RE: Random NAT drop

> > > I have set up a Linux firewall on the edge of the network and doing
> > > SNAT for internal IPs. When I sniff on the external interface for
> > > internal source IPs, I am seeing FIN packets from internal IPs going
> > > out without being NAT-ed.
> >
> > These packets are probably classified in the INVALID state by the
> > connection tracking. Such packets are ignored by the NAT. A reason
> > may be that they belong to old connections the connection tracking has
> > forgotten about or considers already closed.
> >
> > Does your ruleset DROP outgoing packets in the INVALID state?
>
> Maybe it's the same thing just with DNAT at your end.

We don't drop any outgoing packets.  I'll have to look for that thread and see how that might impact it.  

My understanding is that any packets that aren't matched in conntrack are sent through the NAT chain, and if there is no match then it must be local, therefore the input chain, otherwise the forward chain.  Therefore they should always go through forward if they are either in conntrack with a NAT destination or just processed by NAT and matched with a destination.

LOGIC:
1) Conntrack with nat, yes, forward, otherwise input
2) No conntrack, check nat, if nat, add conntrack, then forward, otherwise input

Either case should result in a forward.

Can any of the devs confirm this logic?
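As an added example (not from this thread or the netfilter project), a shell check for the symptom the original poster describes: it scans tcpdump-style output from the external interface for packets whose source address is still a private one, i.e. packets that left the box without being SNAT-ed. The capture lines, addresses and flag values below are constructed; real input would be the output of `tcpdump -n` on the external interface.

```shell
#!/bin/sh
# Added example, not from the thread. Finds packets seen on the EXTERNAL
# interface whose source is still an RFC 1918 address, which means NAT did
# not rewrite them. Per the quoted reply, such packets are typically ones
# conntrack classifies as INVALID, so the NAT table never sees them.

# Constructed sample capture (tcpdump -n style). Public addresses are from
# the documentation ranges; 203.0.113.10 plays the firewall's external IP.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.40001 > 198.51.100.5.443: Flags [S], seq 1, length 0
12:00:01.000002 IP 192.168.1.20.40002 > 198.51.100.5.443: Flags [F.], seq 1, ack 1, length 0
12:00:01.000003 IP 203.0.113.10.40003 > 198.51.100.7.80: Flags [P.], seq 1, ack 1, length 10
12:00:01.000004 IP 10.0.0.5.40004 > 198.51.100.9.22: Flags [F.], seq 5, ack 6, length 0
12:00:01.000005 IP 172.16.4.4.40005 > 198.51.100.9.22: Flags [R], seq 5, length 0'

# Print every capture line whose source address is private
# (10/8, 172.16/12 or 192.168/16). Reads the capture on stdin.
find_unnated() {
  awk '
    # Field 3 is "addr.port"; drop the trailing port, then split into octets.
    { src = $3; sub(/\.[0-9]+$/, "", src); split(src, o, ".") }
    o[1] == 10                              { print; next }
    o[1] == 172 && o[2] >= 16 && o[2] <= 31 { print; next }
    o[1] == 192 && o[2] == 168              { print; next }
  '
}

# Number of leaked (un-NAT-ed) packets in the capture on stdin.
count_unnated() {
  find_unnated | wc -l | tr -d ' '
}

# Number of leaked packets carrying a given TCP flag string, e.g. "F." for
# FIN/ACK. Lets the operator see whether only teardown packets (FIN, RST)
# leak, which points at connections conntrack has already forgotten.
count_unnated_with_flags() {
  find_unnated | grep -c "Flags \[$1\]"
}

printf '%s\n' "$SAMPLE_CAPTURE" | find_unnated
```

Lines this reports are the candidates for the INVALID-state LOG or DROP rule in the FORWARD chain that the quoted reply asks about, which stops them leaving with a private source address.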
