Re: NAT/POSTROUTING rules doesn't match packets


 



On Sat, 1 Oct 2005, Marek Zachara wrote:

> udp      17 23 src=10.0.0.250 dst=84.16.64.240 sport=4569 dport=4569
> packets=13426 bytes=581092 [UNREPLIED] src=84.16.64.240 dst=10.0.0.250
> sport=4569 dport=4569 packets=0 bytes=0 mark=0 use=1

Then it is NAT:ed..

Probably tcpdump gets fooled and shows you the packet as received.

If in doubt, try running the capture on a separate box connected with a hub to your "outside" connection. This will give you an exact picture of what the packets on the outside link look like.

> but still the packets don't get SNAT-ed:
>
> irongate:~# tcpdump -ni eth0 udp port 4569
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 21:26:22.239340 IP 10.0.0.250.4569 > 84.16.64.240.4569: UDP, length: 12

To me it looks like you are looking at the packets as they arrive from the internal network before SNAT. Nothing wrong in the above.

tcpdump -ni eth1 udp port 4569

should show you a different picture.

Regards
Henrik
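
Added example, not part of the original message: a conntrack entry in the layout quoted above lists the original-direction tuple followed by the expected reply tuple, and when source NAT has been applied the reply tuple's dst is the translated address rather than the original src. The sketch below compares the two tuples; the sample lines are constructed with documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample entries in the conntrack listing layout (documentation
# addresses, not taken from the thread).
SAMPLE_SNAT = ("udp      17 23 src=192.0.2.10 dst=198.51.100.7 sport=4569 dport=4569 "
               "packets=5 bytes=300 [UNREPLIED] src=198.51.100.7 dst=203.0.113.1 "
               "sport=4569 dport=4569 packets=0 bytes=0 mark=0 use=1")
SAMPLE_PLAIN = ("udp      17 23 src=192.0.2.10 dst=198.51.100.7 sport=4569 dport=4569 "
                "packets=5 bytes=300 [UNREPLIED] src=198.51.100.7 dst=192.0.2.10 "
                "sport=4569 dport=4569 packets=0 bytes=0 mark=0 use=1")

# One tuple: src/dst, with ports when the protocol has them (ICMP does not).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)(?: sport=(\d+) dport=(\d+))?")


def parse_tuples(line):
    """Return (original, reply), each as (src, dst, sport, dport) strings."""
    found = TUPLE_RE.findall(line)
    if len(found) != 2:
        raise ValueError("expected 2 tuples (original, reply), got %d" % len(found))
    return found[0], found[1]


def nat_status(line):
    """Report which translations the entry carries.

    Without NAT the reply tuple is the original tuple with src and dst
    swapped. A reply dst that differs from the original src means source
    NAT; a reply src that differs from the original dst means destination NAT.
    """
    (o_src, o_dst, o_sport, o_dport), (r_src, r_dst, r_sport, r_dport) = parse_tuples(line)
    result = {}
    if (r_dst, r_dport) != (o_src, o_sport):
        result["snat_to"] = (r_dst, r_dport)
    if (r_src, r_sport) != (o_dst, o_dport):
        result["dnat_to"] = (r_src, r_sport)
    return result


if __name__ == "__main__":
    for name, entry in (("SAMPLE_SNAT", SAMPLE_SNAT), ("SAMPLE_PLAIN", SAMPLE_PLAIN)):
        print(name, nat_status(entry) or "no translation recorded")
```

An entry keeps the tuples it was created with, so this check reflects the state of that tracked flow rather than the current rule set.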

