On December 14, 2003 12:35 pm, Jeffrey Laramie wrote:
> On Sunday 14 December 2003 12:16, Antony Stone wrote:
> > On Sunday 14 December 2003 4:55 pm, Jeffrey Laramie wrote:
> > > On Sunday 14 December 2003 11:04, horape@xxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> > > > The proxy has a udp socket bound to port 5000, and another udp socket
> > > > bound to some other port, it reads from the first socket and does a
> > > > sendto using the other socket (poll + read + write, no more)
> > >
> > > It looks like the proxy is grabbing the packets first and then dropping
> > > them directly onto the INPUT chain. Try disabling the proxy and release
> > > the bound ports then try it again. Once the packets reach PREROUTING
> > > you can DNAT them to another port.
> >
> > I could understand the proxy code managing to grab the packet off the
> > wire before netfilter (PREROUTING) sees it, but I don't see how it would
> > then get seen by the INPUT chain - as far as I know, it's not possible
> > for a packet to reach netfilter's INPUT chain without first going through
> > the PREROUTING chain. If a packet bypasses one of these, it will bypass
> > both.
>
> Well that's what I thought but I can't explain his results any other way.
> What are we missing here?

My question exactly ... a silly question is: what if anything is in /proc/net/ip_conntrack for these connections?

Alistair Tonner

> Jeff
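The conntrack check Alistair suggests is the quickest way to settle the PREROUTING question: an entry for the UDP flow proves the packet was seen by netfilter, and its reply tuple shows whether a PREROUTING DNAT rule rewrote the destination port. The following script is an added example, not code from anyone in the thread. It parses lines in the /proc/net/ip_conntrack layout of that era (the field names `src=`, `dst=`, `sport=`, `dport=` and the `[UNREPLIED]` flag are real; the addresses, ports and counters in the sample are constructed) and reports, per flow to a given UDP port, the original and reply tuples and whether DNAT was applied.

```shell
#!/bin/sh
# Added example (not from the thread): inspect /proc/net/ip_conntrack-style
# entries for a UDP port. In each entry the first src/dst/sport/dport group
# is the original direction and the second is the reply direction as netfilter
# expects it after NAT. If PREROUTING DNAT rewrote the destination port, the
# reply side's sport differs from the original dport; if nothing ever answered,
# the entry carries [UNREPLIED].

# Constructed sample in the 2.4/2.6-era /proc/net/ip_conntrack layout
# (real field names; addresses, ports and timers are made up).
SAMPLE_CONNTRACK='udp      17 25 src=192.0.2.10 dst=192.0.2.1 sport=40000 dport=5000 [UNREPLIED] src=192.0.2.1 dst=192.0.2.10 sport=5000 dport=40000 use=1
udp      17 170 src=192.0.2.11 dst=192.0.2.1 sport=40001 dport=5000 src=192.0.2.1 dst=192.0.2.11 sport=5001 dport=40001 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.12 dst=192.0.2.1 sport=51000 dport=22 src=192.0.2.1 dst=192.0.2.12 sport=22 dport=51000 [ASSURED] use=1
udp      17 10 src=192.0.2.13 dst=192.0.2.1 sport=40002 dport=53 src=192.0.2.1 dst=192.0.2.13 sport=53 dport=40002 use=1'

# conntrack_udp_port PORT   (reads conntrack lines on stdin)
# Prints one line per UDP flow whose original destination port is PORT:
#   ORIG_SRC:SPORT -> ORIG_DST:DPORT reply from REPLY_SRC:SPORT STATE
# STATE is "DNAT" when the reply source port differs from the original
# destination port, otherwise "no-NAT", with " UNREPLIED" appended if the
# kernel has not seen a packet in the reply direction.
conntrack_udp_port() {
    awk -v port="$1" '
    $1 == "udp" {
        for (k in seen) delete seen[k]
        for (k in t) delete t[k]
        unreplied = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "[UNREPLIED]") { unreplied = 1; continue }
            eq = index($i, "=")
            if (eq == 0) continue          # flags such as [ASSURED], skip
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            seen[k]++                      # 1 = original tuple, 2 = reply tuple
            t[k, seen[k]] = v
        }
        if (t["dport", 1] != port) next
        state = (t["sport", 2] != t["dport", 1]) ? "DNAT" : "no-NAT"
        if (unreplied) state = state " UNREPLIED"
        printf "%s:%s -> %s:%s reply from %s:%s %s\n",
            t["src", 1], t["sport", 1], t["dst", 1], t["dport", 1],
            t["src", 2], t["sport", 2], state
    }'
}

# On a live 2.4/2.6 box you would run:
#   conntrack_udp_port 5000 < /proc/net/ip_conntrack
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_udp_port 5000
```

Reading the output: a flow that is `no-NAT UNREPLIED` was seen by netfilter but neither redirected nor answered through the tracked path, while a `DNAT` flow confirms the PREROUTING rule fired. No entry at all for the port is the interesting case for the thread, since it means the packets never reached the conntrack hook in PREROUTING.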