On Mon, 2004-01-19 at 16:21, Jeffrey Laramie wrote:
> Johan Ankarloo wrote:
>
> >Hi
> >
> >Does anyone know how to log a DNAT/SNAT connection? When logging a NAT
> >connection you also want to know the origin source/destination/port of
> >that packet. Is that possible?
> >
>
> Sure. The easiest way to do it is to add a matching log rule just before
> the nat rule:
>
> iptables -t nat -A POSTROUTING -o $Net_Interface -j LOG --log-prefix "SNAT: "
> iptables -t nat -A POSTROUTING -o $Net_Interface -j SNAT --to $Net_IP
>
> Jeff

The problem when doing this is that you don't get the original
source/destination or the translating address. If you look at the logs you
can't see all the information that you need to be able to debug any problem
or to be able to track that connection back to the user.

What I was looking for was a way to have more information in the logs from
that specific connection. The information that needs to be there is:

OriginSource
OriginSPort
OriginDestination
OriginDPort
TranslatedSource
TranslatedSPORT
TranslatedDest
TranslatedDPort

Regards
Johan
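Added example, not part of the thread and not code from either poster: the kernel's connection-tracking table stores each flow's original-direction tuple and its reply-direction tuple, so the eight fields listed in the message above can be derived from a single entry. Using conntrack as the data source is an assumption, and the sample lines are constructed in the text format printed by `conntrack -L`.

```python
import re

# Constructed sample entries in the text format printed by `conntrack -L`:
# the original-direction tuple comes first, the reply-direction tuple second.
SAMPLE = [
    # SNAT: inside host 192.168.1.10 leaves the gateway as 198.51.100.1
    "tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=80 "
    "src=203.0.113.5 dst=198.51.100.1 sport=80 dport=40000 [ASSURED] mark=0 use=1",
    # DNAT: public 198.51.100.1:8080 is forwarded to 192.168.1.20:80
    "tcp      6 431990 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=51000 dport=8080 "
    "src=192.168.1.20 dst=203.0.113.9 sport=80 dport=51000 [ASSURED] mark=0 use=1",
    # No NAT: the reply tuple is the exact mirror of the original tuple
    "udp      17 25 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 [UNREPLIED] "
    "src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1",
]
KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Return the eight fields from the thread, or None without two port tuples."""
    pairs = KV.findall(line)
    if len(pairs) < 8:
        return None  # e.g. ICMP entries carry type/code/id instead of ports
    orig, reply = dict(pairs[:4]), dict(pairs[4:8])
    return {
        "OriginSource": orig["src"], "OriginSPort": orig["sport"],
        "OriginDestination": orig["dst"], "OriginDPort": orig["dport"],
        # Replies go *to* the translated source and come *from* the
        # translated destination, so the reply tuple is read mirrored.
        "TranslatedSource": reply["dst"], "TranslatedSPORT": reply["dport"],
        "TranslatedDest": reply["src"], "TranslatedDPort": reply["sport"],
    }

def nat_kind(f):
    """Classify an entry by which half of the tuple was rewritten."""
    snat = (f["OriginSource"], f["OriginSPort"]) != (f["TranslatedSource"], f["TranslatedSPORT"])
    dnat = (f["OriginDestination"], f["OriginDPort"]) != (f["TranslatedDest"], f["TranslatedDPort"])
    return {(True, True): "SNAT+DNAT", (True, False): "SNAT",
            (False, True): "DNAT"}.get((snat, dnat), "none")

def nat_log(lines):
    """Build one log line per translated connection; skip untranslated flows."""
    out = []
    for line in lines:
        f = parse_entry(line)
        if f and nat_kind(f) != "none":
            out.append(nat_kind(f) + ": " + " ".join(f"{k}={v}" for k, v in f.items()))
    return out

if __name__ == "__main__":
    print("\n".join(nat_log(SAMPLE)))
```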