Hi Pascal,

On 17-02-2011 17:05, Pascal Hambourg wrote:
> Target? Do you mean the original destination address?

Yes, that's it! ;)

> As long as incoming packets reach the interface, it does not matter how.

Yes, it just has to know how to reach the interface. Because of this, either I have to use the original destination address as a secondary address of my firewall (the machine running iptables) or start answering the ARP requests for that IP. Right now, I'm using the secondary IP address approach.

> Please provide some details about the rule, packets...
> Note that iptables' NAT ignores packets in the INVALID state.

Well... so it could be this: INVALID state... The packets are NetFlow traffic (9996/UDP) coming to the firewall, which should be redirected to an internal host (through the DNAT). How can I debug these possible INVALID packets?

Thanks!

--
Regards,
Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy