Re: Packets not hitting the nat POSTROUTING table

On 01/09/14 16:31, Kristian Evensen wrote:
Hi Chris,

On Thu, Jan 9, 2014 at 10:57 PM, Chris Frederick <cdf123@xxxxxxxxxx> wrote:
Any ideas would be helpful.

If I have understood things correctly, packets belonging to an
established connection do not hit any of the chains in the nat
table. If you want to mangle/filter/manipulate/... these packets, you
can use for example the POSTROUTING chain in the mangle table or in
rawpost. The latter requires xtables-addons as well as slight change
to compilation as rawpost was removed in a recent commit. See:
http://sourceforge.net/p/xtables-addons/xtables-addons/ci/9414a5df343bf30ba13e76dbd7181c55683b11cb/

-Kristian

When you say "established connection" are you talking about a TCP-level established connection, or is this from conntrack identifying the connection? I guess what I'm asking is if doing a NOTRACK in raw would allow the packets through and still pass through nat/POSTROUTING?

I did see that they are hitting the POSTROUTING chain in the mangle table, but I can't SNAT from there. Does xtables-addons provide this? I'll probably start looking there.

The Changelog from the sourceforge link mentions the code was removed because it was unmaintained. Is that the only reason, or was this a policy decision to remove that functionality to make way for something different? I would just worry about the future if I patch the system now.

Thanks Kristian,

Chris Frederick
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
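A worked check of the behaviour described in this exchange, added here as an example; it is not code from the thread or from the netfilter project. It inserts two rules that only count (no target) at the top of nat POSTROUTING and mangle POSTROUTING, sends one ICMP flow of several packets, reads the counters back, then exempts the flow from conntrack with NOTRACK in the raw table and sends it again. Assumptions: TARGET (198.51.100.1, a TEST-NET-2 address) is a hypothetical host reachable through the box under test; only iptables(8) and ping(8) are used, and the `run` mode needs root.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread. Shows that the nat table
# is consulted only for the first packet of a conntrack flow, that mangle
# POSTROUTING sees every packet, and what NOTRACK does to the nat traversal.
# Usage (as root):   sh nat_probe.sh run
# TARGET is an assumed, hypothetical address; point it at a pingable host.
TARGET=${TARGET:-198.51.100.1}
COUNT=${COUNT:-5}

# Rule specs shared by setup and teardown; $1 is -I (insert) or -D (delete).
# Neither rule has a target, so they only count and cannot alter traffic.
probe_rules() {
    printf '%s\n' \
      "iptables -t mangle $1 POSTROUTING -d $TARGET -p icmp --icmp-type echo-request -m comment --comment probe-mangle" \
      "iptables -t nat $1 POSTROUTING -d $TARGET -p icmp --icmp-type echo-request -m comment --comment probe-nat"
}

# Raw-table rule that exempts locally generated probe packets from conntrack.
# raw OUTPUT runs before the conntrack OUTPUT hook, so this is where it belongs.
notrack_rule() {
    printf '%s\n' \
      "iptables -t raw $1 OUTPUT -d $TARGET -p icmp --icmp-type echo-request -j NOTRACK"
}

# Extract the packet counter of the rule carrying comment $1 from
# 'iptables -L -v -n -x' output read on stdin. Prints nothing if absent.
count_for() {
    awk -v tag="/* $1 */" 'index($0, tag) { print $1; exit }'
}

# Live counter for table $1 / comment $2 on the running system.
live_count() {
    iptables -t "$1" -L POSTROUTING -v -n -x | count_for "$2"
}

# One ping process uses one ICMP id, so its COUNT echo requests form a single
# conntrack flow. Failures (unreachable target) do not abort the run.
probe() {
    ping -c "$COUNT" "$TARGET" >/dev/null 2>&1 || true
}

report() {
    printf '%-30s nat=%s mangle=%s\n' "$1" \
        "$(live_count nat probe-nat)" "$(live_count mangle probe-mangle)"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    probe_rules -I | sh -e
    # Remove everything we added, whatever happens from here on.
    trap 'notrack_rule -D | sh 2>/dev/null; probe_rules -D | sh' EXIT

    probe
    report "tracked flow, $COUNT packets"

    notrack_rule -I | sh -e
    probe
    report "untracked flow, $COUNT more packets"
}

case "${1:-}" in run) main ;; esac
```

On a tracked flow the first report shows nat=1 and mangle=5: only the packet that created the conntrack entry walked nat POSTROUTING, and a `-j SNAT` rule in the same position would have been evaluated exactly that once, with the resulting mapping then applied from the conntrack entry to the rest of the flow. After the NOTRACK rule the second report shows nat still at 1 and mangle at 10: the nat hook returns NF_ACCEPT without walking the table when a packet carries no conntrack entry or is marked untracked, so NOTRACK takes a flow out of nat altogether rather than pushing it through. To make an existing, long-lived flow pass through nat POSTROUTING again, delete its conntrack entry (`conntrack -D` from conntrack-tools); its next packet is then classified NEW (for TCP mid-stream pickup relies on the default nf_conntrack_tcp_loose=1) and is matched against the nat rules once more.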
