On Fri, 22 Aug 2008 10:05:09 -0400 (EDT) Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:

> [..]
>
> Try adding
>     iptables -t nat -A PREROUTING -j LOG --log-prefix "[this did not get nated]"
> and compare with the DROP IN=... line when they appear together.
>
> [..

Hi,

I have now added three logging rules: the first one - as you suggested - as the last rule of the PREROUTING chain, and two additional logging rules quite at the beginning of the INPUT chain:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target         prot opt in        out  source     destination
 380K   57M accounting_in  all  --  *         *    0.0.0.0/0  0.0.0.0/0
 380K   57M blacklist_src  all  --  *         *    0.0.0.0/0  0.0.0.0/0
  820 53788 LOG            tcp  --  external  *    0.0.0.0/0  <external mailserver IP>  LOG flags 0 level 4 prefix `[not nated]'
 256K   41M ACCEPT         all  --  *         *    0.0.0.0/0  0.0.0.0/0                 state RELATED,ESTABLISHED
  820 53788 LOG            tcp  --  external  *    0.0.0.0/0  <external mailserver IP>  LOG flags 0 level 4 prefix `[not nated nor established]'

Now I can confirm that the packets in question are indeed caught by the INPUT chain, i.e. they show up in both logging rules in this chain. However, they do not show up in the logging rule inside the PREROUTING chain, so I assume they do not even pass this chain?

Best regards,
Bram.
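An added example, not part of this thread: a small Python parser for the `iptables -L -v -n` listing format shown above that pulls the packet counter of every LOG rule and flags INPUT prefixes that counted packets while the nat PREROUTING LOG stayed at zero. The listing it runs on is constructed from the message (mail server address replaced by 203.0.113.25, the nat chain and its counters made up).

```python
import re
# Constructed sample in the shape of `iptables -L -v -n` output: the INPUT chain
# from the message above (mail server address swapped for a documentation IP)
# plus a made-up nat PREROUTING chain whose suggested LOG rule is still at zero.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 380K   57M accounting_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 380K   57M blacklist_src  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  820 53788 LOG        tcp  --  external *       0.0.0.0/0            203.0.113.25         LOG flags 0 level 4 prefix `[not nated]'
 256K   41M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  820 53788 LOG        tcp  --  external *       0.0.0.0/0            203.0.113.25         LOG flags 0 level 4 prefix `[not nated nor established]'

Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  external *       0.0.0.0/0            203.0.113.25         tcp dpt:25 to:10.0.0.5
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `[this did not get nated]'
"""

SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}

def parse_counter(token):
    """Turn an iptables -v counter such as '57M' or '820' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"bad counter: {token!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_log_counters(listing):
    """Map (chain, log prefix) -> packet count for every LOG rule in a listing."""
    counters, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] == "pkts" or fields[2] != "LOG":
            continue
        m = re.search(r"prefix `(.*)'", line)
        counters[(chain, m.group(1) if m else "")] = parse_counter(fields[0])
    return counters

def nat_misses(counters, nat_chain="PREROUTING", filter_chain="INPUT"):
    """Filter-chain LOG prefixes that counted packets while no nat-chain LOG did.
    The nat table is consulted only for the first packet of a connection, and
    packets conntrack rates INVALID skip it as well, so this pattern is expected."""
    if any(n for (c, _), n in counters.items() if c == nat_chain):
        return []
    return sorted(p for (c, p), n in counters.items() if c == filter_chain and n > 0)
```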