On Friday 01 November 2002 2:45 pm, Joel Newkirk wrote:
> On Friday 01 November 2002 03:58 am, Antony Stone wrote:
> > On Friday 01 November 2002 6:08 am, Joel Newkirk wrote:
> > > Question to list: At what point in its own travels does the returning
> > > packet get automatically un-DNATed? Prerouting again?
> >
> > No, it happens in POSTROUTING - because it is then a SNAT operation.
> >
> > Useful rule of thumb - in the FORWARD chain, all packets have their
> > "real" IP addresses.
> >
> > That's because DNAT rules have already happened in PREROUTING, so packets
> > now have the destination address of the machine they're really being sent
> > on to, and SNAT rules have not yet happened in POSTROUTING, so packets
> > still have the source address of the machine they really came in from.
>
> Is there any chance then of interference from a masquerade rule in
> postrouting? Or do the automatic reversals take precedence?

Automatic reversals take precedence.

Reply packets are matched by the entry in the connection tracking table (the
entry which identifies them as ESTABLISHED or RELATED), and are immediately
diverted away in the background to be processed.

A side effect of this is that there is no way of specifying a manual rule in
the nat tables which will get applied to reply packets (other than the
automatic reverse of what got applied to the outgoing packet).

Antony.

--
You can spend the whole of your life trying to be popular, but at the end of
the day the size of the crowd at your funeral will be largely dictated by the
weather.

 - Frank Skinner
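Added illustration, not code from the thread: a toy Python model of one router's PREROUTING -> FORWARD -> POSTROUTING traversal with a DNAT rule and a MASQUERADE rule, showing that FORWARD sees real addresses in both directions and that the reply is reversed from the conntrack entry without the nat table rules being consulted. The addresses, the single-rule nat tables and the conntrack bookkeeping are simplified assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NatBox:
    """Toy model of a netfilter router; not a real netfilter implementation."""

    def __init__(self, dnat, masq_src):
        self.dnat = dnat            # PREROUTING DNAT rules: public dst -> internal dst
        self.masq_src = masq_src    # POSTROUTING MASQUERADE: rewrite src to this address
        self.conntrack = {}         # reply tuple (src, dst) -> (orig_src, orig_dst)
        self.forward_seen = []      # (src, dst) as observed by the FORWARD chain

    def traverse(self, pkt):
        entry = self.conntrack.get((pkt.src, pkt.dst))
        return self._new_connection(pkt) if entry is None else self._reply(pkt, entry)

    def _new_connection(self, pkt):
        # PREROUTING: the nat table is consulted only for the first packet of a connection
        dst = self.dnat.get(pkt.dst, pkt.dst)
        # FORWARD: DNAT already done, SNAT not yet done -> real source and real destination
        self.forward_seen.append((pkt.src, dst))
        # POSTROUTING: MASQUERADE rewrites the source on the way out
        src = self.masq_src
        # conntrack records the mapping, keyed by the tuple the reply will carry
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src, dst)

    def _reply(self, pkt, entry):
        orig_src, orig_dst = entry
        # PREROUTING: conntrack undoes the SNAT (dst back to the real client); no nat rule runs
        dst = orig_src
        # FORWARD again sees real addresses: real server -> real client
        self.forward_seen.append((pkt.src, dst))
        # POSTROUTING: conntrack undoes the DNAT (src back to the public address);
        # the MASQUERADE rule is never applied to this reply
        src = orig_dst
        return Packet(src, dst)


def run_example():
    # constructed addresses: client 198.51.100.10, public 203.0.113.1, server 10.0.0.5
    box = NatBox(dnat={"203.0.113.1": "10.0.0.5"}, masq_src="10.0.0.1")
    out = box.traverse(Packet("198.51.100.10", "203.0.113.1"))  # client -> public address
    back = box.traverse(Packet(out.dst, out.src))               # server answers what it saw
    return out, back, box.forward_seen


if __name__ == "__main__":
    print(run_example())
```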