Catching un-DNAT'ed packets
Pascal Hambourg
pascal.mail at plouf.fr.eu.org
Tue Dec 26 12:09:32 CET 2006
Hello,
Pokotilenko Kostik wrote:
>
> Is it possible to catch un-DNAT'ed packets with iptables' -j ULOG
> target?
I'm afraid not.
> Where does the un-DNAT occurs and is there table/chain that is
> processed after un-DNAT?
In 2.4 kernels, when DNAT occurs in the PREROUTING chain, un-DNAT occurs
at the same place as (and in place of) the POSTROUTING chain of the
'nat' table, and there is no chain after it. In 2.4 kernels >= 2.4.19,
when DNAT occurs in the OUTPUT chain, un-DNAT occurs after the INPUT
chain of the 'filter' table, and there is no chain after it either. I
suppose it has not changed in 2.6 kernels.
> The problem I have is that reply packets get caught with the real source
> address, not the one the client initially connected to. I was
> catching reply packets in mangle/POSTROUTING.
The POSTROUTING chain of the 'mangle' table is just before the un-DNAT
place.
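As an added illustration (not part of the mailing-list post and not kernel code), the following Python model walks packets through the forward path hook order the reply describes: nat/PREROUTING applies DNAT and records the mapping, mangle/POSTROUTING still sees the reply packet with the real server source, and the un-DNAT step at the nat/POSTROUTING position rewrites the source back with no hook after it. The addresses, the DNAT rule, the `Packet`/`Conn`/`Conntrack` classes and the `pre_dnat_source` helper are constructed for the example; the helper shows the approach a logging pipeline would take in practice, namely looking up the conntrack entry for the logged reply tuple to recover the address the client originally connected to, since iptables itself offers no hook after the un-DNAT.

```python
"""Toy model of netfilter hook traversal for a DNAT'ed connection.

Constructed illustration only: a minimal conntrack table and the
forward-path hook order (PREROUTING -> FORWARD -> POSTROUTING), used to
show what a logging rule in mangle/POSTROUTING sees on a reply packet
versus what leaves the box after the un-DNAT step.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Conn:
    original: Packet  # client -> public address, as first seen on the wire
    reply: Packet     # server -> client, carrying the real (DNAT'ed) server address


# Constructed DNAT rule: (public_ip, public_port) -> (real_ip, real_port)
DNAT_RULES = {("203.0.113.1", 80): ("10.0.0.5", 8080)}


class Conntrack:
    """Minimal stand-in for the kernel's connection-tracking table."""

    def __init__(self):
        self.conns = []

    def lookup(self, pkt):
        for c in self.conns:
            if pkt == c.original:
                return c, "ORIGINAL"
            if pkt == c.reply:
                return c, "REPLY"
        return None, None


def traverse_forward(ct, pkt):
    """Walk one forwarded packet through the hook positions and record
    what each position sees. Returns a list of (hook, packet) pairs."""
    seen = [("raw/PREROUTING", pkt)]
    conn, direction = ct.lookup(pkt)
    if conn is None:
        # New connection: nat/PREROUTING may apply DNAT and record the mapping.
        target = DNAT_RULES.get((pkt.dst, pkt.dport))
        if target:
            reply = Packet(target[0], target[1], pkt.src, pkt.sport)
            ct.conns.append(Conn(original=pkt, reply=reply))
            pkt = Packet(pkt.src, pkt.sport, target[0], target[1])
    elif direction == "ORIGINAL":
        # Later client packets: the recorded DNAT mapping is applied again.
        pkt = Packet(pkt.src, pkt.sport, conn.reply.src, conn.reply.sport)
    # REPLY direction: nothing to translate at PREROUTING in this model.
    seen.append(("nat/PREROUTING", pkt))
    seen.append(("filter/FORWARD", pkt))
    # A ULOG/LOG rule in mangle/POSTROUTING sees the packet as it is here:
    # for a reply, still with the real server source address.
    seen.append(("mangle/POSTROUTING", pkt))
    if direction == "REPLY":
        # Un-DNAT at the nat/POSTROUTING position: source rewritten back to
        # the address the client connected to. No chain is traversed after it.
        pkt = Packet(conn.original.dst, conn.original.dport, pkt.dst, pkt.dport)
    seen.append(("wire", pkt))
    return seen


def pre_dnat_source(ct, logged_reply):
    """Given a reply packet as logged in mangle/POSTROUTING, recover the
    (address, port) the client originally connected to from the conntrack
    entry. Returns None if the packet is not a tracked reply."""
    conn, direction = ct.lookup(logged_reply)
    if conn is None or direction != "REPLY":
        return None
    return conn.original.dst, conn.original.dport


if __name__ == "__main__":
    ct = Conntrack()
    syn = Packet("192.0.2.10", 40000, "203.0.113.1", 80)      # constructed client
    for hook, p in traverse_forward(ct, syn):
        print(f"client->server {hook:20} {p}")
    synack = Packet("10.0.0.5", 8080, "192.0.2.10", 40000)     # server's reply
    for hook, p in traverse_forward(ct, synack):
        print(f"server->client {hook:20} {p}")
    print("client originally connected to:", pre_dnat_source(ct, synack))
```

Running the block shows the reply observed in mangle/POSTROUTING with source 10.0.0.5:8080, while the packet on the wire carries 203.0.113.1:80; on a real system the same correlation is done against the kernel's conntrack table rather than this toy class.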