Re: Ulog/filter device name does not match effective device name of data flow: expected?

> -----Original Message-----
> From: Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
> Sent: Thursday, 12 January 2012 03:47
> To: Fiedler Roman
> Cc: netfilter-devel@xxxxxxxxxxxxxxx
> Subject: Re: Ulog/filter device name does not match effective device name
> of data flow: expected?
> 
> On Tue, Jan 10, 2012 at 02:04:12PM +0100, Fiedler Roman wrote:
> > Hi,
> >
> > Just a question, if this is intended behavior in NAT/logging with ulog/filter, I know it should be some border case:
> >
> > In the test environment, all 10/8 IPs are routed via lo by default to avoid test data from the 10/8 net leaving the host.
> >
> > 10.0.0.0/8 dev lo  scope link  src 10.0.0.1
> >
> > To allow some connections to reach machines outside, these connections are natted, e.g.
> >
> > iptables -t nat -A OUTPUT -o lo -d 10.0.0.5 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.172:80
> >
> > This allows the connection to be created, but with two side effects:
> >
> > Although the package leaves via eth0, ulog will report OUT=lo:
> >
> > Jan 10 12:06:13 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.xx.xx.3 DST=xxxx.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46425 CE DF PROTO=TCP SPT=48808 DPT=80 SEQ=1237479374 ACK=0 WINDOW=32792 SYN URGP=0
> 
> You forgot to paste your NFLOG rule. Where is it?

Sorry about that:

* Accept and log chain:

iptables -A ACCEPT-INFO -j ULOG --ulog-prefix "iptables:ACCEPT-INFO"
iptables -A ACCEPT-INFO -j ACCEPT

* Accept TCP chain:

iptables -A ACCEPT-INFO-TCP -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT-INFO

* Output rule:

iptables -A OUTPUT -s 10.xx.xx.3 -d xxxx.172/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT-INFO-TCP
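The ULOG line quoted in the thread is the one place where the logged OUT= value (lo) disagrees with the interface the packet really leaves on (eth0). The following Python snippet is an added illustration, not code from the thread or from netfilter: it parses that iptables/ULOG syslog format and flags OUTPUT-chain entries whose OUT=lo cannot be the real egress for the DST shown, so such entries are not attributed to the wrong interface during log review. The sample lines, the documentation-range addresses and the "10/8 is routed via lo" assumption are constructed to mirror the setup described above.

```python
import ipaddress

# Constructed sample lines modelled on the ULOG output quoted in the thread;
# addresses come from documentation ranges, not the poster's hosts.
SAMPLE_LOG = """\
Jan 10 12:06:13 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.0.0.3 DST=203.0.113.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46425 CE DF PROTO=TCP SPT=48808 DPT=80 SEQ=1237479374 ACK=0 WINDOW=32792 SYN URGP=0
Jan 10 12:06:14 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=lo MAC= SRC=10.0.0.3 DST=10.0.0.5 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46426 DF PROTO=TCP SPT=48809 DPT=80 SYN URGP=0
Jan 10 12:06:15 v3lsn1105 iptables:ACCEPT-INFO IN= OUT=eth0 MAC= SRC=192.0.2.3 DST=203.0.113.172 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=46427 DF PROTO=TCP SPT=48810 DPT=80 SYN URGP=0
"""

# Assumption mirroring the thread: 10/8 is routed via lo on the test host,
# so OUT=lo is only plausible for these destinations (plus loopback itself).
LOOPBACK_ROUTED = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]


def parse_ulog_line(line):
    """Parse one iptables/ULOG syslog line into a dict.

    KEY=value tokens become entries (empty values such as IN= stay "");
    bare tokens such as CE, DF or SYN are stored as flags with value True.
    """
    head, sep, rest = line.partition(" IN=")
    parts = head.split()
    if not sep or len(parts) < 5:
        return None
    fields = {"timestamp": " ".join(parts[:3]), "host": parts[3],
              "prefix": " ".join(parts[4:])}
    for token in ("IN=" + rest).split():
        key, has_eq, value = token.partition("=")
        fields[key] = value if has_eq else True
    return fields


def egress_mismatch_suspects(log_text):
    """Return parsed entries that report OUT=lo for a destination that is not
    routed via lo. In the OUTPUT chain these are candidates for flows that were
    DNATed after the route lookup, like the one in the thread, so their OUT=
    value must not be used as the effective egress interface."""
    suspects = []
    for line in log_text.splitlines():
        fields = parse_ulog_line(line)
        if not fields or fields.get("OUT") != "lo" or not fields.get("DST"):
            continue
        dst = ipaddress.ip_address(fields["DST"])
        if not any(dst in net for net in LOOPBACK_ROUTED):
            suspects.append(fields)
    return suspects


if __name__ == "__main__":
    for entry in egress_mismatch_suspects(SAMPLE_LOG):
        print("OUT=lo but DST %s is not lo-routed (ID=%s)" % (entry["DST"], entry["ID"]))
```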
