Hello!

I have the following problem with iptables in Debian 6:

My server works as a router and it needs to log server external IP+port for all outgoing connections.

But after command SNAT or MASQUERADE traffic is "lost".
I mean no following rules can catch those traffic.
Everything looks like SNAT/MASQUERADE is the "end" rule and it pushes traffic to network immediately.

Question:

How can I log routed connection data with server external IP and port?

Please post your complete rule set instead of talking about the problem.

These are rules from nat table:

-A POSTROUTING -p tcp -s 10.0.0.0/8 --syn -j MARK --set-mark 4
-A POSTROUTING -m mark --mark 4 -j LOG --log-prefix "TCPLO1 " --log-level debug
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j SNAT --to-source 12.23.34.56
-A POSTROUTING -m mark --mark 4 -j LOG --log-prefix "TCPLO2 " --log-level debug
-A POSTROUTING -p tcp --syn -j LOG --log-prefix "TCPLO3 " --log-level debug

First rule marks routed connection
second - logs marked connection but it don't contain IP and port selected by NAT.
third - executes SNAT
and next line don't log anything but should log marked connection
last line should log any connections and it logs server's own traffic and not routed connections

Are you certain that should be the case? Hasn't the first packet in the connection already exited the chain by the SNAT target?

I'm not sure.

But I need to log those first packet leaving the chain.

Then according to how the NAT table POSTROUTING chains works just having
should do AFAIK.