On Tue, Jul 15, 2003 at 05:11:05PM +0200, lartc@xxxxxxxxxxxxxxxxxxx wrote: [snip...] > where does de-natting occur? > > i thought it was: Your thought is correct. ULOG sees the packets after the conntrack. tcpdump sees the packets before the conntrack. And de-natting occurs at the conntrack: > WIRE -- > PREROUTING [ conntrack --> mangle --> imq --> nat ] ... ^^^^ ^^^^^^^ ^^^^^^ tcpdump de-natting ULOG Take a look at "Table 3-3. Forwarded packets" in Oscar's tutorial. The order of mangle/nat is reverse for incoming and outgoing... Ramin > if i am capturing at mangle, should not the snat address be there? > > Many Many Many Thanks!! > > Charles > > > >
