From: Joel Newkirk <netfilter@newkirk.us>
To: netfilter@lists.netfilter.org
Subject: Tangent to: portfw on iptables 2.4 kernel problem.
Date: Wed, 11 Dec 2002 03:15:46 -0500
Message-ID: <200212110315.46400.netfilter@newkirk.us>
In-Reply-To: <96C102324EF9D411A49500306E06C8D1021AE36D@eketsv02.cubis.de>

In researching a rather long reply directly to Louie Miranda on this
(with no answers, just many debugging suggestions), I enabled full 
logging of all packets, with a DNAT from my firewall's external IP to a 
LAN IP, then telnetted to that IP from the firewall machine.  iptables 
v1.2.5, RedHat 7.3 'stock' kernel.

The resulting logs surprised me.

The initial packet followed this route through the firewall chains:

mangle-OUTPUT
nat-OUTPUT
filter-OUTPUT
mangle-POSTROUTING
nat-POSTROUTING
out on lo and back
mangle-PREROUTING
mangle-INPUT
filter-INPUT

skipping nat-PREROUTING.

Subsequent packets in the connection (successful telnet to myself :^) 
skipped ALL nat table rules.

Does netfilter normally skip NAT chains entirely when lo is involved?  I 
would have expected at least the initial packet to hit every chain.  
(well, not FORWARD since the DNAT never took place...)

j
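
One way to set up per-chain logging like that described in the message above, as an added example that is not part of the original post or of the netfilter project. The `<table>-<CHAIN>` log prefix, the function names, the 192.0.2.1 address and the abbreviated sample log lines are assumptions constructed for illustration.

```shell
# Added example, not from the original message. Nothing is applied: rules are
# only printed, and the sample log is constructed and abbreviated.

# Every "<table>-<CHAIN>" tag for the built-in chains, one per line.
all_tags() {
    for table in mangle nat filter; do
        case "$table" in
            mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
            nat)    chains="PREROUTING POSTROUTING OUTPUT" ;;
            filter) chains="INPUT FORWARD OUTPUT" ;;
        esac
        for chain in $chains; do echo "$table-$chain"; done
    done
}

# One LOG rule per chain, inserted first so it sees every packet.
# $1 (optional): extra match such as "-p tcp --dport 23" to limit log volume.
gen_log_rules() {
    all_tags | while IFS=- read -r table chain; do
        echo "iptables -t $table -I $chain 1 ${1:+$1 }-j LOG --log-prefix \"$table-$chain \""
    done
}

# Tags in the order they occur in kernel log lines read from stdin.
traversal() { grep -oE '(mangle|nat|filter)-[A-Z]+'; }

# Tags that logged nothing in the kernel log read from stdin.
not_seen() {
    log=$(cat)
    all_tags | while read -r tag; do
        case "$log" in *"$tag "*) ;; *) echo "$tag" ;; esac
    done
}

# Constructed log for the first packet, in the order the message reports.
sample_log() {
    cat <<'EOF'
kernel: mangle-OUTPUT IN= OUT=lo SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: nat-OUTPUT IN= OUT=lo SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: filter-OUTPUT IN= OUT=lo SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: mangle-POSTROUTING IN= OUT=lo SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: nat-POSTROUTING IN= OUT=lo SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: mangle-PREROUTING IN=lo OUT= SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: mangle-INPUT IN=lo OUT= SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
kernel: filter-INPUT IN=lo OUT= SRC=192.0.2.1 DST=192.0.2.1 PROTO=TCP DPT=23 SYN
EOF
}

sample_log | not_seen   # chains the constructed packet never logged in
```

To load the rules on a test machine, review the output of `gen_log_rules` and pipe it to `sh` as root; run `not_seen` on the relevant kernel log lines afterwards.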


