Hello,
Nishit Shah wrote:
I have the following iptables rule on the system:
iptables -I PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 3128
kernel - 2.6.16.13
I am using the following scenario for load testing:
192.168.206.200 -----> 192.168.121.125 -----> 72.14.223.83
   Client           iptables/proxy server       server
and I am getting the following entry through the conntrack binary as well as
in /proc/net/ip_conntrack:
[NEW] tcp 6 120 NONE src=192.168.206.200 dst=72.14.223.83
sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125
dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 id=28187887
Now the original and reverse tuples here are:
Original tuple 192.168.206.200:63423->72.14.223.83:443
Reply tuple 192.168.121.125:3128->192.168.206.200:46873
So here the destination port of the reverse tuple is 46873. Is it correct?
Yes. NAT may implicitly change the original source port in order to
avoid a clash with an existing connection. However the original port
will be restored in reply packets before they leave the box, so the
client won't see anything. Remember that the tuples in ip_conntrack
contain the addresses and ports when packets enter the PREROUTING or
OUTPUT chains, not when they leave the POSTROUTING or INPUT chains.
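As an added example (not part of this thread), a small Python parser for /proc/net/ip_conntrack lines that splits each entry into its original and reply tuples and reports which parts NAT rewrote, including the implicit source-port remap described in the reply. The sample entries are constructed, modelled on the one quoted above, and the field layout assumed is the 2.6.x one shown there.

```python
import re
from typing import Dict, List, Optional

# Constructed /proc/net/ip_conntrack lines (2.6.x layout), modelled on the entry
# in the post; they are sample data, not captured from a live system.
SAMPLE_CONNTRACK = """\
tcp      6 120 NONE src=192.168.206.200 dst=72.14.223.83 sport=63423 dport=443 packets=1 bytes=48 [UNREPLIED] src=192.168.121.125 dst=192.168.206.200 sport=3128 dport=46873 packets=0 bytes=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.206.200 dst=72.14.223.83 sport=55001 dport=443 packets=10 bytes=1200 src=192.168.121.125 dst=192.168.206.200 sport=3128 dport=55001 packets=9 bytes=9000 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.168.206.200 dst=72.14.223.83 sport=40000 dport=80 packets=3 bytes=180 src=72.14.223.83 dst=192.168.206.200 sport=80 dport=40000 packets=2 bytes=120 [ASSURED] use=1
"""

# Each TCP/UDP entry carries exactly two of these: the original and the reply tuple.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line: str) -> Optional[Dict]:
    """Split one ip_conntrack line into its original and reply tuples."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None  # ICMP, truncated or unrelated line: not handled here
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    fields = line.split()
    # UDP entries have no state column; field 3 is then already "src=..."
    state = fields[3] if not fields[3].startswith("src=") else ""
    return {
        "proto": fields[0], "state": state,
        "orig": (osrc, int(osp), odst, int(odp)),
        "reply": (rsrc, int(rsp), rdst, int(rdp)),
    }

def nat_summary(entry: Dict) -> Dict[str, bool]:
    """Both tuples are recorded as packets enter PREROUTING/OUTPUT, so an
    untranslated flow has reply == reversed(orig); any difference is NAT."""
    osrc, osp, odst, odp = entry["orig"]
    rsrc, rsp, rdst, rdp = entry["reply"]
    return {
        "dst_translated": (rsrc, rsp) != (odst, odp),  # REDIRECT / DNAT
        "src_addr_translated": rdst != osrc,           # SNAT / MASQUERADE
        "src_port_remapped": rdp != osp,               # implicit port change
    }

def scan(text: str) -> List[Dict]:
    """Parse every entry and annotate it with the NAT flags above."""
    out = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            entry.update(nat_summary(entry))
            out.append(entry)
    return out

if __name__ == "__main__":
    for e in scan(SAMPLE_CONNTRACK):
        flags = [k for k, v in e.items() if v is True]
        print(e["state"], e["orig"], "->", e["reply"], flags)
```

Run against the quoted entry, the first line reports dst_translated and src_port_remapped (63423 became 46873 on the wire to the proxy) while the client's address is untouched, which is exactly the situation the reply describes.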