FW: Packets missing the NAT table

FW: Packets missing the NAT table

[Steve (Telsat Broadband)]

Hi All,

I’m just trying to debug an issue on our network and I’ve noticed that some
packets are being missed from some rules in the NAT table.  

Do all packets go through the NAT table or is there some exclusion?  I’m
seeing the packet hitting the mangle table as well as the filter table, but
not the NAT?

Thanks
Steve.

Re: FW: Packets missing the NAT table

[Jan Engelhardt]

On Sunday 2013-01-06 17:08, Steve (Telsat Broadband) wrote:

>Hi All,
>
>I?m just trying to debug an issue on our network and I?ve noticed that some
>packets are being missed from some rules in the NAT table.  
>
>Do all packets go through the NAT table or is there some exclusion?  I?m
>seeing the packet hitting the mangle table as well as the filter table, but
>not the NAT?

The nat table is a configuration database of sorts that is only 
consulted when necessary.

RE: FW: Packets missing the NAT table

[Steve (Telsat Broadband)]

Hi Jan,

Thanks for the quick reply.

That make sense; however now I just need to find a way to modify my rules to account for that :)

Thanks.
Steve.




-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@inai.de] 
Sent: Monday, 7 January 2013 3:55 AM
To: Steve (Telsat Broadband)
Cc: netfilter@vger.kernel.org
Subject: Re: FW: Packets missing the NAT table

On Sunday 2013-01-06 17:08, Steve (Telsat Broadband) wrote:

>Hi All,
>
>I?m just trying to debug an issue on our network and I?ve noticed that 
>some packets are being missed from some rules in the NAT table.
>
>Do all packets go through the NAT table or is there some exclusion?  
>I?m seeing the packet hitting the mangle table as well as the filter 
>table, but not the NAT?

The nat table is a configuration database of sorts that is only consulted when necessary.

Re: FW: Packets missing the NAT table

[Born Without]

On 06.01.2013 17:08, Steve (Telsat Broadband) wrote:
> Hi All,
>
> I’m just trying to debug an issue on our network and I’ve noticed that some
> packets are being missed from some rules in the NAT table.
>
> Do all packets go through the NAT table or is there some exclusion?  I’m
> seeing the packet hitting the mangle table as well as the filter table, but
> not the NAT?

What I've read in the past, the nat table is only consulted at 
connection initiation for conntrack state NEW packets.
If conntrack qualifies a packet as INVALID this won't get natted and 
sent out as is (if not dropped from another rule).
Try to catch the invalid packets with:
-m conntrack --ctstate INVALID
and see if these are the suspected ones.