Re: intermittent nat issue

[Mark Coetser <mark@xxxxxxxxxxxx>]

Hi Llorente

I did run conntrack -F to check that but still had the unnatted packets 
traversing the interface.

--
Thank you,

Mark Adrian Coetser
mark@xxxxxxxxxxxx

"The New York Times is read by the people who run the country.  The
Washington Post is read by the people who think they run the country. The
National Enquirer is read by the people who think Elvis is alive and running
the country ..."
		-- Robert J Woodhead


On 20/01/2017 09:21, Llorente Santos Jesus wrote:
> Hi Mark,
>
> Did you flush the conntrack? Perhaps what you are seeing are some already established connections prior to setting the rule in iptables?
> Try with "conntrack -D" to remove the connections.
>
> Best,
> Jesus
>
> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Mark Coetser
> Sent: 20 January 2017 08:25
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: intermittent nat issue
>
> Hi All
>
> kernel 3.16.0-4-686-pae
> iptables 1.4.21-2+b1
>
> I have a few different firewalls that are exhibiting the same issue
>
> basic rule iptables -t nat -I POSTROUTING -o $external_iface -j MASQUERADE
>
> when running tcpdump on $external_iface I am seeing SOME packets from the private_network not being masqueraded/natted.
>
> --
> Thank you,
>
> Mark Adrian Coetser
> mark@xxxxxxxxxxxx
>
> "Help save the world!"              -- Larry Wall in README
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at  http://vger.kernel.org/majordomo-info.html
> ���{.n�+�������+%�����ݶ��w��{.n�+���z��׫�)���w*jg��������ݢj����G���������j:+v���w�j�m��������w�����f���h������٥
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html