Alec Matusis wrote:
>> I would have used DNAT instead to make sure
>> the destination address is not changed.
>
> Instead of REDIRECT, we used:
> -A PREROUTING -d server.ip -p tcp --dport 443 -j DNAT --to-destination server.ip:5228
> The result is exactly the same.

Do you mean that REDIRECT did not alter the destination address when it was different from the primary address on eth0?

>> What are the other 5% then?
>
> They are mostly RST packets from various clients:

Sure, RSTs are sent in reply to the bogus packets from the servers.

>> They are probably packets classified in the INVALID state by the
>> connection tracking, which are ignored by the nat table. In a NAT setup,
>> INVALID packets should be dropped because of this. Now the real question
>> is: why are they classified in the INVALID state?
>
> How can I verify that these packets have been classified as in the INVALID
> state? That may be the key to this problem.

As I suggested, DROP packets in the INVALID state. If you don't see them any more, you'll know.
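One way to carry out the check suggested above, written as an added example and not taken from anyone in this thread: log and drop conntrack-INVALID packets in the mangle table's PREROUTING chain (which the kernel traverses before nat PREROUTING, so an INVALID packet never reaches the DNAT rule), then read the DROP rule's packet counter. The server address `192.0.2.10`, the `DRY_RUN` switch and the sample counter output are constructed for the example; the DNAT rule itself is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Rules are printed rather than
# executed unless DRY_RUN=0, so the script can be inspected offline.

SERVER_IP="${SERVER_IP:-192.0.2.10}"   # assumption: the server's public address
DRY_RUN="${DRY_RUN:-1}"

# Rate-limited LOG followed by DROP, both keyed on the conntrack INVALID state.
# mangle/PREROUTING runs before nat/PREROUTING, so the drop precedes the DNAT.
invalid_drop_rules() {
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -m limit --limit 5/min -j LOG --log-prefix \"ct-invalid: \"" \
      "iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP"
}

# The DNAT rule from the thread, with the placeholder server.ip filled in.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport 443 -j DNAT --to-destination %s:5228\n' \
        "$SERVER_IP" "$SERVER_IP"
}

apply_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        invalid_drop_rules
        dnat_rule
    else
        invalid_drop_rules | sh -e
        dnat_rule | sh -e
    fi
}

# Read `iptables -t mangle -L PREROUTING -v -n -x` output on stdin and print the
# packet counter of the INVALID DROP rule (0 if the rule is absent). A counter
# that climbs while the client-side RSTs disappear confirms the diagnosis.
invalid_drop_count() {
    awk '/DROP/ && /ctstate INVALID/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# Constructed sample of `iptables -t mangle -L PREROUTING -v -n -x` (not real data).
SAMPLE_COUNTERS='Chain PREROUTING (policy ACCEPT 123456 packets, 9876543 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37     1480 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "ct-invalid: "
      42     1680 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID'

if [ "${1:-}" = "demo" ]; then
    apply_rules
    printf '%s\n' "$SAMPLE_COUNTERS" | invalid_drop_count
fi
```

Run it as `sh script.sh demo` to see the generated rules and the parsed counter; on the actual box, `DRY_RUN=0 sh script.sh demo` installs the rules, after which `iptables -t mangle -L PREROUTING -v -n -x | sh -c '. ./script.sh; invalid_drop_count'` reads the live counter. Dropping INVALID packets before NAT is the documented-safe approach because a packet the tracker cannot attribute to a connection is never translated and would otherwise leak out with the untranslated address.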