On Thu, 10 Nov 2005, Sandro Dentella wrote:

> On Wed, Nov 09, 2005 at 08:57:45PM -0500, Adam Rosi-Kessel wrote:
> > I'm troubleshooting an issue of accessing a VPN through NAT. Right now the
> > problem can be reduced to the following question:
> >
> > Under what conditions would inbound packets not be routing through the nat
> > PREROUTING chain?
>
> That's a problem that puzzles me too.

Packets which cannot be associated with any existing connection known by
the conntrack subsystem will traverse the NAT table. If a packet is related
to any connection, which can mean:

- the packet belongs to a connection
- it is an ICMP error packet about a connection
- it is a packet of a channel (like FTP data), which can be associated
  to a connection by an appropriate helper module

then that packet won't enter the NAT table.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
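
Added example, not part of the original message: a diagnostic sketch for the first case in the reply above (a packet that belongs to a tracked connection), which checks a packet's tuple against a connection-tracking dump to predict whether it would enter the nat table. The addresses, the IKE/ESP sample flows, and the function names are constructed assumptions; ICMP errors and helper expectations are not modelled.

```python
import re

# Constructed sample in the style of `conntrack -L` output (not from the thread).
SAMPLE = """\
udp      17 170 src=192.168.1.10 dst=203.0.113.5 sport=500 dport=500 src=203.0.113.5 dst=198.51.100.2 sport=500 dport=500 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=198.51.100.2 sport=443 dport=40000 [ASSURED] mark=0 use=1
unknown  50 598 src=192.168.1.10 dst=203.0.113.5 src=203.0.113.5 dst=198.51.100.2 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Return (protonum, original_tuple, reply_tuple) for one conntrack line."""
    proto = int(line.split()[1])
    tuples, cur = [], {}
    for key, val in FIELD.findall(line):
        if key == "src" and cur:  # a second src= starts the reply-direction tuple
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)

    def norm(t):
        # Port-less protocols (e.g. ESP, protocol 50) carry None for both ports.
        return (t["src"], t["dst"], t.get("sport"), t.get("dport"))

    return proto, norm(tuples[0]), norm(tuples[1])


def traverses_nat(table_text, proto, src, dst, sport=None, dport=None):
    """True if the packet matches no tracked tuple, so it would enter the nat table."""
    pkt = (src, dst,
           None if sport is None else str(sport),
           None if dport is None else str(dport))
    for line in table_text.splitlines():
        if not line.strip():
            continue
        p, orig, reply = parse_entry(line)
        if p == proto and pkt in (orig, reply):
            return False  # belongs to a known connection: nat PREROUTING is skipped
    return True
```

On a live gateway the text passed in would be the current connection-tracking listing; a stale entry that matches the inbound tuple explains a PREROUTING rule whose counters never increase.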