LinuxQuestions.org

Thread: iptables POSTROUTING doesn't match local-process replies. (https://www.linuxquestions.org/questions/linux-networking-3/iptables-postrouting-doesnt-match-local-process-replies-155016/)

bentz 03-08-2004 11:46 AM

iptables POSTROUTING doesn't match local-process replies.
 
Hello,
I need to change the source address of a reply packet leaving a machine running iptables. I am trying to accomplish this using POSTROUTING -j SNAT.

When a request comes into a server and is destined for a local process (i.e. apache, sshd, etc.), its reply leaves the machine without ever touching the POSTROUTING chain -- the 'hit' counters (iptables -t nat -L POSTROUTING -n -v) never increment as a packet passes through, and my POSTROUTING -j SNAT rule never gets to mangle the packet's source address. POSTROUTING works fine if the connection is being routed through a machine, and does not involve a local process.

I need to get this working to support a firmware-based load balancing device. In order to avoid out-of-state connections, I need to have the web server replies come from the same source address as the load balancing device's destination address, and therefore I need to translate the packets leaving the webserver.

Can anyone explain to me how to get POSTROUTING to process packets leaving a local process on a machine?

Thanks in advance.

peter_robb 03-09-2004 02:59 AM

The packets do traverse the POSTROUTING chain...
However, the NAT is effective from the first handshake and once the stream is considered ESTABLISHED, no further packets pass to the chain.

Also you may need to be more specific in the rule to define which source is going to be SNATted.
The rules work best with interface definitions...
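As an added illustration of the traversal peter_robb describes (this is not code from the thread or from iptables itself): a toy Python model in which the nat table is consulted only for a connection's first packet, and every later packet, replies included, is rewritten from the conntrack mapping instead. It also shows that a reply to a connection DNATed in PREROUTING leaves with the reverse-mapped source without any POSTROUTING rule being hit. The addresses are constructed, and `NatBox`, `NatRule` and `web_server_scenario` are assumptions of this model, not kernel or iptables APIs.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
Pkt = namedtuple("Pkt", "src sport dst dport")   # one packet as a 4-tuple

@dataclass
class NatRule:
    chain: str                       # "PREROUTING" or "POSTROUTING"
    match_src: Optional[str] = None  # -s
    match_dst: Optional[str] = None  # -d
    snat_to: Optional[str] = None    # -j SNAT --to-source
    dnat_to: Optional[str] = None    # -j DNAT --to-destination
    hits: int = 0                    # the pkts counter shown by `iptables -t nat -L -n -v`

class NatBox:  # toy model of one host's conntrack + nat table (illustration, not kernel code)
    def __init__(self, rules, local_ips):
        self.rules, self.local_ips = rules, set(local_ips)
        self.ct_orig, self.ct_reply = {}, {}   # wire tuple -> translated tuple, per direction

    def _run_chain(self, chain, pkt):
        for r in self.rules:
            if r.chain == chain and r.match_src in (None, pkt.src) and r.match_dst in (None, pkt.dst):
                r.hits += 1          # a nat rule is only ever hit by a connection's first packet
                return Pkt(r.snat_to or pkt.src, pkt.sport, r.dnat_to or pkt.dst, pkt.dport)
        return pkt

    def process(self, pkt, origin):  # origin: 'wire' (arrived on an interface) or 'local' (local process)
        if pkt in self.ct_orig or pkt in self.ct_reply:   # ESTABLISHED: reuse the recorded mapping;
            return self.ct_orig.get(pkt) or self.ct_reply[pkt]  # the nat table is not consulted again
        out = pkt                    # NEW: the only packet that walks the nat chains
        if origin == "wire":
            out = self._run_chain("PREROUTING", out)
        if origin == "local" or out.dst not in self.local_ips:   # packets for a local process skip it
            out = self._run_chain("POSTROUTING", out)
        self.ct_orig[pkt] = out      # record both directions so replies get the reverse mapping
        self.ct_reply[Pkt(out.dst, out.dport, out.src, out.sport)] = Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out

def web_server_scenario():
    # constructed addresses: 192.0.2.10 web server, 203.0.113.1 balancer VIP, 198.51.100.7 client
    snat = NatRule("POSTROUTING", match_src="192.0.2.10", snat_to="203.0.113.1")  # the poster's rule
    dnat = NatRule("PREROUTING", match_dst="203.0.113.1", dnat_to="192.0.2.10")
    box = NatBox([dnat, snat], ["192.0.2.10"])
    box.process(Pkt("198.51.100.7", 40000, "192.0.2.10", 80), "wire")           # request to a local process
    reply1 = box.process(Pkt("192.0.2.10", 80, "198.51.100.7", 40000), "local")  # its reply: SNAT never seen
    box.process(Pkt("198.51.100.7", 40001, "203.0.113.1", 80), "wire")          # request to the DNATed VIP
    reply2 = box.process(Pkt("192.0.2.10", 80, "198.51.100.7", 40001), "local")  # reply reverse-mapped to VIP
    out3 = box.process(Pkt("192.0.2.10", 50000, "203.0.113.50", 443), "local")   # server-initiated: SNAT hit
    box.process(Pkt("192.0.2.10", 50000, "203.0.113.50", 443), "local")          # 2nd packet: no new hit
    return reply1.src, reply2.src, out3.src, snat.hits, dnat.hits
```

The returned tuple shows the reply to a local process keeping its real source while the SNAT counter stays at one hit from the server-initiated connection only.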

ugge 03-09-2004 12:02 PM

Check out this site, which gives a very nice overview of the traversal of tables and chains.
http://iptables-tutorial.frozentux.net/

bentz 03-10-2004 06:34 PM

So, basically you're saying that if a packet already has an ESTABLISHED state, that it will then not traverse the POSTROUTING chain? This would seem to be consistent with the tests I've performed, where replies from the webserver (which, therefore are ESTABLISHED) don't seem to get modified.

Any way around this behaviour?
