List: netfilter
Subject: Re: Packages which should be DNATed are dropped incidentally
From: Bram Metsch <metsch () ins ! uni-bonn ! de>
Date: 2008-08-25 7:13:04
Message-ID: 20080825091304.777d6e4e.metsch () ins ! uni-bonn ! de
On Fri, 22 Aug 2008 10:05:09 -0400 (EDT)
Jan Engelhardt <jengelh@medozas.de> wrote:
> [..]
>
> Try adding iptables -t nat -A PREROUTING -j LOG --log-prefix "[this did not get nated]" and compare with the DROP IN=... line when they appear together.
>
> [..]
Hi,
I have now added three logging rules: the first one, as you suggested, as the last
rule of the PREROUTING chain, and two additional logging rules quite at the beginning
of the INPUT chain:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target         prot opt in       out  source      destination
 380K   57M accounting_in  all  --  *        *    0.0.0.0/0   0.0.0.0/0
 380K   57M blacklist_src  all  --  *        *    0.0.0.0/0   0.0.0.0/0
  820 53788 LOG            tcp  --  external *    0.0.0.0/0   <external mailserver IP>  LOG flags 0 level 4 prefix `[not nated]'
 256K   41M ACCEPT         all  --  *        *    0.0.0.0/0   0.0.0.0/0                 state RELATED,ESTABLISHED
  820 53788 LOG            tcp  --  external *    0.0.0.0/0   <external mailserver IP>  LOG flags 0 level 4 prefix `[not nated nor established]'
Now I can confirm that the packets in question are indeed caught by the INPUT chain,
i.e. they show up in both logging rules in this chain. However, they do not show up
in the logging rule inside the PREROUTING chain, so I assume they do not even pass
this chain?
Best regards,
Bram.
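The comparison Jan proposed and Bram carried out by eye (which LOG prefixes the same packet appears under) can be done mechanically over the kernel log. This is an added example, not code from the thread: it assumes the three prefixes used above, kernel log lines in the format the iptables LOG target emits (prefix printed directly before IN=), and uses constructed sample lines with documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). "[this did not get nated]" is the
# last rule of nat PREROUTING, the two "[not nated...]" prefixes are the INPUT
# rules from the thread. Packet ID=1002 appears only under the INPUT rules.
SAMPLE_LOG = """\
Aug 25 09:01:02 fw kernel: [this did not get nated]IN=external OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=54 ID=1001 DF PROTO=TCP SPT=40000 DPT=25 SYN
Aug 25 09:01:02 fw kernel: [not nated]IN=external OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=54 ID=1001 DF PROTO=TCP SPT=40000 DPT=25 SYN
Aug 25 09:01:02 fw kernel: [not nated nor established]IN=external OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TTL=54 ID=1001 DF PROTO=TCP SPT=40000 DPT=25 SYN
Aug 25 09:01:07 fw kernel: [not nated]IN=external OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=57 ID=1002 DF PROTO=TCP SPT=41234 DPT=25 ACK
Aug 25 09:01:07 fw kernel: [not nated nor established]IN=external OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=57 ID=1002 DF PROTO=TCP SPT=41234 DPT=25 ACK
"""

# The LOG target prints the prefix immediately before "IN=" (no separator).
LINE_RE = re.compile(r"kernel: (?P<prefix>\[[^\]]*\])IN=(?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; flags like DF/SYN are skipped

PREROUTING_PREFIX = "[this did not get nated]"
INPUT_PREFIX = "[not nated]"

def parse_log(text):
    """Map each packet (SRC, DST, PROTO, SPT, DPT, IP ID) to the set of LOG
    prefixes it was logged under. The IP ID distinguishes individual packets
    of the same flow, so a miss is per packet rather than per connection."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        fields = dict(FIELD_RE.findall("IN=" + m.group("body")))
        key = tuple(fields.get(k, "") for k in ("SRC", "DST", "PROTO", "SPT", "DPT", "ID"))
        seen[key].add(m.group("prefix"))
    return seen

def missed_prerouting(seen):
    """Packets logged by the INPUT rule but never by the last rule of nat
    PREROUTING, i.e. packets that did not traverse the nat table at all."""
    return sorted(k for k, prefixes in seen.items()
                  if INPUT_PREFIX in prefixes and PREROUTING_PREFIX not in prefixes)

if __name__ == "__main__":
    for pkt in missed_prerouting(parse_log(SAMPLE_LOG)):
        print("no nat PREROUTING log for packet", pkt)
```

The nat table is consulted only for the first packet of a connection (conntrack state NEW), so a packet that reaches INPUT without ever hitting the nat PREROUTING log is consistent with conntrack already holding an entry for that flow, which is worth checking with conntrack -L before concluding the chain was skipped for another reason.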