The LOG rules I put in PREROUTING and POSTROUTING aren't logging anything!?! But I also put one in FORWARD and it's logging the packets as coming from the address DNAT changed the original packets to go to, and destined for the original source address. This must mean the SNAT has been undone when the return packets hit the FORWARD chain, but the DNAT will not be undone until the packets reach the POSTROUTING chain. This seems like a bug to me; I would expect all NAT to be undone before any routing takes place, ideally before the PREROUTING chain.

I guess I will have to think of another way to implement multiple incoming lines. Any suggestions would be appreciated. My first idea is to run a UML instance so incoming packets go through the main Linux instance and are routed to the UML instance that NATs them; thus on the return they are unNATed by the UML and passed to the main instance for source routing. It sounds really nasty...

Tim

> -----Original Message-----
> From: George Vieira [mailto:georgev@xxxxxxxxxxxxxxxxxxxxxx]
> Sent: 22 May 2003 22:49
> To: Tim Saunders; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: UnNATing return packets
>
> In the prerouting stage I assume, because that is the place where DNAT takes place. Also take note they say "PREROUTING" for a good reason, though I haven't tested it with iproute2 and source routing but I assume they are in the same level. Just remember that POSTROUTING is after the routing table.. as it says in its name (he he, gotta love those netfilter developers)..
>
> Add some LOG rules matching both sets of IPs you're testing.
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@xxxxxxxxxxxxxxxxxxxxxx
>
> Citadel Computer Systems Pty Ltd http://www.citadelcomputer.com.au
>
> -----Original Message-----
> From: Tim Saunders [mailto:Tim.Saunders@xxxxxxxxxxxxxx]
> Sent: Friday, May 23, 2003 12:51 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: UnNATing return packets
>
> When a TCP connection goes through a netfilter firewall and is SNATed and DNATed, when do the return packets get unNATed? i.e. a packet comes into the firewall from a client requesting a TCP session, it is SNATed and DNATed and sent to the server, the server sends an ack response, this gets to the firewall. When do the original source and destination addresses (from the session request packet) get put back? Is it before or after routing?
>
> I am trying to do source routing of return packets based on the address the client originally thought it was targeting. Packets come in destined for 80.5.94.150 and get DNATed to 10.136.1.7; they also get SNATed to 10.136.1.254. I have a rule to route packets from 80.5.94.150 via a different routing table with a default route that goes out of a different line to normal, but the packets still get routed out of the normal line. It is possible my source routing is at fault. I am using the following commands:
>
> I have added "15 sr1" to /etc/iproute2/rt_tables.
>
> # ip rule add from 80.5.94.150 table sr1
> # ip route add default via 80.5.94.129 dev eth3 table sr1
> # ip route flush cache
>
> One more thing that may be important: eth3 has an IP in 80.5.94.128/25 and an IP in 10.234.1.0/24 that goes to a router for the other line.
>
> Any help greatly appreciated.
> Tim Saunders
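Added example, not part of the thread: a small Python model of where netfilter's conntrack-based NAT rewrites the addresses of Tim's forwarded connection at each hook, and which source address the routing decision therefore sees for the server's reply. The client address 198.51.100.20 is constructed, and the `ip rule from` match is modelled as a single-address comparison.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    """One conntrack entry: the client's original tuple and the NAT'ed tuple."""
    orig_src: str  # client
    orig_dst: str  # public address the client targeted
    nat_src: str   # address the firewall SNATs the client to
    nat_dst: str   # internal server the firewall DNATs to

def traverse(src, dst, conn):
    """Return {hook: (src, dst)} for a forwarded packet of this connection.
    Original direction: DNAT in PREROUTING, SNAT in POSTROUTING. Reply
    direction: undoing SNAT (a dst rewrite) happens in PREROUTING, undoing
    DNAT (a src rewrite) only in POSTROUTING, so the routing decision still
    sees the DNAT target as the source address.
    """
    if (src, dst) == (conn.orig_src, conn.orig_dst):
        reply = False
    elif (src, dst) == (conn.nat_dst, conn.nat_src):
        reply = True
    else:
        raise ValueError("packet does not belong to this connection")
    dst = conn.orig_src if reply else conn.nat_dst          # PREROUTING
    trace = {h: (src, dst) for h in ("PREROUTING", "ROUTING_DECISION", "FORWARD")}
    src = conn.orig_dst if reply else conn.nat_src          # POSTROUTING
    trace["POSTROUTING"] = (src, dst)
    return trace

def select_table(src, rules):
    """Policy routing: the first 'ip rule ... from <addr>' that matches wins."""
    for addr, table in rules:
        if src == addr:
            return table
    return "main"

# Tim's addresses; the client address 198.51.100.20 is constructed.
CONN = Conn(orig_src="198.51.100.20", orig_dst="80.5.94.150",
            nat_src="10.136.1.254", nat_dst="10.136.1.7")
RULES = [("80.5.94.150", "sr1")]   # ip rule add from 80.5.94.150 table sr1

def reply_table():
    """Routing table chosen for the server's reply to the client."""
    trace = traverse("10.136.1.7", "10.136.1.254", CONN)
    return select_table(trace["ROUTING_DECISION"][0], RULES)

if __name__ == "__main__":
    for hook, (s, d) in traverse("10.136.1.7", "10.136.1.254", CONN).items():
        print(f"{hook:17} src={s:14} dst={d}")
    print("reply routed with table:", reply_table())
```

Running it prints the reply's addresses at each hook: at the routing decision the source is still 10.136.1.7, so the `from 80.5.94.150` rule never matches and the reply falls through to the main table.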