(sorry for top posting; Gmail mobile java client sucks)

No, it should be port 68 (got my web access, I can now verify the number). We want all packets *outgoing* from the box *destined* for port 68 (DHCP server's listening port) to bypass NAT.

Rgds,

On 2011-08-21, Vinicius Massuchetto <viniciusmassuchetto@xxxxxxxxx> wrote:
> 2011/8/21 Pandu Poluan <pandu@xxxxxxxxxxx>:
>> Just a hunch; do this:
>>
>> iptables -t nat -I POSTROUTING -p udp --dport $DHCP_SRV_PORT -j ACCEPT
>>
>> (sorry, for some unknown reason, I can't open any web site;
>> $DHCP_SRV_PORT should be 67 or 68, I forgot which)
>
> According to the logs, the requests come in on port 67.
>
>> In effect, the above rule causes DHCP packets going to the DHCP server
>> to bypass the MASQUERADE target.
>
> Running this after the script has no effect on this behavior.
> iptables -t nat -I POSTROUTING -p udp --dport 67 -j ACCEPT
>
> Thanks for the tip.
> --
> Vinicius Massuchetto

--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
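As an added example (not from the thread), a small POSIX shell check that an `iptables-save -t nat` dump has the ACCEPT rule for UDP dport 67 placed ahead of MASQUERADE in POSTROUTING, which is what the `-I` in the suggested rule is meant to achieve; DHCP servers listen on UDP 67 and clients on UDP 68 (RFC 2131), and both dumps below are constructed.

```shell
#!/bin/sh
# Added example, not from the netfilter thread. Verifies rule ORDER in the
# nat POSTROUTING chain: a bypass rule appended after MASQUERADE (iptables -A)
# never matches, because MASQUERADE terminates traversal first. The thread's
# rule uses -I, which should put ACCEPT at the top; this check confirms it.

# Constructed sample of what `iptables-save -t nat` prints when -I was used.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p udp -m udp --dport 67 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample of the broken order (bypass rule appended with -A).
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -p udp -m udp --dport 67 -j ACCEPT
COMMIT'

# dhcp_bypass_ok DUMP PORT
# Returns 0 when an "-p udp --dport PORT -j ACCEPT" rule exists in POSTROUTING
# and appears before every MASQUERADE rule there; returns 1 otherwise.
dhcp_bypass_ok() {
    dump=$1
    port=$2
    printf '%s\n' "$dump" | awk -v port="$port" '
        # MASQUERADE seen before the ACCEPT rule: the bypass is shadowed.
        /^-A POSTROUTING / && /-j MASQUERADE/ && !accepted { bad = 1 }
        # The DHCP bypass rule; "( |$)" keeps --dport 67 from matching 670.
        /^-A POSTROUTING / && /-p udp/ && /-j ACCEPT/ &&
            $0 ~ ("--dport " port "( |$)") { accepted = 1 }
        END { exit (accepted && !bad) ? 0 : 1 }'
}

# Usage: dhcp_bypass_ok "$(iptables-save -t nat)" 67 && echo "bypass ordered correctly"
```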