Jordan Russell wrote:

> BTW: does the LOG output indicate that netfilter translated the source
> address of 70.243.226.250 to 192.168.0.133? If so, shouldn't it have
> instead translated the *destination* address of 123.23.23.23 (=eth1) to
> 192.168.0.133? Could this be why the ICMP packet was generated in the
> first place?

To clarify my question: If tcpdump on eth1 reports:

    70.243.226.250.1703 > 123.23.23.23.25000

while my LOG rule reports for the same packet:

    ... [SRC=192.168.0.133 DST=123.23.23.23 ... SPT=25000 DPT=25000

isn't this saying that netfilter translated the *source* address of the
packet?

Since port 25000 is covered by a DNAT rule:

    -A PREROUTING -i eth1 -p tcp -m tcp --dport 25000 -j DNAT --to-destination 192.168.0.133

shouldn't it have set the *destination* address of the packet to
192.168.0.133, while leaving the source address unchanged?

So: It appears as though netfilter is (in rare cases) translating the
source address of packets when it should be translating the destination
address. Or am I misinterpreting the log output?

-- 
Jordan Russell
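As an added example (not part of the message above), the following Python script parses the tcpdump summary and the iptables LOG line quoted in the post and checks whether the logged addresses are consistent with what the DNAT rule is supposed to do (destination rewritten to 192.168.0.133, source untouched). The constants, the classification labels and the extra sample lines are constructed for illustration.

```python
import re

# Values taken from the message: public address on eth1, DNAT target and port.
PUBLIC_IP = "123.23.23.23"
DNAT_TARGET = "192.168.0.133"
DNAT_PORT = 25000

TCPDUMP_RE = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+)")
LOG_FIELD_RE = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")


def parse_tcpdump(line):
    """Return (src, sport, dst, dport) from a tcpdump summary line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("no address pair in tcpdump line")
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def parse_log(line):
    """Return (src, sport, dst, dport) from an iptables LOG line."""
    f = dict(LOG_FIELD_RE.findall(line))
    return f.get("SRC"), int(f.get("SPT", 0)), f.get("DST"), int(f.get("DPT", 0))


def classify(wire, logged):
    """Compare the pre-NAT packet seen on the wire with the logged packet.

    'pre-dnat'      logged before DNAT ran: addresses match the wire
    'dnat-ok'       destination rewritten to the DNAT target, source unchanged
    'src-rewritten' source differs from the wire, which is not what DNAT does
    'unrelated'     the DNAT port is not involved at all
    """
    wsrc, wsport, wdst, wdport = wire
    lsrc, lsport, ldst, ldport = logged
    if DNAT_PORT not in (wdport, ldport, lsport):
        return "unrelated"
    if (lsrc, ldst) == (wsrc, wdst):
        return "pre-dnat"
    if lsrc == wsrc and ldst == DNAT_TARGET and ldport == DNAT_PORT:
        return "dnat-ok"
    if lsrc != wsrc:
        return "src-rewritten"
    return "unexpected"


if __name__ == "__main__":
    wire = parse_tcpdump("70.243.226.250.1703 > 123.23.23.23.25000")
    logged = parse_log("[SRC=192.168.0.133 DST=123.23.23.23 PROTO=TCP SPT=25000 DPT=25000")
    print(classify(wire, logged))  # prints "src-rewritten"
```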