Hello, Pokotilenko Kostik wrote:
> Is it possible to catch un-DNAT'ed packets with iptables' -j ULOG target?
I'm afraid not.
> Where does the un-DNAT occur, and is there a table/chain that is processed after un-DNAT?
In 2.4 kernels, when DNAT occurs in the PREROUTING chain, un-DNAT occurs at the same place as (and in place of) the POSTROUTING chain of the 'nat' table, and there is no chain after it. In 2.4 kernels >= 2.4.19, when DNAT occurs in the OUTPUT chain, un-DNAT occurs after the INPUT chain of the 'filter' table, and there is no chain after it either. I suppose it has not changed in 2.6 kernels.
> The problem I have is that reply packets get caught with the real source address, not the one the client initially connected to. I was catching reply packets in mangle/POSTROUTING.
The POSTROUTING chain of the 'mangle' table is just before the un-DNAT place.
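The traversal order described in this reply, modelled as an added Python illustration (this is not code from the thread or from netfilter): a minimal connection-tracking table applies DNAT at nat/PREROUTING in the client-to-server direction, and on the reply path the mangle/POSTROUTING hook is visited before the un-DNAT step, with nothing after it. The addresses, ports, and the `Packet`/`ConnTrack` names are constructed for the example; running `demo()` shows that what mangle/POSTROUTING logs is the real server address, while the address that goes out on the wire is the one the client connected to.

```python
"""Model of the 2.4 netfilter order stated in the thread:
nat/PREROUTING (DNAT) ... mangle/POSTROUTING, then un-DNAT in place of
nat/POSTROUTING, with no chain after it.  Added illustration only;
addresses and class names are constructed for this example."""
from dataclasses import dataclass, replace

# Constructed addresses (documentation ranges), not from the thread.
CLIENT, CLIENT_PORT = "192.0.2.10", 40000      # the client host
PUBLIC, PUBLIC_PORT = "198.51.100.1", 80       # address the client connects to
SERVER, SERVER_PORT = "10.0.0.5", 8080         # real server behind DNAT


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class ConnTrack:
    """Tiny conntrack table: reply-direction tuple -> original destination."""

    def __init__(self):
        self.entries = {}

    def dnat(self, pkt, new_dst, new_dport):
        """nat/PREROUTING DNAT: rewrite the destination and remember how the
        server's replies must be mapped back."""
        translated = replace(pkt, dst=new_dst, dport=new_dport)
        reply_tuple = (translated.dst, translated.dport, pkt.src, pkt.sport)
        self.entries[reply_tuple] = (pkt.dst, pkt.dport)
        return translated

    def reverse_nat(self, reply):
        """Un-DNAT: restore the address/port the client originally used."""
        key = (reply.src, reply.sport, reply.dst, reply.dport)
        orig_dst, orig_dport = self.entries[key]
        return replace(reply, src=orig_dst, sport=orig_dport)


def client_to_server(ct, pkt, log):
    """Forward direction: DNAT happens in nat/PREROUTING, so by the time
    mangle/POSTROUTING runs the packet already carries the real server."""
    log.append(("nat/PREROUTING before DNAT", pkt))
    pkt = ct.dnat(pkt, SERVER, SERVER_PORT)
    log.append(("mangle/POSTROUTING", pkt))
    return pkt


def server_to_client(ct, reply, log):
    """Reply direction: mangle/POSTROUTING is traversed first, then the
    un-DNAT step (where nat/POSTROUTING would be); no chain follows it."""
    log.append(("mangle/POSTROUTING", reply))
    reply = ct.reverse_nat(reply)
    log.append(("un-DNAT, no chain after this", reply))
    return reply


def demo():
    """Return (source seen at mangle/POSTROUTING, source on the wire)
    for the server's reply packet."""
    ct, log = ConnTrack(), []
    syn = Packet(CLIENT, PUBLIC, CLIENT_PORT, PUBLIC_PORT)
    client_to_server(ct, syn, log)
    reply = Packet(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT)
    on_wire = server_to_client(ct, reply, log)
    seen = [p for chain, p in log if chain == "mangle/POSTROUTING"][-1]
    return seen.src, on_wire.src


if __name__ == "__main__":
    logged, wire = demo()
    print(f"mangle/POSTROUTING logs src={logged}, wire carries src={wire}")
```

The point the model makes is the one in the reply above: a ULOG (or any other) rule in mangle/POSTROUTING sees the reply with the real server as source, because the reverse translation has not happened yet, and no table is consulted once it has.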