> > > > It looks like the proxy is grabbing the packets first and then dropping
> > > > them directly onto the INPUT chain. Try disabling the proxy and release
> > > > the bound ports then try it again. Once the packets reach PREROUTING
> > > > you can DNAT them to another port.
> > > I could understand the proxy code managing to grab the packet off the
> > > wire before netfilter (PREROUTING) sees it, but I don't see how it would
> > > then get seen by the INPUT chain - as far as I know, it's not possible
> > > for a packet to reach netfilter's INPUT chain without first going through
> > > the PREROUTING chain. If a packet bypasses one of these, it will bypass
> > > both.
> > Well that's what I thought but I can't explain his results any other way.
> > What are we missing here?
> My question exactly ...
> a silly question is :
> what if anything is in /proc/net/ip_conntrack for these connections?

udp 17 179 src=200.68.94.100 dst=200.61.169.146 sport=5000 dport=18416 src=200.61.169.146 dst=200.68.94.100 sport=18416 dport=5000 [ASSURED] use=2

(200.68.94.100 is my ip)

> Alistair Tonner

Regards and thanks,
HoraPe
---
Horacio J. Peña
horape@xxxxxxxxxxxxxxxxx
horape@xxxxxxxxxx
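
Added example, not part of the original message or of any poster's code: in an ip_conntrack entry the second tuple is the expected reply, so a DNAT that had been applied would show up as a reply source that differs from the original destination. The sketch below checks that for TCP/UDP entries; `parse_entry`, `nat_status` and the port 5060 in the second sample are assumptions made for illustration.

```python
import re

# key=value fields of a TCP/UDP tuple; \s* tolerates a value that a mail
# client wrapped onto the next line
FIELD = re.compile(r"\b(src|dst|sport|dport)=\s*(\S+)")


def parse_entry(line):
    """Split one ip_conntrack line into (original, reply) tuple dicts."""
    fields = FIELD.findall(line)
    if len(fields) != 8:  # ICMP and other entries carry no sport/dport
        raise ValueError("not a TCP/UDP conntrack entry: %r" % line)
    return dict(fields[:4]), dict(fields[4:])


def nat_status(line):
    """Report whether the reply tuple mirrors the original tuple."""
    orig, reply = parse_entry(line)
    findings = []
    # Untranslated traffic: reply source == original destination.
    if (reply["src"], reply["sport"]) != (orig["dst"], orig["dport"]):
        findings.append("DNAT %s:%s -> %s:%s" % (
            orig["dst"], orig["dport"], reply["src"], reply["sport"]))
    # Untranslated traffic: reply destination == original source.
    if (reply["dst"], reply["dport"]) != (orig["src"], orig["sport"]):
        findings.append("SNAT %s:%s -> %s:%s" % (
            orig["src"], orig["sport"], reply["dst"], reply["dport"]))
    return findings or ["no NAT"]


# The entry quoted in the message above.
PAGE_ENTRY = (
    "udp 17 179 src=200.68.94.100 dst=200.61.169.146 sport=5000 dport=18416 "
    "src=200.61.169.146 dst=200.68.94.100 sport=18416 dport=5000 [ASSURED] use=2")

# Constructed sample: the same flow as it would look if a PREROUTING DNAT
# to port 5060 (hypothetical port) had been applied.
CONSTRUCTED_DNAT = (
    "udp 17 179 src=200.68.94.100 dst=200.61.169.146 sport=5000 dport=18416 "
    "src=200.61.169.146 dst=200.68.94.100 sport=5060 dport=5000 [ASSURED] use=2")

if __name__ == "__main__":
    for name, entry in (("page", PAGE_ENTRY), ("constructed", CONSTRUCTED_DNAT)):
        print(name, nat_status(entry))
```

For the entry quoted in the message the reply tuple is an exact mirror of the original, so conntrack recorded no translation for that flow.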