Hello,

I just noticed a few packets which pass SNAT in POSTROUTING without altering their SRC. The problem has been obscured by the fact that all works in general; no one complains. After I added a REJECT rule for "-m state --state INVALID" connections, the unmodified (not NATed) packets disappeared. All right now. Why do INVALID connections pass through NAT instead of being dropped? It seems like a security risk, when a hacker can listen to non-NATed packets behind the router and learn the network topology.

-- Best regards, Igor Bogomazov
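As an added example (not part of the mail or its thread), a small Python audit over constructed iptables-save dumps that flags the configuration described above: SNAT or MASQUERADE in nat/POSTROUTING with no earlier filter/FORWARD rule rejecting INVALID packets. The interfaces, addresses and rulesets are constructed, and the ordering check assumes the common layout of a single FORWARD chain.

```python
import re

# Constructed sample dumps (iptables-save format); addresses and interfaces are made up.
WEAK_RULESET = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
# Same router with the INVALID reject placed before the forwarding ACCEPT.
FIXED_RULESET = WEAK_RULESET.replace(
    "-A FORWARD -i eth1", "-A FORWARD -m state --state INVALID -j REJECT\n-A FORWARD -i eth1")

INVALID_RE = re.compile(r"--(?:state|ctstate)\s+\S*INVALID\b")   # -m state or -m conntrack
TERMINAL_RE = re.compile(r"-j (?:DROP|REJECT)\b")

def parse_rules(dump):
    """Yield (table, chain, rule) for every '-A' line of an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            parts = line.split(None, 2)
            yield table, parts[1], parts[2] if len(parts) > 2 else ""

def audit(dump):
    """Return a list of findings; an empty list means the dump passes the check.

    Packets conntrack classifies as INVALID have no connection entry, and the nat
    table is only consulted for the first packet of a tracked connection, so an
    INVALID packet leaves nat/POSTROUTING with its original source address
    unless the filter table rejects it first.
    """
    rules = list(parse_rules(dump))
    does_snat = any(t == "nat" and c == "POSTROUTING" and re.search(r"-j (?:SNAT|MASQUERADE)\b", r)
                    for t, c, r in rules)
    if not does_snat:
        return []          # nothing is being rewritten, so nothing can leak un-translated
    forward = [r for t, c, r in rules if t == "filter" and c == "FORWARD"]
    reject_at = next((i for i, r in enumerate(forward)
                      if INVALID_RE.search(r) and TERMINAL_RE.search(r)), None)
    accept_at = next((i for i, r in enumerate(forward) if r.endswith("-j ACCEPT")), None)
    if reject_at is None:
        return ["filter/FORWARD never drops or rejects INVALID packets; they reach SNAT un-translated"]
    if accept_at is not None and accept_at < reject_at:
        return ["filter/FORWARD accepts traffic before the INVALID reject rule; move the reject up"]
    return []
```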