LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-20-2005, 02:00 PM   #1
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Blog Entries: 1

Rep: Reputation: 90
routing decision and iptables


When is the routing decision taken in relation to iptables chains?

Specifically, when there has been a request from the outside world that was DNATed by the firewall, is the de-DNAT done before the routing decision is made? (Of course, this means I have more than one internet connection.)

But I'd like to get as much information about the relation between iptables and the routing decision as possible.

Thanks!
 
Old 07-20-2005, 02:32 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
take a look at chapter 3.1 of this iptables tutorial:

http://www.faqs.org/docs/iptables/tr...goftables.html
 
Old 07-20-2005, 07:32 PM   #3
eantoranz
Original Poster
In table 3.2, I can see that the routing decision for packets going out of this host is made BEFORE the OUTPUT chain is even touched.

That means I can't force the response traffic to traffic that was REDIRECTed (to another port of this same host) to go back out one given interface... or can I?

Let me explain myself a little better:

I'm trying this crazy thing to handle three different internet connections. Two of them are present in the same subnet and don't work in a multipath default route very well... however, one of them together with the third works OK. (If you know of a multipath guru available to help me out with this, I'd appreciate it as well.)

So I will set these two interfaces to handle normal traffic in a multipath route (that already works) and leave one single network interface for other things... like VPN. However, I want to be able to provide the VPN service through the other two links as well.

To be able to recognize where the VPN traffic came from, in order to respond through that same interface, I thought of using three different ports, one on each interface, that would be REDIRECTed to the OpenVPN service port. Then, when the traffic is going out, I would mark the outgoing traffic according to the source port (remember it's a response by now) and would route the traffic according to this mark. BUT if the route the traffic will follow is already chosen even before it hits the OUTPUT chain, it's not gonna work... right? (And if you have a better way to do this... I'm all ears.)
 
Old 07-20-2005, 09:11 PM   #4
eantoranz
Original Poster
Right now I'm just testing if I can mark the traffic going out.

I'm REDIRECTing UDP port 2000 of interface eth2 to 1194, and port 3000 of eth3 to 1194 as well. Then... in the mangle table's OUTPUT and POSTROUTING chains, I added rules to mark traffic going from ports 2000 and 3000, so that I could see if marking would work. I connected to the VPN using ports 2000 and 3000 of the two interfaces... BUT

Code:
# iptables -t mangle -L POSTROUTING -nv; iptables -t mangle -L OUTPUT -nv
Chain POSTROUTING (policy ACCEPT 1800 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2000 MARK set 0x14
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:3000 MARK set 0x1e
Chain OUTPUT (policy ACCEPT 1800 packets, 321K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:2000 MARK set 0x14
    0     0 MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:3000 MARK set 0x1e
 
Old 07-20-2005, 09:27 PM   #5
eantoranz
Original Poster
:angry:

OK.... it won't work.

But you know what, I don't give up that easily. Let's see what I can think of.
 
Old 07-21-2005, 10:19 AM   #6
eantoranz
Original Poster
well, well... I didn't expect to write back so soon.

I have learned that when the traffic is going out from this host, there are actually TWO routing decisions: one prior to the packet traversing the OUTPUT chains... and another after OUTPUT, if the packet was changed by OUTPUT. That means that packets can be marked in OUTPUT and routed accordingly.

So I guess I will use a tunnel for each port, and then mark traffic going from these tunnels to the remote hosts. That would do.

I'll be posting my comments later once I try.
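Worked example, added here and not part of the thread, of what post #6's finding makes possible: a mark set in the mangle OUTPUT chain causes a second routing lookup, so locally generated replies can be steered by an `ip rule ... fwmark` policy rule. It also accounts for the zero counters in post #4: for a REDIRECTed (DNAT) connection, the reply's source port is rewritten back from 1194 to 2000/3000 by the nat hook in POSTROUTING, which runs after the mangle hooks of both OUTPUT and POSTROUTING, so a `--sport 2000` match never fires in either mangle chain. The script below therefore does not match on ports at all; it tags the connection with CONNMARK when the request arrives and copies that mark back onto the reply in mangle OUTPUT. The interface names and marks (eth2/0x14, eth3/0x1e) are taken from the thread; the table numbers, gateway addresses (documentation prefixes) and the `DRY_RUN` switch are my own assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own configuration): route replies from a
# local UDP service back out the interface the request came in on.
#
# Assumed per-link values (placeholders, adjust to your network):
#   eth2 -> mark 0x14, routing table 20, gateway 192.0.2.1
#   eth3 -> mark 0x1e, routing table 30, gateway 198.51.100.1
# DRY_RUN=1 (the default) prints the commands instead of executing them,
# so the script can be reviewed before touching a live router.

DRY_RUN="${DRY_RUN:-1}"
VPN_PORT=1194

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# link_setup IFACE MARK TABLE GATEWAY
link_setup() {
    iface=$1; mark=$2; table=$3; gw=$4
    # 1. The first packet of a connection arriving on this link tags the
    #    conntrack entry (not just the packet) with the link's mark.
    run iptables -t mangle -A PREROUTING -i "$iface" -p udp --dport "$VPN_PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
    # 2. Policy routing: packets carrying this mark use the link's own table,
    #    whose default route points at the link's gateway.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
}

# Copy the connection mark onto locally generated replies. This runs in mangle
# OUTPUT, after the first routing decision; because the mark changed, the
# kernel routes the packet again and the fwmark rules above take effect.
reply_marking() {
    run iptables -t mangle -A OUTPUT -p udp --sport "$VPN_PORT" \
        -j CONNMARK --restore-mark
}

apply_all() {
    link_setup eth2 0x14 20 192.0.2.1
    link_setup eth3 0x1e 30 198.51.100.1
    reply_marking
}

apply_all
```

Run it once with `DRY_RUN=1` to inspect the generated commands, then with `DRY_RUN=0` as root to apply them. Two checks are worth doing afterwards: `ip route get <client address> mark 0x14` should show the gateway from table 20, and the counters of `iptables -t mangle -L OUTPUT -nv` should now increase for reply packets, unlike the port-based rules in post #4. The reply keeps the source address the request arrived on, which is what the upstream provider's reverse-path filtering expects.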
 
Old 07-21-2005, 10:21 AM   #7
eantoranz
Original Poster
Oh... and thanks to the netfilter mailing list for answering the question so kindly.