On 06.01.2013 17:08, Steve (Telsat Broadband) wrote:
Hi All, I’m just trying to debug an issue on our network and I’ve noticed that some packets are being missed from some rules in the NAT table. Do all packets go through the NAT table or is there some exclusion? I’m seeing the packet hitting the mangle table as well as the filter table, but not the NAT?
From what I've read in the past, the nat table is only consulted at connection initiation, for packets in conntrack state NEW. If conntrack qualifies a packet as INVALID it won't get natted and is sent out as is (if not dropped by another rule).
Try to catch the invalid packets with: -m conntrack --ctstate INVALID and see if these are the suspected ones.
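A diagnostic that makes the reply's point measurable, added here as an example and not part of the original thread: a mangle PREROUTING chain (chain name CTSTATE_DIAG is my own choice) with one counting rule per conntrack state, whose counters can then be compared with the nat PREROUTING chain. Every arriving packet traverses mangle, but only the first packet of a connection (ctstate NEW) is offered to nat, so the NEW counter in mangle is the upper bound for what nat can ever see, and the INVALID counter shows the packets that will never be natted. The sample iptables output used when the script is run without arguments is constructed; --install and --show need root and the conntrack match.

```shell
#!/bin/sh
# Example diagnostic for the "packets missing from the nat table" question.
# Not from the original thread; chain name and sample output are my own.
set -eu

CHAIN=CTSTATE_DIAG

# Create the diagnostic chain with one counting rule per conntrack state and
# hook it at the top of mangle PREROUTING, which every incoming packet passes.
install_ctstate_counters() {
    iptables -t mangle -N "$CHAIN" 2>/dev/null || iptables -t mangle -F "$CHAIN"
    for state in NEW ESTABLISHED RELATED INVALID UNTRACKED; do
        # No target: the rule only counts packets in this state.
        iptables -t mangle -A "$CHAIN" -m conntrack --ctstate "$state"
    done
    iptables -t mangle -C PREROUTING -j "$CHAIN" 2>/dev/null ||
        iptables -t mangle -I PREROUTING 1 -j "$CHAIN"
}

# Read `iptables -t mangle -vnxL CTSTATE_DIAG` output on stdin and print
# "STATE packets" per rule. $1 is the exact packet counter (-x), and the
# conntrack match is rendered as "ctstate <STATE>" at the end of the line.
parse_ctstate_counters() {
    awk '/ctstate/ {
        for (i = 1; i <= NF; i++)
            if ($i == "ctstate") { print $(i + 1), $1; break }
    }'
}

# Constructed sample of what -vnxL prints for the diagnostic chain.
SAMPLE='Chain CTSTATE_DIAG (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    12000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
    4310   987654            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
       3      240            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
       7      560            all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID'

case "${1:-}" in
    --install)
        install_ctstate_counters ;;
    --show)
        # Live counters: compare the NEW line here with the nat chain counters.
        iptables -t mangle -vnxL "$CHAIN" | parse_ctstate_counters
        iptables -t nat -vnxL PREROUTING ;;
    *)
        printf '%s\n' "$SAMPLE" | parse_ctstate_counters ;;
esac
```

Run it once with --install, reproduce the problem, then run --show: packets that show up under INVALID in the mangle chain are exactly the ones the nat rules never get a chance to match, and a nat PREROUTING rule should never count more packets than the NEW line.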