Why would certain packets not reach nat PREROUTING chain?
adam at rosi-kessel.org
Wed Nov 16 00:57:45 CET 2005
On Tue, Nov 15, 2005 at 06:53:19PM -0500, Adam Rosi-Kessel wrote:
> > > So, setting aside the question of why I wasn't seeing that before, shouldn't
> > > I be able to see the incoming packets as they are routed to the internal
> > > client machine, even if they are tracked connections? When I watch the
> > > inward-facing interface with tcpdump, I don't see any of these packets
> > > getting routed to that machine, although I do see the outbound packets.
> > I don't clearly understand you here. It is always best to run tcpdump on
> > both interfaces so that one can compare what packets are routed properly
> > and how they were mangled/NAT-ed by the firewall. If some packets are
> > missing from either side then that's a clear sign that those packets were
> > dropped by either a matching rule/policy or by the system itself.
> > Did the logging produce anything?
I should probably also mention that the NAT box has two external IP
addresses, both on eth0 (eth0 and eth0:1), although I don't think this
should affect anything; maybe there's something I don't know. All
outbound traffic from the LAN is SNAT'ed to the eth0:1 external IP
address, and the VPN traffic I'm seeing is coming back into that same IP
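The advice earlier in the thread is to run tcpdump on both interfaces and compare what arrives on the outside with what is forwarded on the inside. The script below is an added example, not code from this thread or from the netfilter project: it parses two `tcpdump -n` summary captures, learns the SNAT mapping from outbound packets that appear on both sides, and lists the inbound packets to the SNAT address that never show up, untranslated, on the LAN interface. The addresses, the LAN prefix, and the capture lines are constructed for illustration, and it assumes SNAT preserved the source port (iptables does so unless the port is already in use).

```python
"""Compare tcpdump captures from the outside (eth0) and inside (eth1) interfaces
of a Linux NAT box to find inbound packets that are never forwarded to the LAN."""
import re
from collections import Counter

# Matches the header of a "tcpdump -n" summary line:
#   "12:00:00.000001 IP 203.0.113.2.40000 > 198.51.100.5.1194: UDP, length 100"
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):'
)

# Constructed sample captures (hypothetical addresses, RFC 5737 ranges).
# eth0 carries the SNAT address 203.0.113.2; the VPN server is 198.51.100.5.
OUTSIDE_CAPTURE = """\
12:00:00.000001 IP 203.0.113.2.40000 > 198.51.100.5.1194: UDP, length 100
12:00:00.010000 IP 198.51.100.5.1194 > 203.0.113.2.40000: UDP, length 120
12:00:00.020000 IP 198.51.100.5.1194 > 203.0.113.2.40000: UDP, length 120
12:00:01.000000 IP 203.0.113.2.50000 > 93.184.216.34.80: Flags [S], seq 1, win 65535, length 0
12:00:01.010000 IP 93.184.216.34.80 > 203.0.113.2.50000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000000 IP 198.51.100.77.443 > 203.0.113.2.40000: Flags [R], seq 0, win 0, length 0
"""
INSIDE_CAPTURE = """\
12:00:00.000000 IP 192.168.1.10.40000 > 198.51.100.5.1194: UDP, length 100
12:00:00.999999 IP 192.168.1.20.50000 > 93.184.216.34.80: Flags [S], seq 1, win 65535, length 0
12:00:01.010001 IP 93.184.216.34.80 > 192.168.1.20.50000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""


def parse_capture(text):
    """Return a list of (src, sport, dst, dport) tuples, one per packet line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m['src'], int(m['sport']), m['dst'], int(m['dport'])))
    return pkts


def learn_snat_map(inside, outside, lan_prefix, snat_ip):
    """Map each outbound (snat_ip, sport, dst, dport) seen on eth0 back to the
    LAN source that produced it on eth1.  Assumption: SNAT kept the source
    port, so the two packets differ only in the source address."""
    outside_keys = {p for p in outside if p[0] == snat_ip}
    mapping = {}
    for (s, sp, d, dp) in inside:
        if s.startswith(lan_prefix) and (snat_ip, sp, d, dp) in outside_keys:
            mapping[(snat_ip, sp, d, dp)] = s
    return mapping


def missing_inbound(inside, outside, snat_ip, mapping):
    """For every inbound packet on eth0 addressed to snat_ip, work out what the
    de-NATed packet should look like on eth1 and count how many of those
    actually appear.  Returns {'missing': [(expected_pkt, n_outside, n_inside)],
    'unmapped': [inbound packets with no matching outbound flow]}."""
    inside_counts = Counter(inside)
    expected = Counter()
    unmapped = []
    for (s, sp, d, dp) in outside:
        if d != snat_ip:
            continue  # not a reply to our SNAT address
        lan = mapping.get((snat_ip, dp, s, sp))  # reverse of the outbound tuple
        if lan is None:
            unmapped.append((s, sp, d, dp))  # nothing to untranslate to
            continue
        expected[(s, sp, lan, dp)] += 1
    missing = []
    for pkt, n_out in sorted(expected.items()):
        n_in = inside_counts.get(pkt, 0)
        if n_in < n_out:
            missing.append((pkt, n_out, n_in))
    return {'missing': missing, 'unmapped': unmapped}


def diagnose(outside_text=OUTSIDE_CAPTURE, inside_text=INSIDE_CAPTURE,
             snat_ip='203.0.113.2', lan_prefix='192.168.1.'):
    outside = parse_capture(outside_text)
    inside = parse_capture(inside_text)
    mapping = learn_snat_map(inside, outside, lan_prefix, snat_ip)
    return missing_inbound(inside, outside, snat_ip, mapping)


if __name__ == '__main__':
    result = diagnose()
    for pkt, n_out, n_in in result['missing']:
        print('expected on LAN side %s:%d > %s:%d: seen %d outside, %d inside'
              % (pkt[0], pkt[1], pkt[2], pkt[3], n_out, n_in))
    for pkt in result['unmapped']:
        print('inbound with no outbound flow to untranslate: %s:%d > %s:%d' % pkt)
```

Run it against two real captures taken at the same time (`tcpdump -ni eth0` and `tcpdump -ni eth1`, each written to a file) by passing their contents to `diagnose()`. A packet listed under `missing` arrived at the external interface but never left on the internal one, which is exactly the case where an iptables LOG rule in the `nat` PREROUTING and `filter` FORWARD chains tells you whether it was dropped by policy or never reached the chain at all; an `unmapped` packet is unsolicited traffic that conntrack has no entry for, so the NAT table will not touch it. In the sample data the two VPN replies from 198.51.100.5 are the missing ones.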