Hi,

I have DNAT set up for a few ports on a fedora14 box with shorewall-4.4.11.1 for bittorrent traffic, and I'm still seeing quite a bit of traffic that I think should be translated but is not. I had initially posted this on the shorewall list, but it seems more appropriate here.

How can I analyze this traffic to determine if it should be forwarded on to its intended internal recipient, or if it is completely unrelated traffic that should continue to be blocked?

I have a firewall with two interfaces connected to the Internet via a cable modem. The destination ports are unknown to me; I'm using a different port for the bittorrent dnat traffic.

Here are a few sample log entries for traffic I think should be translated:

[2373602.833434] Shorewall:ext2fw:REJECT:IN=eth0 OUT= MAC=40:61:86:4e:84:09:00:21:a0:75:e3:12:08:00 SRC=221.192.199.46 DST=68.XXX.YYY.44 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 DF PROTO=TCP SPT=12200 DPT=27977 WINDOW=8192 RES=0x00 SYN URGP=0
[2373626.966318] Shorewall:ext2fw:REJECT:IN=eth0 OUT= MAC=40:61:86:4e:84:09:00:21:a0:75:e3:12:08:00 SRC=123.30.133.59 DST=68.XXX.YYY.44 LEN=40 TOS=0x00 PREC=0x00 TTL=99 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0

The .44 address is the address of the external interface to the Internet on the firewall.

Other log entries have similar ports, but there is also quite a range of destination ports, and I'm not able to correlate any of them to the output of "netstat -tnap" on the host that is dnat'd.

Can you recommend options for tcpdump that might be used to trace the traffic and see if it's traversing the firewall, or if the traffic contains packets associated with that host and bittorrent?

Thanks,
Alex

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
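An added example, not part of Alex's post or of Shorewall: a small Python parser for netfilter LOG lines of the form quoted above, which splits rejected entries into those aimed at the DNAT'd port and the rest. It assumes a placeholder forwarded port (51413, since the post does not name the real one), treats 68.XXX.YYY.44 as the external address exactly as masked in the post, and feeds the two quoted entries plus one constructed entry that hits the placeholder port. The classifier encodes one netfilter fact: DNAT is applied in the nat PREROUTING chain before the filter chains see the packet, so a packet that was rewritten by a DNAT rule never reaches an ext2fw chain with DST still set to the firewall's own address. A REJECT in ext2fw whose DPT is the forwarded port therefore means the DNAT rule did not match (wrong zone, interface or protocol), while a REJECT on any other port is traffic the rule was never meant to forward.

```python
import re
from collections import Counter

# Constructed sample input: the two entries quoted in the post, plus one
# constructed entry (198.51.100.7 -> port 51413) so that a DNAT-port hit appears.
SAMPLE_LOG = """\
[2373602.833434] Shorewall:ext2fw:REJECT:IN=eth0 OUT= MAC=40:61:86:4e:84:09:00:21:a0:75:e3:12:08:00 SRC=221.192.199.46 DST=68.XXX.YYY.44 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 DF PROTO=TCP SPT=12200 DPT=27977 WINDOW=8192 RES=0x00 SYN URGP=0
[2373626.966318] Shorewall:ext2fw:REJECT:IN=eth0 OUT= MAC=40:61:86:4e:84:09:00:21:a0:75:e3:12:08:00 SRC=123.30.133.59 DST=68.XXX.YYY.44 LEN=40 TOS=0x00 PREC=0x00 TTL=99 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
[2373630.100000] Shorewall:ext2fw:REJECT:IN=eth0 OUT= MAC=40:61:86:4e:84:09:00:21:a0:75:e3:12:08:00 SRC=198.51.100.7 DST=68.XXX.YYY.44 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=256 DF PROTO=TCP SPT=51413 DPT=51413 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Assumptions for this example: the post does not name the forwarded bittorrent
# port, so 51413 is a placeholder; the masked .44 address is the external IP.
DNAT_PORTS = {51413}
EXTERNAL_IP = "68.XXX.YYY.44"

# "Shorewall:<chain>:<disposition>:" prefix, then KEY=VALUE pairs (OUT= is empty).
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):")
KV_RE = re.compile(r"\b(\w+)=(\S*)")


def parse_line(line):
    """Parse one Shorewall/netfilter LOG line into a dict, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line))
    return {
        "chain": m.group("chain"),
        "action": m.group("action"),
        "in": kv.get("IN"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "spt": int(kv["SPT"]) if kv.get("SPT") else None,
        "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
        "syn": " SYN " in line,   # bare SYN: a new inbound connection attempt
    }


def classify(rec, dnat_ports=DNAT_PORTS, external_ip=EXTERNAL_IP):
    """Decide what one rejected entry means for the DNAT question."""
    if rec["dpt"] in dnat_ports and rec["proto"] == "TCP":
        # DNAT (nat PREROUTING) rewrites DST before the filter chains run, so a
        # packet to the forwarded port that still carries the external address
        # as DST and lands in a *2fw chain was NOT matched by the DNAT rule:
        # look at the rule's zone/interface/protocol, not at the internal host.
        if rec["dst"] == external_ip and rec["chain"].endswith("2fw"):
            return "dnat-rule-not-matched"
        return "dnat-port"
    # Any other port is nothing the DNAT rule would ever forward.  Unsolicited
    # SYNs to ports such as 1433 (MS SQL Server) on a consumer address are
    # ordinary Internet background scanning and should stay rejected.
    return "unrelated"


def summarize(log_text, dnat_ports=DNAT_PORTS, external_ip=EXTERNAL_IP):
    """Count rejected entries per verdict and per (proto, destination port)."""
    verdicts, per_port = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        verdicts[classify(rec, dnat_ports, external_ip)] += 1
        per_port[(rec["proto"], rec["dpt"])] += 1
    return verdicts, per_port


def tcpdump_filter(dnat_ports):
    """BPF expression that shows only packets for the forwarded port(s), for
    confirming on the external interface that they arrive at all."""
    ports = " or ".join(f"dst port {p}" for p in sorted(dnat_ports))
    return f"tcp and ({ports})"


if __name__ == "__main__":
    verdicts, per_port = summarize(SAMPLE_LOG)
    for verdict, n in verdicts.most_common():
        print(f"{verdict:24s} {n}")
    for (proto, port), n in per_port.most_common():
        print(f"  {proto} dpt {port}: {n}")
    print("tcpdump filter:", tcpdump_filter(DNAT_PORTS))
```

Running it over a day's worth of rejects gives a per-port count; if the forwarded port never appears among the rejects, the entries in the post are unrelated scans and the DNAT rule is simply not being exercised by them. The expression returned by `tcpdump_filter` can be handed to `tcpdump -ni eth0 '<expr>'` on the external interface to verify that packets for the forwarded port reach the firewall at all, and to `tcpdump -ni <internal interface>` to see whether they leave again with the internal host as destination, which is the direct test of whether the translation happens.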