Hi! We are currently experiencing strange problems with DNAT in conjunction with policy routing and think that we have found a bug somewhere!
The setup is as follows:

2 uplink gateways (GW.A, GW.B) with 2 IP ranges (say A.A.A.0/24 and B.B.B.0/24).

One firewall, set up like this:

Policy routing is set up like this:

  ip route add default via GW.A table 100
  ip rule add from A.A.A.0/24 to default prio 100 table 100
  ip route add default via GW.B table 200
  ip rule add from B.B.B.0/24 to default prio 200 table 200

Behind it we have one host with 2 addresses assigned: A.A.A.2 and B.B.B.2.

Now connecting from the outside works fine for both IP addresses (forwarding works):

  using A.A.A.2, the FW routes return packets to GW.A
  using B.B.B.2, the FW routes return packets to GW.B

NOW we activate DESTINATION NAT
===========================

  iptables -t nat -I PREROUTING 1 -d B.B.B.2/32 -j DNAT --to-destination A.A.A.2

And now the routing is as follows:

  using A.A.A.2, the FW routes packets to GW.A
  using B.B.B.2, the FW routes packets to GW.A

So it seems that the NAT-ed addresses are not passed to the routing core of Linux and thus the original addresses are used for the routing policy...

Did we do something wrong, or is it a bug? Any ideas?

Ciao,
Martin

P.S.: This behaviour shows up on Linux 2.4.9 and 2.4.17 (stock).
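The hook order behind the observation above, as an added example that is not part of Martin's post: in the 2.4 netfilter path the DNAT in PREROUTING runs before the routing decision, but the reverse translation of the reply (src A.A.A.2 back to B.B.B.2) is applied in POSTROUTING, after the routing decision has already matched the "from A.A.A.0/24" rule on the real host address. The model below uses constructed stand-in addresses (10.1.1.0/24 for A.A.A.0/24, 10.2.2.0/24 for B.B.B.0/24, an external client 198.51.100.7) and a plain dict in place of conntrack; it is a simulation of the hook ordering, not kernel code.

```python
"""Model of the netfilter 2.4 hook order behind the post's observation:
PREROUTING (DNAT) -> routing decision -> FORWARD -> POSTROUTING (reverse NAT
of the reply).  All addresses are constructed stand-ins for A.A.A.x / B.B.B.x."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins: 10.1.1.0/24 plays A.A.A.0/24, 10.2.2.0/24 plays B.B.B.0/24
NET_A = ipaddress.ip_network("10.1.1.0/24")
NET_B = ipaddress.ip_network("10.2.2.0/24")
HOST_A = "10.1.1.2"        # A.A.A.2, the host's real address
HOST_B = "10.2.2.2"        # B.B.B.2, the DNAT-ed public address
CLIENT = "198.51.100.7"    # external client (constructed)

# 'ip rule add from <net> prio <n> table <t>' plus
# 'ip route add default via <gw> table <t>' collapsed to (prio, source net, gateway)
POLICY_RULES = [
    (100, NET_A, "GW.A"),
    (200, NET_B, "GW.B"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def routing_decision(pkt: Packet) -> str:
    """Source-based policy routing: first 'from' rule that matches, lowest prio first."""
    addr = ipaddress.ip_address(pkt.src)
    for _prio, net, gw in sorted(POLICY_RULES, key=lambda r: r[0]):
        if addr in net:
            return gw
    return "main-table"


def prerouting_dnat(pkt: Packet, conntrack: dict) -> Packet:
    """iptables -t nat -I PREROUTING 1 -d B.B.B.2/32 -j DNAT --to-destination A.A.A.2
    Runs BEFORE the routing decision and records the mapping for the reply direction."""
    if pkt.dst == HOST_B:
        conntrack[(HOST_A, pkt.src)] = HOST_B   # reply (src, dst) -> address to restore
        return Packet(pkt.src, HOST_A)
    return pkt


def postrouting_reverse_nat(pkt: Packet, conntrack: dict) -> Packet:
    """Undo the DNAT on the reply (src A.A.A.2 -> B.B.B.2).  Runs AFTER routing."""
    original = conntrack.get((pkt.src, pkt.dst))
    if original is not None:
        return Packet(original, pkt.dst)
    return pkt


def forward_reply(reply: Packet, conntrack: dict) -> tuple:
    """Path of the host's reply through the firewall: route first, then POSTROUTING."""
    gw = routing_decision(reply)                          # sees src = A.A.A.2
    on_wire = postrouting_reverse_nat(reply, conntrack)   # src becomes B.B.B.2, too late
    return gw, on_wire


def session(public_dst: str) -> tuple:
    """Client connects to public_dst; returns (gateway chosen for the reply,
    source address the reply carries on the wire)."""
    conntrack: dict = {}
    inbound = prerouting_dnat(Packet(CLIENT, public_dst), conntrack)
    reply = Packet(inbound.dst, inbound.src)   # host answers from the address it received on
    gw, on_wire = forward_reply(reply, conntrack)
    return gw, on_wire.src


if __name__ == "__main__":
    for public in (HOST_A, HOST_B):
        gw, src = session(public)
        print(f"connect to {public}: reply src on wire {src}, routed via {gw}")
```

With the DNAT rule in place both sessions are routed via GW.A even though the second reply leaves with source B.B.B.2, exactly as reported: at the moment the routing decision runs, the only source address it can see is the real host address A.A.A.2, so a source-based "ip rule" cannot tell the two sessions apart.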