Re: netfilter resets TCP conversation that was DNATed from the local machine to another


Alistair Tonner wrote:
> On June 30, 2003 04:07 pm, Michael wrote:
>> The OUTPUT chain in the nat table is
>>
>> Chain OUTPUT (policy ACCEPT)
>>  target prot opt in out source     destination
>>  DNAT   tcp  --  *  *   0.0.0.0/0  1.2.3.5     multiport dports 80,443 to:192.168.0.8
>>  DNAT   tcp  --  *  *   0.0.0.0/0  1.2.3.6     multiport dports 80,443 to:192.168.0.9
>
> 	Please read this page
>
> 	http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-3.html

I've read it before. How is it relevant?

> 	Why are you DNATting in OUTPUT?

Because the packets are originating on the firewall, from Squid. Squid thinks xxx.org is at 1.2.3.5, so DNAT is needed to change that to 192.168.0.8.

I also have identical rules in the PREROUTING chain of the nat table, if you were wondering. Those rules work for requests from the Internet.
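The rule set the thread describes, written out as an added example (not code from either poster): one DNAT rule in PREROUTING for connections arriving from the Internet and an identical one in OUTPUT for connections the firewall itself originates (Squid), both mapping the public address to the same internal server on ports 80 and 443. The address pairs are the ones quoted in the thread; the dry-run switch is an assumption of this example so the generated commands can be reviewed before they are loaded.

```shell
#!/bin/sh
# Added example: generate the paired PREROUTING/OUTPUT DNAT rules for a
# public IP -> internal server mapping. Address pairs are taken from the
# thread; the DRY_RUN switch is this example's own convention.

# Emit one DNAT rule for chain $1, public IP $2, internal IP $3.
# Ports 80 and 443 are the ones the thread's rules cover.
dnat_rule() {
    printf 'iptables -t nat -A %s -p tcp -d %s -m multiport --dports 80,443 -j DNAT --to-destination %s\n' "$1" "$2" "$3"
}

# Emit both rules for one mapping: PREROUTING rewrites traffic that enters
# from the network, OUTPUT rewrites traffic generated on the firewall itself
# (for example Squid connecting to a site it resolves to the public IP).
dnat_pair() {
    dnat_rule PREROUTING "$1" "$2"
    dnat_rule OUTPUT "$1" "$2"
}

# Read generated commands from stdin and either print them (DRY_RUN=1,
# the default) or execute them (DRY_RUN=0; needs root and iptables).
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        cat
    else
        sh
    fi
}

# The two mappings quoted in the thread.
{
    dnat_pair 1.2.3.5 192.168.0.8
    dnat_pair 1.2.3.6 192.168.0.9
} | apply_rules
```

After loading the rules, `iptables -t nat -L OUTPUT -n -v` shows per-rule packet counters; if the OUTPUT counter does not increase while Squid opens connections to the public address, the locally generated traffic is not reaching that rule at all, which separates a rule-matching problem from the connection reset itself.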

