Hello,
Fabio Muzzi wrote:
I am running a firewall with Debian Linux (kernel 2.6.15) and I am
experiencing a strange behavior in a simple SNAT rule.
[...]
Running a simple "ethereal -i eth2 'not host 217.221.234.74'" I can see
that sometimes some packets go through WAN interface without being SNATed
by netfilter.
Maybe these packets are considered in the INVALID state by the Netfilter
connection tracking. Packets in the INVALID state bypass the stateful
NAT processing. You may add a rule to log INVALID packets and compare
them with the tcpdump output:
iptables -I FORWARD -o eth2 -m state --state INVALID \
-j LOG --log-prefix "FWD_INV "
Anyway there is no chance that another NAT rule may cause this, as
packets belonging or related to an established connection don't go
through the nat chains.
Note:
This may be related to the thread "Dropped fin acks (iptables + lvs)"
above, as in both cases most affected packets seem to be FIN/ACK and
RST/ACK.
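To make the comparison suggested above concrete, here is an added example that is not part of the original mail or of the netfilter project: a POSIX shell script that parses kernel log lines carrying the "FWD_INV " prefix produced by the LOG rule, extracts from a tcpdump-style capture of eth2 the packets that still carry a LAN source address (that is, packets that left the WAN interface without being SNATed), and correlates the two sets by flow. The log lines, the capture lines, the hostname "fw", the addresses and the LAN prefix 192.168.1. are constructed sample data; the TCP flag tokens are listed in the order the netfilter LOG target prints them.

```shell
#!/bin/sh
# Correlate FORWARD/INVALID log entries with un-SNATed packets seen on the
# WAN interface. All input below is constructed sample data.

# Constructed kernel log lines in netfilter LOG target format. The third line
# has a different prefix and must be ignored by the parser.
FWD_INV_LOG=$(cat <<'EOF'
Jan 10 12:00:01 fw kernel: FWD_INV IN=eth1 OUT=eth2 SRC=192.168.1.10 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
Jan 10 12:00:02 fw kernel: FWD_INV IN=eth1 OUT=eth2 SRC=192.168.1.11 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 10 12:00:03 fw kernel: FWD_DROP IN=eth1 OUT=eth2 SRC=192.168.1.12 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
)

# Constructed tcpdump-style capture taken on eth2 (the WAN side). The second
# packet carries the firewall's public address, so it was SNATed correctly.
WAN_CAPTURE=$(cat <<'EOF'
12:00:01.000001 IP 192.168.1.10.45678 > 198.51.100.20.80: Flags [F.], seq 101, ack 1, win 0, length 0
12:00:01.000002 IP 217.221.234.74.40001 > 198.51.100.20.80: Flags [P.], seq 1:101, ack 1, win 229, length 100
12:00:02.000003 IP 192.168.1.11.50000 > 203.0.113.5.443: Flags [R.], seq 1, ack 1, win 0, length 0
EOF
)

# Assumed LAN prefix: any packet on eth2 with a source in this range was not SNATed.
LAN_PREFIX="192.168.1."

# Print one line per FWD_INV log entry: "src:spt -> dst:dpt FLAG/FLAG".
inv_flows() {
  printf '%s\n' "$FWD_INV_LOG" | awk '
    / FWD_INV / {
      src = dst = spt = dpt = flags = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        # Bare flag tokens as printed by the LOG target (URGP=0 does not match).
        else if ($i ~ /^(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)$/) flags = flags $i "/"
      }
      sub(/\/$/, "", flags)
      print src ":" spt " -> " dst ":" dpt " " flags
    }'
}

# Print "src:spt -> dst:dpt" for capture lines whose source is still a LAN address.
leaked_flows() {
  printf '%s\n' "$WAN_CAPTURE" | awk -v lan="$LAN_PREFIX" '
    $2 == "IP" && index($3, lan) == 1 {
      split($3, a, "."); src = a[1] "." a[2] "." a[3] "." a[4]; spt = a[5]
      sub(/:$/, "", $5)
      split($5, b, "."); dst = b[1] "." b[2] "." b[3] "." b[4]; dpt = b[5]
      print src ":" spt " -> " dst ":" dpt
    }'
}

# Flows that were both logged as INVALID and observed un-SNATed on eth2.
correlate() {
  t1=$(mktemp); t2=$(mktemp)
  inv_flows | cut -d' ' -f1-3 | LC_ALL=C sort -u > "$t1"
  leaked_flows | LC_ALL=C sort -u > "$t2"
  comm -12 "$t1" "$t2"
  rm -f "$t1" "$t2"
}

echo "Packets logged as INVALID in FORWARD:"
inv_flows
echo "Flows also seen leaving eth2 without SNAT:"
correlate
```

Run against real data, replace the two heredocs with `journalctl -k` or `/var/log/kern.log` output and a `tcpdump -n -i eth2` capture; every flow that appears in both lists is a packet that bypassed the nat table because conntrack classified it as INVALID, and the flag column shows whether the FIN/ACK and RST/ACK pattern mentioned in the note holds.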