On Sun, 13 Mar 2005 14:34:52 +0100, Sietse van Zanen <sietse@xxxxxxxxx> wrote:
> Because netfilter is a stateful firewall basically.
> It logs the first per NEW and marks the latter as RELATED,ESTABLISHED.

But every new ping is a new connection, not related to the other ping !!!
It is not a ping-pong-ping-pong
It is ping-pong ping-pong
May be I am wrong !!!

> Only packets that match the NEW state will increment the counters. It counts how many connections have been set up. Not how many packets belonging to a connection pass. These will be counted in a -j ACCEPT --state RELATED,ESTABLISHED rule, if present.
>
> You could bypass this by creating a stateless rule, but that would defeat the purpose of a stateless firewall.
>
> -----Original Message-----
> From: Mohamed Eldesoky [mailto:eldesoky.lists@xxxxxxxxx]
> Sent: Sunday, March 13, 2005 2:21 PM
> To: Sietse van Zanen; netfilter
> Subject: Re: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
>
> On Sun, 13 Mar 2005 13:14:31 +0100, Sietse van Zanen <sietse@xxxxxxxxx> wrote:
> > What do you see when you tcpdump on your external interface? (tcpdump -i eth0). Can you see natted packets exiting that interface?
> >
> > The reason that you only see 4 packets in the iptables -t nat -L is that if you fire off 10 pings, iptables will see the latter 9 as belonging to the same connection and therefore only logs 1.
>
> How come ???
>
> >
> > It might be as simple as that the host you are trying to ping is just unpingable.
> >
> > Specify some more info, like what you are trying to ping, traceroute -I output.
> >
> > -----Original Message-----
> > From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Mårten Segerkvist
> > Sent: Sunday, March 13, 2005 1:01 PM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: NAT doesn't work (only a fraction of the forwarded packets reach the postrouting chain)
> >
> > On Sun, 13 Mar 2005, Sietse van Zanen wrote:
> >
> > > From man iptables:
> > > MASQUERADE
> > > This target is only valid in the nat table, in the POSTROUTING chain.
> > > It should only be used with dynamically assigned IP (dialup)
> > > connections: if you have a static IP address, you should use the
> > > SNAT target.
> > >
> > > Try using a regular SNAT rule:
> > >
> > > iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
> > > --to-source your.pub.ip.addr
> > >
> > Now using:
> >
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > modprobe ipt_MASQUERADE
> > modprobe iptable_filter
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT \
> > --to-source 81.172.241.145
> > iptables --append FORWARD --in-interface eth1 -j ACCEPT
> >
> > This gives me the same result as previously. What confuses me further is
> > that no packets seem to be accepted from the wlan-interface.
> >
> > > iptables -L -v
> >
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >   125  5000 ACCEPT     all  --  wlan0  any     anywhere             anywhere
> >
> > > iptables -t nat -L -v
> >
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     4   295 SNAT       all  --  any    eth0    anywhere             anywhere            to:<IP>
> >
> > As before, I'd be most grateful for any suggestions!
> >
> > /Mårten Segerkvist
> >
> >
> --
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
>

--
Mohamed Eldesoky
www.eldesoky.net
RHCE
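An added example, not part of the thread and not code from any of its participants: a small Python parser for the `iptables -L -v` listings pasted above, which reads the rule counters and reports forwarded packets against NATed flows. The sample input is the two listings from the thread, constructed inline and re-aligned; the function names (`parse_listing`, `accepted_packets`, `new_flows`, `compare`) are assumptions of this example. The point it makes concrete is Sietse's: the nat table is traversed only by the first packet of each conntrack flow, so an SNAT or MASQUERADE rule's counter counts connections, while an ACCEPT rule in the filter table's FORWARD chain counts every packet, which is how 125 forwarded packets line up with 4 POSTROUTING hits.

```python
import re

# Constructed sample input: the two counter listings pasted in the thread
# (filter table FORWARD chain and nat table POSTROUTING chain), re-aligned.
FILTER_LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  125  5000 ACCEPT     all  --  wlan0  any     anywhere             anywhere
"""

NAT_LISTING = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   295 SNAT       all  --  any    eth0    anywhere             anywhere            to:<IP>
"""

# Built-in chains print a policy line; user-defined chains print a reference count.
CHAIN_RE = re.compile(
    r"^Chain (?P<name>\S+) \((?:policy (?P<policy>\S+) (?P<pkts>\S+) packets, (?P<bytes>\S+) bytes"
    r"|(?P<refs>\d+) references)\)"
)
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(tok):
    """iptables -v abbreviates large counters as 12K / 3M / 1G unless -x is given."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"not a counter: {tok!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def parse_listing(text):
    """Parse `iptables -L -v` output into {chain: {"policy", "policy_pkts", "rules"}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = {
                "policy": m.group("policy"),
                "policy_pkts": parse_count(m.group("pkts")) if m.group("pkts") else 0,
                "rules": [],
            }
            chains[m.group("name")] = current
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # header row or blank line between chains
        f = line.split()
        # Column order of -L -v: pkts bytes target prot opt in out source destination [options]
        current["rules"].append({
            "pkts": parse_count(f[0]), "bytes": parse_count(f[1]), "target": f[2],
            "prot": f[3], "in": f[5], "out": f[6], "src": f[7], "dst": f[8],
            "extra": " ".join(f[9:]),
        })
    return chains


def accepted_packets(chain):
    """Packets a filter chain let through: ACCEPT rule hits, plus policy hits if the policy is ACCEPT."""
    n = sum(r["pkts"] for r in chain["rules"] if r["target"] == "ACCEPT")
    if chain["policy"] == "ACCEPT":
        n += chain["policy_pkts"]
    return n


def new_flows(chain):
    """Hits on SNAT/MASQUERADE rules in the nat table. The nat table is consulted only
    for the first packet of each conntrack flow, so this is a flow count, not a packet count."""
    return sum(r["pkts"] for r in chain["rules"] if r["target"] in ("SNAT", "MASQUERADE"))


def compare(filter_text, nat_text):
    """Return (forwarded packets, NATed flows, packets per flow)."""
    fwd = accepted_packets(parse_listing(filter_text)["FORWARD"])
    flows = new_flows(parse_listing(nat_text)["POSTROUTING"])
    return fwd, flows, (fwd / flows if flows else None)


if __name__ == "__main__":
    fwd, flows, ratio = compare(FILTER_LISTING, NAT_LISTING)
    print(f"FORWARD accepted {fwd} packets; POSTROUTING SNAT saw {flows} new flows "
          f"({ratio:.2f} packets per flow)")
```

On the thread's numbers this reports 125 forwarded packets against 4 new flows, about 31 packets per flow, which is what a few ping sessions of repeated echo requests look like once conntrack has matched the later requests to the first. Counters are cumulative since the rules were loaded; to read them exactly rather than as K/M abbreviations, run `iptables -L -v -x`.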