Marcin Krol wrote:
> Hello Adam,
> Look at point 6.3 here:
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> There was smth in the tutorial about only the first packet from NEW
> connection hitting the chains and the rest of them being handled by
> conntrack, although can't remember where exactly this was located in
> tutorial.
> This would explain the UDP traffic being handled in its entirety
> since UDP is connectionless and conntrack.

Hi Marcin:

I'm not exactly sure what you mean by the last sentence--did you leave off a word or two? I think what you're saying is that the subsequent packets aren't showing up in nat PREROUTING because they're being tracked. This makes sense--once a connection is tracked or ASSURED the packets don't go through nat PREROUTING anymore.

And the connection in question *is* being tracked -- it shows up in /proc/net/ip_conntrack as ASSURED. Even though the connection is tracked, the traffic *doesn't* show up when watching the inward facing network card with ethereal or tcpdump. With other tracked connections (for example, an ssh or http connection) I see all traffic with tcpdump: coming from internal client to nat box, nat box to external server, then back from external server to nat box, and from nat box to internal client. With this connection, however, I see 3 out of 4 with tcpdump -- the traffic comes back into the nat box from the outside, is apparently properly tracked according to /proc/net/ip_conntrack, but it never leaves again on the internal facing network card.

-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org
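Since the diagnosis above turns on what /proc/net/ip_conntrack says about the flow, here is an added example (not from the thread or the tutorial) that parses entries in that file's format, reports whether each is ASSURED and SNATed, and builds the tcpdump filter for the de-NATed reply you would expect to see on the inward facing card. The sample entries, addresses and ports are constructed.

```python
import os
import re

# Constructed sample in /proc/net/ip_conntrack format (not from the thread):
# 192.168.1.10 = inside client, 198.51.100.2 = NAT box outside address,
# 203.0.113.5 = outside server (documentation ranges).
SAMPLE_CONNTRACK = """\
udp      17 170 src=192.168.1.10 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=198.51.100.2 sport=5060 dport=5060 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=43210 dport=22 src=203.0.113.5 dst=198.51.100.2 sport=22 dport=43210 [ASSURED] use=1
udp      17 25 src=192.168.1.10 dst=203.0.113.5 sport=40000 dport=53 [UNREPLIED] src=203.0.113.5 dst=198.51.100.2 sport=53 dport=40000 use=1
"""
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text):
    """Parse ip_conntrack lines into dicts of original tuple and NAT/ASSURED flags."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue  # malformed or truncated line
        orig, reply = tuples
        osrc, odst, osport, odport = orig
        rsrc, rdst, rsport, rdport = reply
        entries.append({
            "proto": fields[0],
            "orig": orig,
            # ASSURED: both directions seen; later packets match this entry
            # and are de-NATed by conntrack without revisiting nat PREROUTING.
            "assured": "[ASSURED]" in fields,
            # SNAT if replies are addressed to something other than the original source.
            "snat": (rdst, rdport) != (osrc, osport),
            # DNAT if replies come from something other than the original destination.
            "dnat": (rsrc, rsport) != (odst, odport),
        })
    return entries


def internal_leg_filter(entry):
    """tcpdump filter for the de-NATed reply on the inside interface (orig tuple swapped)."""
    osrc, odst, osport, odport = entry["orig"]
    return "%s and src host %s and src port %s and dst host %s and dst port %s" % (
        entry["proto"], odst, odport, osrc, osport)


if __name__ == "__main__":
    path = "/proc/net/ip_conntrack"  # the live table when run on the NAT box itself
    text = open(path).read() if os.path.exists(path) else SAMPLE_CONNTRACK
    for e in parse_conntrack(text):
        print("%s %s assured=%s snat=%s" % (e["proto"], e["orig"], e["assured"], e["snat"]))
        print("  inside leg: tcpdump -ni <inside-if> '%s'" % internal_leg_filter(e))
```

If the entry is ASSURED and SNATed but the printed filter captures nothing on the inside interface, the reply is reaching conntrack and being dropped or misrouted after de-NAT, which narrows the search to the filter table and routing rather than the nat table.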