On Thu, Nov 10, 2005 at 02:18:34PM +1100, Alexander Samad wrote:
> On Wed, Nov 09, 2005 at 08:59:37PM -0500, Adam Rosi-Kessel wrote:
> > Adam Rosi-Kessel wrote:
> > > I'm troubleshooting an issue of accessing a VPN through NAT. Right now the
> > > problem can be reduced to the following question:
> > > Under what conditions would inbound packets not be routed through the nat
> > > PREROUTING chain?
> > I should add that, just for debugging purposes, the default policy for all
> > chains is set to ACCEPT. There are also no DROP rules anywhere in any table
> > (again, just for debugging).
> my understanding is that the NAT table only sees the initial packets of
> a connection

Is that the only situation in which an inbound packet that shows up in
tcpdump would not show up in an iptables nat PREROUTING log?

I also tried adding a raw table entry to prevent connection tracking, as
follows:

iptables -t raw -A PREROUTING -p udp --dport 500 -j NOTRACK

But the iptables nat PREROUTING log still did not show any of the inbound
packets.

> if this is ipsec it could be a ipsec problem ?

Well, the NAT box is not running IPSec. I'm trying to diagnose an IPSec
problem involving the client and the server, but for various reasons I
can't make the NAT box the IPSec endpoint. It shouldn't be that difficult
because I only have one box inside the LAN with a fixed NAT IP address that
needs to connect to the VPN server, and so I'm trying to direct udp 500
right to that client, but the problem seems to be the inbound packets are
not even entering the PREROUTING chain.

-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org
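As an added illustration, not part of the thread above, here is a constructed Python model of which PREROUTING chains an inbound packet traverses: raw and mangle see every packet, nat is consulted only for the first packet of a tracked connection (in either direction), and a packet matched by a raw NOTRACK rule skips conntrack and therefore the nat table entirely. The addresses are constructed and NAT address rewriting itself is not modelled.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class PreroutingModel:
    """Simplified netfilter traversal: raw and mangle PREROUTING see every
    packet; nat PREROUTING is consulted only for the first packet of a tracked
    connection; packets hit by a raw NOTRACK rule skip conntrack and nat."""

    def __init__(self, notrack_dports=()):
        self.notrack_dports = set(notrack_dports)  # raw-table NOTRACK rules
        self.conntrack = set()                     # flows already seen
        self.hits = Counter()                      # chain -> packets traversed

    def _flow_key(self, p):
        # direction-agnostic key, so a reply matches the original connection
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def receive(self, p):
        self.hits["raw PREROUTING"] += 1
        if p.proto == "udp" and p.dport in self.notrack_dports:
            self.hits["mangle PREROUTING"] += 1
            return "UNTRACKED"  # never reaches the nat table
        key = self._flow_key(p)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        self.conntrack.add(key)
        self.hits["mangle PREROUTING"] += 1
        if state == "NEW":
            self.hits["nat PREROUTING"] += 1  # the only packet nat ever sees
        return state


# constructed addresses: VPN server and the NAT box's public side (no rewriting modelled)
SERVER = "203.0.113.10"
NATBOX = "198.51.100.20"
INBOUND = Packet(SERVER, 500, NATBOX, 500)   # IKE packet from the VPN server
OUTBOUND = Packet(NATBOX, 500, SERVER, 500)  # IKE packet from the LAN client


def simulate(packets, notrack=False):
    """Feed packets through the model; return per-packet state and chain hit counts."""
    m = PreroutingModel(notrack_dports=[500] if notrack else [])
    return [m.receive(p) for p in packets], dict(m.hits)
```

With NOTRACK on udp/500 the nat PREROUTING counter stays at zero for every packet, and without it only the first packet of the exchange, whichever direction it travels, ever reaches the nat table.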