On Mon, 14 Nov 2005, Adam Rosi-Kessel wrote:

> Okay--would it be sufficient to grep on port 500? conntrack tracks by port,
> right? So as long as there are *no* entries in ip_conntrack for port 500 at
> any point while I'm trying to make this connection, doesn't it mean that
> conntrack isn't handling the packets?

Yes. And if conntrack does not handle them, NAT won't do either.

> I should also mention that all other NAT stuff works fine with this setup,
> including FTP (passive and active), web browsing, etc. I am also able to
> DNAT inbound ssh connections to another internal machine. It's only these
> inbound udp port 500 that are somehow not entering the nat table or showing
> up anywhere other than in mangle PREROUTING.

Try to enable internal logging by

echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

and load in ipt_LOG or ipt_ULOG as logging engines. Add a logging rule to the
very end of the PREROUTING chain in the mangle table:

iptables -t mangle -A PREROUTING -m state --state INVALID -j LOG \
        --log-prefix "INVALID packet: "

and let's see the result. I suspect the UDP packets in question are marked as
INVALID for some reason.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
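The two checks discussed in this exchange (look for port-500 entries in the conntrack table, then read the "INVALID packet: " lines that the suggested LOG rule produces) are easy to script. The following is an added shell example, written for this page and not part of the thread or of the netfilter project: it runs both checks offline against constructed sample data. The conntrack lines and kernel log lines are constructed to mimic the ip_conntrack table format and ipt_LOG output of that era; the helper names count_udp_entries and invalid_summary are my own; /proc/net/ip_conntrack is the legacy path matching the mail (newer kernels expose the same table as /proc/net/nf_conntrack).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): offline versions of the
# two diagnostic checks, run against constructed sample data.

# Constructed sample of /proc/net/ip_conntrack lines (legacy format).
SAMPLE_CONNTRACK='udp      17 29 src=192.0.2.10 dst=198.51.100.1 sport=500 dport=500 [UNREPLIED] src=198.51.100.1 dst=192.0.2.10 sport=500 dport=500 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=41234 dport=22 src=198.51.100.7 dst=10.0.0.5 sport=22 dport=41234 [ASSURED] use=1
udp      17 170 src=10.0.0.5 dst=10.0.0.1 sport=32768 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=32768 use=1'

# Constructed kernel log lines in the shape ipt_LOG emits, carrying the
# "INVALID packet: " prefix from the rule suggested in the mail.
SAMPLE_LOG='Nov 14 12:00:01 gw kernel: INVALID packet: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.1 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=100
Nov 14 12:00:02 gw kernel: INVALID packet: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=58 ID=2 DF PROTO=TCP SPT=443 DPT=41000 WINDOW=0 RES=0x00 ACK RST URGP=0
Nov 14 12:00:03 gw kernel: INVALID packet: IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=500 DPT=500 LEN=100'

# Count UDP conntrack entries whose original-direction tuple uses PORT as
# source or destination port.
# Usage: count_udp_entries PORT [CONNTRACK_TEXT]
# Without CONNTRACK_TEXT the live legacy table is read (0 if absent).
count_udp_entries() {
    port=$1
    text=${2:-$(cat /proc/net/ip_conntrack 2>/dev/null)}
    printf '%s\n' "$text" | awk -v p="$port" '
        $1 == "udp" {
            # fields 4..7 are src=, dst=, sport=, dport= of the original tuple
            for (i = 4; i <= 7; i++)
                if ($i == ("sport=" p) || $i == ("dport=" p)) { n++; break }
        }
        END { print n + 0 }'
}

# Summarise INVALID-prefixed log lines as sorted "PROTO SPT DPT count" rows,
# so a burst of dropped IKE (UDP/500) packets stands out at a glance.
# Usage: invalid_summary LOG_TEXT
invalid_summary() {
    printf '%s\n' "$1" | awk '
        /INVALID packet: / {
            proto = spt = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            c[proto " " spt " " dpt]++
        }
        END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone run against the constructed samples.
echo "UDP/500 conntrack entries: $(count_udp_entries 500 "$SAMPLE_CONNTRACK")"
invalid_summary "$SAMPLE_LOG"
```

On a live gateway you would run count_udp_entries 500 with no second argument while the IKE negotiation is attempted, and feed invalid_summary the output of dmesg (or the syslog file that receives kernel messages); a non-zero UDP 500 500 row confirms the suspicion voiced in the mail that the packets reach PREROUTING but are classified INVALID before NAT sees them.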