Temporarily, I put wide open logging commands in mangle/PREROUTING (the return packets show up there) and in nat/PREROUTING (they don't show up there). I am wondering how it is possible that packets get though mangle/PREROUTING but don't make it to nat/PREROUTING. According to all the information I have found about iptables, that should be impossible.

There are loads of instructions on the Internet for configuration IPROUTE2 and/or IPTABLES to support multiple WANs. Unfortunately, none seem to be complete in providing configurations that properly support both outgoing and incoming connections while automatically routing to the appropriate WAN.

The mechanism I am using uses setting connmark in iptables, and using fwmark in iproute2.

I have gotten it working to the point that if you specify the correct interface when opening a socket, all will be well for outgoing packets, and connections initiated on the WAN side always work fine. Now I am trying to add necessary routing so certain outgoing addresses will always go out through a particular interface. For example, "ping <special-address>", or "telnet <special-address>. The outgoing routing works fine, but the return packets, although they can be seen in Wireshark, disappear. My plan was to use nat/PREROUTING to re-route the return packets back to the interface nominally used for output - but the packets never make it back to nat/PREROUTING.

So I put wide open logging commands in mangle/PREROUTING (the return packets show up there) and in nat/PREROUTING (they don't show up there). I am wondering how it is possible that incoming packages get though mangle/PREROUTING but don't make it to nat/PREROUTING? According to all the information I have found, that should be impossible.

Again, everything seems to work fine except packets are disappearing between mangle/PREROUTING and nat/PREROUTING.

Centos 6.0 latest updates: 2.6.32-71.29.1.el6.x86_64

Help!!

there once was this guy

over his head with networks

ip tables ... phew!

One problem, as it turns out,was that the kernel is actually doing a bunch of filtering operations and dropping what it considers to be bad or suspicious packets. Turning off "reverse path filtering" on the affected interfaces eliminated this particular problem. However, there are more such issues which I still have not tracked down. Packets simply diappear between theoretically consecutive iptables tables without warning.

Does anyone know where there is a complete list of all packet filtering done by the Linux kernel, aside from the explicit rules in iptables tables?