On 5/22/07, Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> wrote:
> iptables -t nat -N yes_do_me_1
> iptables -t nat -A yes_do_me_1 -j LOG ...
> iptables -t nat -A yes_do_me_1 -j SNAT ...
> iptables -t nat -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1
>
> Or you could use `conntrack -E`... or conntrack -L for a momentary state.
Jan, thank you for your suggestion, but setting it up that way gives me the same results as before. The log entry looks like this:

IN= OUT=eth0 SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=52743 DF PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

"SRC" is the inside client address. "DST" is the outside server address. I still need to log the outside address the client is SNATed to, i.e. the public Internet address the server will see.

`cat /proc/net/ip_conntrack` will give me the momentary state, but I want each connection syslogged at set-up and/or tear-down. Petr recommended the conntrack tool, which may work but will require upgrading a box that is currently running Debian Sarge. Is that my only option?

Thanks,
Craig
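The mapping Craig is after (inside client -> outside server -> SNATed public address) lives in the conntrack reply tuple, not in the LOG line. The script below is an added example, not from anyone in this thread: it assumes the conntrack-tools `conntrack -E` line format and uses constructed sample lines (203.0.113.5 stands in for the public SNAT address), and turns each NEW/DESTROY event into one syslog-friendly line.

```shell
#!/bin/sh
# Constructed sample: two conntrack event lines for one SNATed TCP connection
# (format assumed from conntrack-tools `conntrack -E`; addresses are examples,
# 203.0.113.5 standing in for the public SNAT address). Lines from
# /proc/net/ip_conntrack carry the same tuples without the leading [EVENT].
SAMPLE_EVENTS='    [NEW] tcp      6 120 SYN_SENT src=10.1.2.3 dst=209.85.139.147 sport=1535 dport=80 [UNREPLIED] src=209.85.139.147 dst=203.0.113.5 sport=80 dport=1535
[DESTROY] tcp      6 src=10.1.2.3 dst=209.85.139.147 sport=1535 dport=80 src=209.85.139.147 dst=203.0.113.5 sport=80 dport=1535 [ASSURED]'

# nat_map_lines: read conntrack lines on stdin and print, per entry,
#   EVENT proto client=ORIG_SRC:SPORT server=ORIG_DST:DPORT snat=REPLY_DST:REPLY_DPORT
# The first src=/dst= pair is the original tuple (what the client sent); the
# reply tuple's dst= is the address/port SNAT rewrote the source to, which is
# exactly what the remote server sees and what the LOG target cannot show.
nat_map_lines() {
  awk '
  {
    ev = ($1 ~ /^\[/) ? $1 : "TABLE"      # "[NEW]" / "[DESTROY]" or a plain table line
    gsub(/\[|\]/, "", ev)
    proto = (ev == "TABLE") ? $1 : $2
    n = 0
    for (j = 1; j <= 2; j++) { src[j] = dst[j] = sport[j] = dport[j] = "-" }
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "src") { n++; src[n] = kv[2] }      # each src= opens a new tuple
      else if (kv[1] == "dst")   dst[n]   = kv[2]
      else if (kv[1] == "sport") sport[n] = kv[2]     # stays "-" for ICMP entries
      else if (kv[1] == "dport") dport[n] = kv[2]
    }
    if (n == 2)   # only entries that carry both tuples are meaningful NAT mappings
      printf "%s %s client=%s:%s server=%s:%s snat=%s:%s\n", ev, proto, src[1], sport[1], dst[1], dport[1], dst[2], dport[2]
  }'
}

# nat_map_sample: run the mapper over the constructed sample above.
nat_map_sample() {
  printf '%s\n' "$SAMPLE_EVENTS" | nat_map_lines
}

nat_map_sample
```

On a live box the same function can be fed by `conntrack -E -p tcp | nat_map_lines | logger -t snatlog`, giving one syslog entry at set-up (NEW) and tear-down (DESTROY) with the SNAT address included.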