On Tue, 15 Nov 2005, Adam Rosi-Kessel wrote:

> Jozsef: By the way, I'm unable to email you directly either from my
> personal account or from gmail. I assume that is by design, but I thought
> I'd mention it just in case.

*.dsl.speakeasy.net is blacklisted at our campus.

> No luck with logging, but I don't seem to have
> /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
> even with ipt_LOG or ipt_ULOG loaded.
>
> I'm running kernel 2.6.8-2-k7 from Debian Stable, iptables v1.2.11.

Try to upgrade to a newer kernel.

> I did try adding the LOG rule to mangle PREROUTING for INVALID packets
> but there was no result.

That means the packets are not INVALID then. Drop the INVALID state
matching part from the logging rule and repeat the test.

> Below is the output of everything I can think of that would be relevant.

[...]

> # netstat-nat -n | grep 500
> udp LOCAL_CLIENT:500 SERVER:500 ASSURED

The connection is in the conntrack table and the NAT rule was applied.
Good. But next time please send the output of
'grep port=500 /proc/net/ip_conntrack' instead.

> # tcpdump -i any 'udp port 500'
> 18:40:06.977738 IP LOCAL_CLIENT.500 > SERVER.500: isakmp: phase 1 I agg
> 18:40:06.977836 IP EXTERNAL_IP_OF_NAT_BOX.500 > SERVER.500: isakmp: phase 1 ? agg

Packet natted and sent out.

> 18:40:07.620295 IP SERVER.500 > EXTERNAL_IP_OF_NAT_BOX.500: isakmp: phase 1 R agg
> 18:40:15.154788 IP SERVER.500 > EXTERNAL_IP_OF_NAT_BOX.500: isakmp: phase 1 R agg

Server responds but it seems the firewall does not forward the packet.
I have no better idea than repeating the test with general logging in
the mangle table.

You mentioned the raw table earlier. What is the output of
'iptables -t raw -L'?

Do you know what (other) patches from patch-o-matic(-ng) were applied
in your kernel?
Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
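The debugging steps Jozsef asks for above (read the IKE entries out of /proc/net/ip_conntrack, tell an UNREPLIED entry from an ASSURED one, confirm the NAT mapping, and log UDP 500 in the mangle table without the INVALID match) as a small POSIX sh script. This is an added example, not code from the thread or from the netfilter project; the conntrack lines and the addresses in it are constructed (192.168.1.x stands for LOCAL_CLIENT, 198.51.100.7 for EXTERNAL_IP_OF_NAT_BOX, 203.0.113.5 for SERVER), and the line format is the 2.6.x ip_conntrack one, in which the first src=/dst= pair is the original direction and the second pair is the expected reply.

```sh
#!/bin/sh
# Added example for the debugging steps in the reply above; not code from the
# original thread. Addresses are constructed (RFC 5737 ranges):
#   192.168.1.x   = LOCAL_CLIENT(s) behind the NAT box
#   198.51.100.7  = EXTERNAL_IP_OF_NAT_BOX
#   203.0.113.5   = SERVER (IKE peer, UDP 500)

# Constructed sample of /proc/net/ip_conntrack in the 2.6.x ip_conntrack format.
# Line 1: IKE flow that has seen replies ([ASSURED]); line 2: unrelated ssh flow;
# line 3: IKE flow whose reply never came back ([UNREPLIED]).
SAMPLE_CONNTRACK='udp      17 172 src=192.168.1.10 dst=203.0.113.5 sport=500 dport=500 src=203.0.113.5 dst=198.51.100.7 sport=500 dport=500 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.9 sport=40000 dport=22 src=203.0.113.9 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] use=1
udp      17 20 src=192.168.1.11 dst=203.0.113.5 sport=500 dport=500 [UNREPLIED] src=203.0.113.5 dst=198.51.100.7 sport=500 dport=500 use=1'

# Equivalent of "grep port=500 /proc/net/ip_conntrack": print the IKE entries
# (matches both sport=500 and dport=500) from conntrack text given as $1.
ike_conntrack_entries() {
    printf '%s\n' "$1" | grep -F 'port=500'
}

# Classify one conntrack line by whether the reply direction has been seen.
# [UNREPLIED] = only the outgoing packet seen; [ASSURED] = traffic seen in both
# directions; anything else = a reply was seen but the entry is not yet assured.
conntrack_reply_state() {
    case " $1 " in
        *' [UNREPLIED] '*) echo unreplied ;;
        *' [ASSURED] '*)   echo assured ;;
        *)                 echo replied ;;
    esac
}

# Show the NAT mapping recorded in one conntrack line: the original source
# (first src=) versus the address the peer replies to (last dst=). If they
# differ, SNAT/MASQUERADE was applied to this connection.
conntrack_nat_mapping() {
    printf '%s\n' "$1" | awk '{
        osrc = ""; rdst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && osrc == "") osrc = substr($i, 5)
            if ($i ~ /^dst=/) rdst = substr($i, 5)
        }
        if (osrc == rdst) print osrc " (no NAT)"
        else print osrc " natted-as " rdst
    }'
}

# Logging rules for the next test run: match UDP 500 in the mangle table on the
# three chains a forwarded packet crosses, with no INVALID state match, so the
# reply from SERVER is logged at whichever hook still sees it. Also lists the
# raw table and the conntrack entries, as asked for in the reply. Only prints
# the commands; review them, then pipe to sh as root on the NAT box.
ike_debug_rules() {
    for chain in PREROUTING FORWARD POSTROUTING; do
        echo "iptables -t mangle -I $chain -p udp --dport 500 -j LOG --log-prefix \"ike-$chain: \""
    done
    echo 'iptables -t raw -L -n -v'
    echo 'grep port=500 /proc/net/ip_conntrack'
}

# Stand-alone run over the constructed sample.
ike_conntrack_entries "$SAMPLE_CONNTRACK" | while IFS= read -r line; do
    echo "$(conntrack_reply_state "$line"): $(conntrack_nat_mapping "$line")"
done
ike_debug_rules
```

On a real box, replace the constructed sample with `$(cat /proc/net/ip_conntrack)`. An IKE entry that stays UNREPLIED while tcpdump shows the server's answer arriving on the external interface means the reply never reached conntrack's PREROUTING hook or was dropped before FORWARD, which is exactly where the three LOG rules narrow it down.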