Hi, Hope the question isn’t too basic to be asked here. I have an IPSec tunnel set up between my machine and a server. All packets originate from my machine go through that tunnel and then get forwarded by the server. I’m trying to redirect DNS request from my machine to 8.8.8.8 to a dns forwarder running on the server. I tried this on the server iptables -t nat -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1 But it didn't work. To make sure it wasn't because I hadn't allowed martian packets or anything. I tried to trace the decrypted packets. iptables -t raw -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp --dport 53 -j TRACE But after dig @8.8.8.8 google.com on my machine, running grep 'TRACE:' /var/log/kern.log on the server returned nothing. According to this picture: https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg after decrypting the ipsec packets, netfilter will make the decrypted packets go through the ip stack again, and the trace target should be able to catch it. I wonder if my mental model is incorrect or I missed something? Regards, Glen-- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
