manner w/o further inspection. I would imagine it is the same way on the nat table OUTPUT chain. If so, you can't do what you are trying to do. Even if you could do it, I don't see how it would accomplish anything since (with TCP) you would never be able to establish the connection with the DNATted address. (The syn packet would have already been sent to the un-DNATted address.)

You are correct, once conntrack marks a connection as ESTABLISHED the rest of the packets naturally skip the NAT-part. To do what I want to do I need to develop a kernel-module, fortunatly, that looks both doable and fun