Why would certain packets not reach nat PREROUTING chain?

Adam Rosi-Kessel adam at rosi-kessel.org
Thu Nov 10 02:57:45 CET 2005


I'm troubeshooting an issue of accessing a VPN through NAT. Right now the
problem can be reduced to the following question:

Under what conditions would inbound packets not be routing through the nat
PREROUTING chain?

These packets are arriving on inbound UDP port 500. They show up with
tcpdump, but when I add a log rule, e.g.

iptables -t nat -I PREROUTING -p udp -j LOG

The packets are not logged.  (They are also not DNAT'd to the proper
internal host, but that makes sense if they're not reaching the PREROUTING
chain at all).

I have nothing in the mangle table.

I am not running any IPSec services on the NAT box.

There is nothing between the NAT box and the Internet.

Most of the iptables tutorials warn against filtering in nat PREROUTING,
because "it will be bypassed in certain cases."  But what cases are those?

The iptables LOG targets are working generally--traffic coming from the
internal client to the NAT box and then the NAT box to the external VPN
server are all logged.  The only thing that is not being logged--and
presumably not arriving at the nat PREROUTING chain--are the inbound
packets.  Yet they are definitely arriving, as tcpdump -i eth0 indicates.

Any suggestions?
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : /pipermail/netfilter/attachments/20051110/882dc4dc/signature.pgp


More information about the netfilter mailing list