Hi Ramin, Thanks for the clarification -- I had thought that it was done in "nat" Cheers Charles On Tue, 2003-07-15 at 17:40, Ramin Dousti wrote: > On Tue, Jul 15, 2003 at 05:11:05PM +0200, lartc@xxxxxxxxxxxxxxxxxxx wrote: > > [snip...] > > > where does de-natting occur? > > > > i thought it was: > > Your thought is correct. ULOG sees the packets after the conntrack. > tcpdump sees the packets before the conntrack. > And de-natting occurs at the conntrack: > > > WIRE -- > PREROUTING [ conntrack --> mangle --> imq --> nat ] ... > ^^^^ ^^^^^^^ ^^^^^^ > tcpdump de-natting ULOG > > > Take a look at "Table 3-3. Forwarded packets" in Oscar's tutorial. > The order of mangle/nat is reverse for incoming and outgoing... > > Ramin > > > if i am capturing at mangle, should not the snat address be there? > > > > Many Many Many Thanks!! > > > > Charles > > > > > > > >
