[snip]
> > The above takes care of the control connection only. Since the
> > Internet machine believes it is accessing an FTP server on the
> > firewall itself, the latter is addressed by its FTP control
> > connection. This means that the packets cross the firewall's INPUT
> > chain, before they can be DNATed in the PREROUTING chain. I'm not
> > entirely sure about the outbound packets, but most things netfilter
> > apart from NAT require symmetric rules, so I suppose you need an
> > OUTPUT rule to match the INPUT one.
>
> I don't see how this would be. The first chain that a packet entering
> the firewall hits is mangle-PREROUTING, second is nat-PREROUTING. At
> that point it is DNATted, and then hits a routing decision that
> determines if it is local or not, i.e. INPUT or FORWARD. It should never
> 'cross' INPUT at all, unless my understanding (and most sources I've
> read, and traversal tests performed) is faulty.

Then that's where our impression differs. I have thought up to now that
INPUT is hit before PREROUTING before FORWARD before POSTROUTING before
OUTPUT. And that a packet may stop being processed between PREROUTING and
FORWARD as well as between POSTROUTING and OUTPUT.

I may check the one NATing firewall I have running... later.

Cheers,
Tobias
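An added example (not from this thread) of the FTP control-connection DNAT being discussed, written as an iptables script. The interface name eth0 and the internal server address 192.168.1.10 are assumed placeholders; because nat/PREROUTING runs before the routing decision, the rewritten packet is matched in FORWARD, not INPUT, so no mirrored INPUT/OUTPUT pair is needed.

```shell
#!/bin/sh
# Added example: forward inbound FTP control connections to an internal
# FTP server. Assumed (constructed) values: external interface eth0,
# internal server 192.168.1.10. Set IPT=echo to preview the rules,
# APPLY=1 (as root) to install them.
set -e
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
FTP_SERVER="${FTP_SERVER:-192.168.1.10}"

ftp_dnat_rules() {
    # nat/PREROUTING is traversed before the routing decision, so the
    # packet leaves here with the internal server as destination and is
    # routed into FORWARD rather than INPUT.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER":21

    # filter/FORWARD already sees the DNATed destination address.
    "$IPT" -A FORWARD -i "$EXT_IF" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Replies are un-NATed by the same conntrack entry; only the reverse
    # FORWARD direction needs to be permitted, not an OUTPUT rule.
    "$IPT" -A FORWARD -o "$EXT_IF" -p tcp -s "$FTP_SERVER" --sport 21 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # FTP data connections are RELATED to the control connection only
    # when the nf_conntrack_ftp / nf_nat_ftp helpers are loaded and
    # assigned to port 21; without them this rule never matches.
    "$IPT" -A FORWARD -d "$FTP_SERVER" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

if [ "${APPLY:-0}" = 1 ]; then
    ftp_dnat_rules
fi
```

Preview with `IPT=echo sh script.sh` to confirm the chain and table each rule lands in before applying.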