----- "Italo Valcy" <italo@xxxxxxxxxxx> wrote: -----

> > Please provide some details about the rule, packets...
> > Note that iptables' NAT ignores packets in the INVALID state.
>
> Well... so could be this: INVALID state... The packets are about a
> netflow traffic (9996/UDP) coming to the firewall, which should be
> redirected to an internal host (through the DNAT). How can I debug
> these possible INVALID packets?

iptables -I FORWARD -p udp -m udp --dport 9996 -m state --state INVALID -j LOG --log-prefix "INVALID-FWD: "
iptables -I INPUT -p udp -m udp --dport 9996 -m state --state INVALID -j LOG --log-prefix "INVALID-IN: "

This will allow you to see matching traffic through the filter table's FORWARD and INPUT chains with the invalid state in dmesg.

Also, bear in mind that the nat table is only consulted for packets with state NEW. If your UDP flow state transitions to ESTABLISHED before your NAT rule is created, the new rule will not be applied to that flow. You'd need to clear that connection from the table with conntrack-tools, flush the entire table, or let the connection expire from the table for it to be considered NEW again and compared against the nat rules.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
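The reply above gives two pieces of advice: log INVALID-state packets for the port, and clear the stale conntrack entry so the flow is seen as NEW and the nat table is consulted again. The script below, an added example that is not part of the original thread, puts both steps into a small POSIX shell helper and adds an awk summary of the resulting LOG lines. Everything in it is assumed: the internal DNAT target 10.1.1.10 is a placeholder, the interface names and the dmesg-style log lines are constructed, and by default it only prints the iptables/conntrack commands (DRY_RUN=1) because executing them needs root and a live netfilter stack.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: 9996/UDP,
# placeholder DNAT target 10.1.1.10, constructed sample log lines.

PORT=${PORT:-9996}
DNAT_TARGET=${DNAT_TARGET:-10.1.1.10}   # placeholder internal host
DRY_RUN=${DRY_RUN:-1}                   # 1 = print commands, 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (from the reply): log INVALID-state packets for the port in both the
# INPUT and FORWARD chains of the filter table; the prefixes end up in dmesg.
add_invalid_logging() {
    run iptables -I FORWARD -p udp -m udp --dport "$PORT" -m state --state INVALID -j LOG --log-prefix "INVALID-FWD: "
    run iptables -I INPUT -p udp -m udp --dport "$PORT" -m state --state INVALID -j LOG --log-prefix "INVALID-IN: "
}

# Step 2 (from the reply): an existing ESTABLISHED conntrack entry never hits
# the nat table again. List it, then delete it with conntrack-tools so the next
# packet is NEW and the DNAT rule is evaluated.
reset_flow_state() {
    run conntrack -L -p udp --dport "$PORT"
    run conntrack -D -p udp --dport "$PORT"
}

# Step 3: summarise LOG output (e.g. "dmesg | summarize_invalid_log") as
# "<count> <prefix> <src> -> <dst>:<dport>", one line per distinct tuple.
summarize_invalid_log() {
    awk '
    /INVALID-(IN|FWD): / {
        prefix = ""; src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^INVALID-(IN|FWD):$/) prefix = $i
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[prefix " " src " -> " dst ":" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }' | sort
}

# Constructed sample of what the LOG target writes to the kernel log (not a
# real capture). The last line carries a different prefix and must be ignored.
SAMPLE_LOG='[ 120.001] INVALID-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.1 LEN=1480 TOS=0x00 PREC=0x00 TTL=60 ID=4321 PROTO=UDP SPT=40001 DPT=9996 LEN=1460
[ 120.002] INVALID-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=1480 PROTO=UDP SPT=40001 DPT=9996 LEN=1460
[ 120.500] INVALID-FWD: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.1.10 LEN=228 PROTO=UDP SPT=5000 DPT=9996 LEN=208
[ 121.000] ACCEPTED: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.1.1.10 PROTO=UDP SPT=5000 DPT=9996'

# Demo: dry-run the commands, then summarise the constructed log.
add_invalid_logging
reset_flow_state
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid_log
```

Run it as-is to see the exact rules and conntrack commands it would issue; run it with DRY_RUN=0 as root on the firewall to apply them, then feed `dmesg` into summarize_invalid_log to see which sources are producing INVALID packets and in which chain. A flow showing up only under INVALID-IN/INVALID-FWD after the DNAT rule was added is the symptom the reply describes: conntrack already holds a state for it, so the nat table is never consulted.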