On Tuesday 2008-09-23 06:13, Julius Volz wrote:
>
> Any ideas why the first packets never appear in the POSTROUTING chain
> but the ACK does?

It is not the first packet of the TCP connection that will show up in
the nat table, it is the first packet of the *tracked* connection,
which may not match the boundary of the classical connection. Like...

	-t raw -A PREROUTING -p tcp --tcp-flags SYN,ACK,RST,FIN SYN -j NOTRACK
	-t raw -A PREROUTING -p tcp --tcp-flags SYN,ACK,RST,FIN SYN,ACK -j NOTRACK

will cause the exact behavior that the 3rd packet, the one that would
match --tcp-flags SYN,ACK,RST,FIN ACK, will be the one showing up in
the nat table.

As such, it might be worth looking at the LOGMARK target in
Xtables-addons, which will print out whether such a connection even
exists/has been untracked. Alternatively, if you don't mind typing
lots,

	-t mangle -A PREROUTING -m conntrack --ctstate INVALID \
	    -j LOG --log-prefix "this won't show up in nat: "
	-t mangle -A PREROUTING -m conntrack --ctstate UNTRACKED \
	    -j LOG --log-prefix "neither will this: "

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
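The point of the reply above is that the nat table is consulted for the first packet conntrack creates an entry for, not for the first packet of the TCP three-way handshake, so two raw-table NOTRACK rules shift "first" from the SYN to the ACK. The following is an added example, not code from the thread or from netfilter: a small Python model of the `--tcp-flags MASK COMP` match and of the UNTRACKED/NEW/ESTABLISHED/INVALID classification that decides which packet reaches nat. The flag constants, the `(mask, comp)` rule representation, the `HANDSHAKE` packet list and the `tcp_loose` switch are this example's own; the switch mimics the kernel's `nf_conntrack_tcp_loose` sysctl (with it off, a flow can only be picked up on a SYN, and a mid-stream ACK is INVALID, which is what the `--ctstate INVALID` LOG rule in the message would catch).

```python
# Added example, not part of the netfilter-devel message above: a model of
# which packet of a TCP handshake becomes the first *tracked* packet (and so
# the one the nat table sees) once the raw-table NOTRACK rules quoted in the
# message are in place. Flag constants, the (mask, comp) rule tuples and the
# tcp_loose switch are this example's own; the kernel knob the switch mimics
# is nf_conntrack_tcp_loose.

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK"}

HANDSHAKE_MASK = SYN | ACK | RST | FIN   # the "SYN,ACK,RST,FIN" in --tcp-flags


def flag_str(flags):
    """Render a flag bitmask the way iptables spells it, e.g. 'SYN,ACK'."""
    return ",".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "NONE"


def tcp_flags_match(pkt_flags, mask, comp):
    """iptables -p tcp --tcp-flags MASK COMP: look only at the bits in MASK
    and require exactly the bits in COMP to be set among them.  Bits outside
    MASK (PSH, URG, ...) are ignored, which is why a PSH/ACK still counts
    as 'ACK' for the handshake mask."""
    return (pkt_flags & mask) == comp


# raw PREROUTING rules quoted in the message, as (mask, comp) pairs that
# send a matching packet to -j NOTRACK
NOTRACK_SYN_AND_SYNACK = [
    (HANDSHAKE_MASK, SYN),        # --tcp-flags SYN,ACK,RST,FIN SYN
    (HANDSHAKE_MASK, SYN | ACK),  # --tcp-flags SYN,ACK,RST,FIN SYN,ACK
]


def classify(packets, notrack_rules, tcp_loose=True):
    """Run the packets of one flow through the model in order.

    Returns a list of (flags, ctstate, seen_by_nat) with ctstate one of
    UNTRACKED, NEW, ESTABLISHED or INVALID.  Only the NEW packet traverses
    the nat table: nat sees the first packet conntrack tracks, not the
    first packet of the TCP connection.  With tcp_loose=False a flow can
    only be picked up on a pure SYN; any other packet that has no entry
    yet is INVALID and never starts tracking.
    """
    entry_exists = False
    result = []
    for flags in packets:
        if any(tcp_flags_match(flags, m, c) for m, c in notrack_rules):
            result.append((flags, "UNTRACKED", False))
        elif entry_exists:
            result.append((flags, "ESTABLISHED", False))
        elif tcp_loose or tcp_flags_match(flags, HANDSHAKE_MASK, SYN):
            entry_exists = True
            result.append((flags, "NEW", True))
        else:
            result.append((flags, "INVALID", False))
    return result


def first_packet_seen_by_nat(packets, notrack_rules, tcp_loose=True):
    """0-based index of the packet that hits the nat table, or None."""
    for i, (_, _, nat) in enumerate(classify(packets, notrack_rules, tcp_loose)):
        if nat:
            return i
    return None


# constructed three-way handshake followed by one data segment
HANDSHAKE = [SYN, SYN | ACK, ACK, ACK | PSH]

if __name__ == "__main__":
    for label, rules in (("no NOTRACK rules", []),
                         ("SYN and SYN/ACK untracked", NOTRACK_SYN_AND_SYNACK)):
        print(label)
        for flags, state, nat in classify(HANDSHAKE, rules):
            print(f"  {flag_str(flags):8} {state:12} {'-> nat' if nat else ''}")
    print("tcp_loose=0, SYN and SYN/ACK untracked:",
          [s for _, s, _ in classify(HANDSHAKE, NOTRACK_SYN_AND_SYNACK, tcp_loose=False)])
```

Without the NOTRACK rules the SYN is NEW and reaches nat; with them the SYN and SYN/ACK are UNTRACKED and the bare ACK becomes the NEW packet, exactly the "3rd packet" behaviour described above. The `tcp_loose=False` run shows the other case the two LOG rules in the message distinguish: once the handshake is untracked, nothing is ever NEW, the ACK is INVALID, and no packet of the flow reaches nat at all.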