Apparently flakey behavior with DNAT, SNAT, and masquerading
Ramin Alidousti
ramin@UU.NET
Thu, 14 Jun 2001 12:51:00 -0400
On Thu, Jun 14, 2001 at 11:59:17AM -0500, Greg Scott wrote:
> I see your point on the allowed chain. I should
> just get rid of the allowed chain and change everything
> everywhere that refers to that to just -j ACCEPT.
>
> On the SNAT rules, don't I need to translate anything
> outbound destined for my internal IP addresses back to
> the proper public IP addresses?
>
> > The conntrack of the DNAT takes care of the outgoing
> > packets itself.
>
> What is a conntrack?
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html
> Also, is there a writeup someplace on how to install and
> use tcpdump?
www.tcpdump.org
Ramin
>
> thanks
>
> - Greg
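
The point made in the reply above (conntrack reverses a DNAT for the return packets, so no mirror-image SNAT rule is needed for them), shown as a small Python model. This is an added example, not part of the original message and not netfilter's code; the class, the function names and the addresses are constructed for illustration. The last case goes one step beyond the thread and shows a flow started by the internal host, which matches no tracked DNAT entry.

```python
from typing import Dict, NamedTuple, Tuple

class FlowTuple(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

    def inverted(self) -> "FlowTuple":
        # The tuple a reply to this packet would carry
        return FlowTuple(self.dst, self.dport, self.src, self.sport)

class ConntrackModel:
    """Hypothetical toy model of conntrack + DNAT; not netfilter's real code."""

    def __init__(self, dnat_rules: Dict[Tuple[str, int], Tuple[str, int]]):
        self.dnat_rules = dnat_rules   # (public ip, port) -> (internal ip, port)
        self.original = {}             # tuple as seen on arrival -> tuple after DNAT
        self.reply = {}                # expected reply tuple -> tuple after un-DNAT

    def translate(self, pkt: FlowTuple) -> FlowTuple:
        if pkt in self.reply:          # reply of a tracked flow: restore public source
            return self.reply[pkt]
        if pkt in self.original:       # later packet of a tracked flow
            return self.original[pkt]
        target = self.dnat_rules.get((pkt.dst, pkt.dport))
        if target is None:             # new flow, no DNAT rule matches: unchanged
            return pkt
        natted = pkt._replace(dst=target[0], dport=target[1])
        self.original[pkt] = natted
        self.reply[natted.inverted()] = pkt.inverted()
        return natted

def demo():
    # Constructed sample addresses: public 203.0.113.10, internal 192.168.1.10
    ct = ConntrackModel({("203.0.113.10", 80): ("192.168.1.10", 80)})
    inbound = ct.translate(FlowTuple("198.51.100.7", 40000, "203.0.113.10", 80))
    answer = ct.translate(FlowTuple("192.168.1.10", 80, "198.51.100.7", 40000))
    # A flow the internal host starts itself matches no tracked DNAT entry
    own = ct.translate(FlowTuple("192.168.1.10", 51000, "198.51.100.7", 443))
    return inbound, answer, own

if __name__ == "__main__":
    for label, pkt in zip(("inbound", "reply", "host-initiated"), demo()):
        print(f"{label:15} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

In the model the reply leaves with the public source address restored without any SNAT rule, while the host-initiated flow keeps its internal source address; that second case is the one an SNAT or MASQUERADE rule covers.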