On Jun 5 2007 19:10, Craig Bernstein wrote:

> On 5/22/07, Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> wrote:
>> iptables -t nat -N yes_do_me_1
>> iptables -t nat -A yes_do_me_1 -j LOG ...
>> iptables -t nat -A yes_do_me_1 -j SNAT ...
>>
>> iptables -t nat -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1
>>
>> Or you could use `conntrack -E`... or conntrack -L for a momentary
>> state.
>
> Jan, thank you for your suggestion, but setting it up that way gives
> me the same results as before. The log entry looks like this:
>
> IN= OUT=eth0 SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00
> TTL=125 ID=52743 DF PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00
> SYN URGP=0
>
> "SRC" is the inside client address. "DST" is the outside server
> address. I still need to log the outside address the client is SNATed
> to, i.e. the public Internet address the server will see.

iptables -t nat -N ydm1
iptables -t nat -A ydm1 -j LOG --log-prefix "[Address got SNATed to 134.76.13.21] "
iptables -t nat -A ydm1 -j SNAT --to 134.76.13.21
iptables -t nat -A POSTROUTING <-d condition -m condition or whatever> -j ydm1

It already was a complete example. When you SNAT, you know you do.

> Petr recommended the conntrack tool, which may work but will require
> upgrading a box that is currently running Debian Sarge. Is that my
> only option?

Teardown logging: yes. Setup: See above and/or conntrack.

Jan
--
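A way to consume the log lines such a per-address chain produces, as an added example that is not from this thread: it parses the kernel LOG format quoted above, pulls the SNAT address out of the rule's --log-prefix, and builds the inside-client to public-address mapping that was asked for. The prefix text, sample log lines and function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Prefix written by the LOG rule in the chain above (constructed to match it).
PREFIX_RE = re.compile(r"\[Address got SNATed to (?P<snat>\d{1,3}(?:\.\d{1,3}){3})\]")
# Bare tokens the kernel emits without a "key=" part.
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines: one from the SNAT chain (with syslog header),
# one from a plain filter-table LOG rule that carries no SNAT prefix.
SAMPLE_LINES = [
    "Jun  5 19:10:00 gw kernel: [Address got SNATed to 134.76.13.21] IN= OUT=eth0 "
    "SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=52743 DF "
    "PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
    "IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00 "
    "TTL=125 ID=52744 DF PROTO=TCP SPT=1536 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
]

@dataclass
class SnatLogEntry:
    snat_addr: Optional[str]      # address from the prefix, None if no prefix
    fields: Dict[str, str]        # key=value tokens; "IN=" keeps an empty value
    flags: Set[str]               # bare tokens such as DF, SYN

def parse_log_line(line: str) -> SnatLogEntry:
    """Split a netfilter LOG line into prefix, key=value fields and flags."""
    start = line.find("IN=")      # the kernel always starts the fields with IN=
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    head, body = line[:start], line[start:]
    m = PREFIX_RE.search(head)    # prefix (and any syslog header) precede IN=
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in FLAGS:
            flags.add(tok)
    return SnatLogEntry(m.group("snat") if m else None, fields, flags)

def snat_mapping(lines: List[str]) -> Dict[Tuple[str, str], Tuple[str, str, str]]:
    """Map (inside SRC, SPT) -> (public SRC, DST, DPT) from SNAT-chain log lines.
    Only the first packet of a connection hits the nat table, so each logged
    SYN is one new outbound connection; lines without the prefix are skipped."""
    mapping = {}
    for line in lines:
        try:
            e = parse_log_line(line)
        except ValueError:
            continue
        if e.snat_addr is None or "SYN" not in e.flags or "ACK" in e.flags:
            continue
        key = (e.fields["SRC"], e.fields.get("SPT", ""))
        mapping[key] = (e.snat_addr, e.fields["DST"], e.fields.get("DPT", ""))
    return mapping
```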