I'm troubleshooting an issue of accessing a VPN through NAT. Right now the problem can be reduced to the following question: Under what conditions would inbound packets not be routed through the nat PREROUTING chain?

These packets are arriving on inbound UDP port 500. They show up with tcpdump, but when I add a log rule, e.g.

iptables -t nat -I PREROUTING -p udp -j LOG

the packets are not logged. (They are also not DNAT'd to the proper internal host, but that makes sense if they're not reaching the PREROUTING chain at all.)

I have nothing in the mangle table. I am not running any IPSec services on the NAT box. There is nothing between the NAT box and the Internet.

Most of the iptables tutorials warn against filtering in nat PREROUTING, because "it will be bypassed in certain cases." But what cases are those?

The iptables LOG targets are working generally--traffic coming from the internal client to the NAT box and then the NAT box to the external VPN server are all logged. The only thing that is not being logged--and presumably not arriving at the nat PREROUTING chain--are the inbound packets. Yet they are definitely arriving, as tcpdump -i eth0 indicates.

Any suggestions?

--
Adam Rosi-Kessel
http://adam.rosi-kessel.org
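An added diagnostic script, not part of the original post or its thread, built on the standard netfilter behaviour that the nat table is consulted only for the first packet of a connection (conntrack state NEW): a packet that matches an existing conntrack entry never enters nat PREROUTING, although tcpdump and the raw table still see it. The script checks a packet's 4-tuple against sample conntrack -L output (constructed, with hypothetical addresses) and prints a raw-table LOG rule that catches inbound UDP/500 regardless of conntrack state.

```shell
#!/bin/sh
# Added diagnostic for the question above; not from the original post.
# Assumption (standard netfilter behaviour): the nat table is consulted only
# for the first packet of a connection (conntrack state NEW). A packet that
# matches an existing conntrack entry, in either direction, skips nat
# PREROUTING entirely, while tcpdump and the raw table see every packet.

# Constructed sample of `conntrack -L -p udp` output (hypothetical addresses:
# 10.0.0.5 internal client, 198.51.100.2 NAT box, 203.0.113.9 VPN server).
SAMPLE_CONNTRACK='udp      17 29 src=10.0.0.5 dst=203.0.113.9 sport=500 dport=500 src=203.0.113.9 dst=198.51.100.2 sport=500 dport=500 [ASSURED] mark=0 use=1
udp      17 170 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=0 use=1'

# tracked_flow SRC SPORT DST DPORT: reads conntrack output on stdin and
# returns 0 if a UDP packet with that 4-tuple matches any existing entry
# (original or reply tuple), i.e. it would bypass nat PREROUTING.
tracked_flow() {
    awk -v s="src=$1" -v sp="sport=$2" -v d="dst=$3" -v dp="dport=$4" '
        $1 == "udp" {
            for (i = 1; i <= NF; i++)
                if ($i == s && $(i+1) == d && $(i+2) == sp && $(i+3) == dp)
                    found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# classify_packet SRC SPORT DST DPORT: human-readable verdict for one packet.
classify_packet() {
    if tracked_flow "$@"; then
        echo "TRACKED: matches an existing conntrack entry, skips nat PREROUTING"
    else
        echo "NEW: no conntrack entry, will traverse nat PREROUTING"
    fi
}

# Rule that logs every inbound UDP packet to port $1 regardless of conntrack
# state (the raw table is hit before conntrack). Printed, not applied: needs root.
raw_log_rule() {
    echo "iptables -t raw -I PREROUTING -i eth0 -p udp --dport $1 -j LOG --log-prefix 'raw-udp$1: '"
}

# Worked run on the constructed sample: the VPN server's reply is already
# tracked (the client's outbound IKE created the entry); an unknown peer is not.
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_packet 203.0.113.9 500 198.51.100.2 500
printf '%s\n' "$SAMPLE_CONNTRACK" | classify_packet 203.0.113.77 500 198.51.100.2 500
raw_log_rule 500
```

On the real box, replace the sample with the live output of conntrack -L -p udp and compare against the tuples tcpdump shows; a TRACKED verdict explains a missing nat PREROUTING log line without any rule being wrong.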