Steven Kath wrote:
> ----- "Italo Valcy" <italo@xxxxxxxxxxx> wrote: -----
>>
>> Well... so could be this: INVALID state... The packets are about a
>> netflow traffic (9996/UDP) coming to the firewall, which should be
>> redirected to an internal host (through the DNAT). How can I debug
>> these possible INVALID packets?
>
> iptables -I FORWARD -p udp -m udp --dport 9996 -m state --state INVALID -j LOG --log-prefix "INVALID-FWD: "
> iptables -I INPUT -p udp -m udp --dport 9996 -m state --state INVALID -j LOG --log-prefix "INVALID-IN: "
>
> This will allow you to see matching traffic through the filter
> table's FORWARD and INPUT chains with the invalid state in dmesg.

AFAIK, UDP packets cannot be INVALID.

> Also, bear in mind that the nat table is only consulted for
> packets with state NEW. If your UDP flow state transitions to
> ESTABLISHED before your NAT rule is created, the new rule will
> not be applied to that flow.

Actually it is even stricter: the nat rules are consulted only for the
first packet of a new flow ("connection"). The next packets skip the nat
rules even when the flow does not transition to ESTABLISHED (when there
is no packet in the reply direction).

> You'd need to clear that connection from the table with
> conntrack-tools, flush the entire table, or let the connection
> expire from the table for it to be considered NEW again and
> compared against the nat rules.
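The point raised in the reply above, that a flow entry created before the DNAT rule keeps skipping the nat table even while it is still [UNREPLIED], can be checked directly in the conntrack table: for a DNAT'd flow the reply tuple's source is the internal host, for a pre-existing one it is still the firewall's own address. The following diagnostic script is an added example, not code from the thread; it parses constructed `conntrack -L` output (addresses, the internal collector 10.0.0.5 and the sample lines are assumptions) and prints the `conntrack -D` commands that remove the stale entries so the next datagram is treated as NEW and matched against the nat rules again.

```python
import re

# Constructed sample of `conntrack -L -p udp --dport 9996` output (not a real capture).
# Entry 1: created before the DNAT rule; reply src == original dst and still UNREPLIED.
# Entry 2: created after the DNAT rule; reply src is the internal collector 10.0.0.5.
SAMPLE_CONNTRACK = """\
udp      17 28 src=192.0.2.10 dst=203.0.113.1 sport=40001 dport=9996 [UNREPLIED] src=203.0.113.1 dst=192.0.2.10 sport=9996 dport=40001 mark=0 use=1
udp      17 170 src=192.0.2.11 dst=203.0.113.1 sport=40002 dport=9996 src=10.0.0.5 dst=192.0.2.11 sport=9996 dport=40002 [ASSURED] mark=0 use=1
"""

# One conntrack line carries two tuples: original direction, then reply direction.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entries(text):
    """Yield (proto, orig, reply) per line; each tuple is (src, dst, sport, dport)."""
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # not a line in the layout we understand
        yield proto, tuples[0], tuples[1]


def entries_bypassing_dnat(text, dnat_target, dport="9996"):
    """Original tuples of UDP flows to dport whose reply source is not the DNAT target.

    Such entries were created before the DNAT rule existed; every further packet of
    the flow skips the nat table, so the rule never applies until they are removed."""
    stale = []
    for proto, orig, reply in parse_entries(text):
        if proto != "udp" or orig[3] != dport:
            continue
        if reply[0] != dnat_target:
            stale.append(orig)
    return stale


def delete_commands(stale):
    """conntrack-tools invocations that drop the stale entries (one per original tuple)."""
    return ["conntrack -D -p udp --orig-src %s --orig-dst %s "
            "--orig-port-src %s --orig-port-dst %s" % o for o in stale]


if __name__ == "__main__":
    for cmd in delete_commands(entries_bypassing_dnat(SAMPLE_CONNTRACK, "10.0.0.5")):
        print(cmd)
```

Run it against real output with `conntrack -L -p udp --dport 9996 | python3 script.py` style piping by replacing SAMPLE_CONNTRACK with stdin; the emitted commands only delete the flows that predate the rule, not the whole table.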