On Sat, Aug 27, 2011 at 7:50 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> On Sat, 27 Aug 2011 19:46:12 -0400
> Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
>>
>> I forwarded a port, using system-config-firewall.
>>
>> The destination machine, not surprisingly, shows the IP address of
>> the firewall as the source of the connection. The goal is obtaining
>> the connection's real source IP. However, on the firewall the
>> forwarded connection isn't reported anywhere by netstat or ss.
>
> This is a DNAT forward? It should show the IP of whatever machine is
> sending the request, not the firewall box in the middle.
>
>> After poking around, I found what I was looking for in
>> /proc/net/nf_conntrack. The forwarded connection was listed there,
>> showing the connection's real source IP.
>>
>> But grepping through /proc/net/nf_conntrack seems to be rather
>> quaint. Neither netstat's nor ss's man page hint at any option that
>> would report on /proc/net/nf_conntrack in some user-friendly fashion.
>> Is there some other admin utility that does?
>
> conntrack-tools has a 'conntrack' command line tool.

KF1: You missed "on the firewall."

KF2: Thanks, didn't know about "conntrack".

OP: You can make iptables log your forwarding rule; that log *might* be more convenient than "/proc/net/nf_conntrack".
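
Added example, not part of the original thread: a small Python reader for /proc/net/nf_conntrack that lists only destination-NATed (forwarded) flows together with the client's real source IP, which is what the original poster was grepping for. The sample lines are constructed, the function names are illustrative, and the layout assumed is the usual one (original-direction tuple first, reply tuple second).

```python
import sys

# Constructed sample entries in /proc/net/nf_conntrack layout (documentation-range IPs).
SAMPLE = """\
ipv4     2 tcp      6 431990 ESTABLISHED src=203.0.113.7 dst=198.51.100.1 sport=51234 dport=8080 src=192.168.1.10 dst=192.168.1.1 sport=80 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.1.20 dst=192.0.2.50 sport=40000 dport=443 src=192.0.2.50 dst=192.168.1.20 sport=443 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=203.0.113.9 dst=198.51.100.1 sport=5353 dport=5300 [UNREPLIED] src=192.168.1.11 dst=203.0.113.9 sport=53 dport=5353 mark=0 zone=0 use=2
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_entry(line):
    """Split one conntrack line into (proto, state, original tuple, reply tuple)."""
    fields = line.split()
    if len(fields) < 6:
        return None
    # TCP lines carry a state name in the sixth field; UDP/ICMP go straight to src=
    state = fields[5] if "=" not in fields[5] else ""
    orig, reply = {}, {}
    for tok in fields[5:]:
        key, sep, val = tok.partition("=")
        if sep and key in TUPLE_KEYS:
            # Each key appears twice: first for the original direction, then the reply.
            (reply if key in orig else orig)[key] = val
    if not {"src", "dst"} <= orig.keys() or not {"src", "dst"} <= reply.keys():
        return None
    return fields[2], state, orig, reply

def forwarded(lines):
    """Return DNAT'd flows: the reply source differs from the original destination."""
    flows = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        proto, state, o, r = entry
        if (r["src"], r.get("sport")) == (o["dst"], o.get("dport")):
            continue  # not destination-NATed, e.g. plain outbound traffic
        flows.append({
            "proto": proto, "state": state,
            "client": o["src"],                    # real source IP as seen by the firewall
            "public": f'{o["dst"]}:{o.get("dport", "-")}',
            "backend": f'{r["src"]}:{r.get("sport", "-")}',
            "snat": r["dst"] != o["src"],          # True: backend sees the firewall's IP
        })
    return flows

if __name__ == "__main__":
    # Pass /proc/net/nf_conntrack (needs root) as argv[1]; defaults to the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for f in forwarded(lines):
        print(f'{f["proto"]:4} {f["client"]:15} -> {f["public"]:21} => {f["backend"]:21} snat={f["snat"]} {f["state"]}')
```

A flow reported with snat=True matches the situation in the first message: the backend sees the firewall's address, and only the firewall's conntrack table still holds the client's IP.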