From: Adam Rosi-Kessel <adam@rosi-kessel.org>
To: netfilter@lists.netfilter.org
Subject: Re: Why would certain packets not reach nat PREROUTING chain?
Date: Thu, 10 Nov 2005 08:45:17 -0500 [thread overview]
Message-ID: <20051110134516.GA2080@bostoncoop.net> (raw)
Sandro Dentella Wrote:
> > I'm troubeshooting an issue of accessing a VPN through NAT. Right now
> > the problem can be reduced to the following question:
> > Under what conditions would inbound packets not be routing through the
> > nat PREROUTING chain?
> That's a problem that puzzles me too. Do you have fancy routing tables?
> (several different tables setup w/ iproute2).
Nope. At least for the purposes of this experiment, this is the only
thing I'm trying to do. The entire task of iptables is SNATting outbound
packet from the LAN, and then attempting to DNAT inbound packets on udp
port 500 to a specific machine with the LAN. The outbound SNAT works
fine; but the inbound packets don't ever reach the nat PREROUTING chain.
> I also have a setup in which icmp packets will not get to PREROUTING.
> My understanding is that the kernel does not understand they are destined
> for that box: could that be your situation?
I don't think that's related, although I admit I don't have a thorough
understanding of the issue... why would icmp packets matter when the
issue is inbound UDP 500 packets that are showing up in tcpdump? Wouldn't
showing up in tcpdump indicate that the kernel understands the packet is
destined for that box?
--
Adam Rosi-Kessel
http://adam.rosi-kessel.org
next reply other threads:[~2005-11-10 13:45 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-10 13:45 Adam Rosi-Kessel [this message]
2005-11-10 14:50 ` Why would certain packets not reach nat PREROUTING chain? Sandro Dentella
[not found] <20051218055403.002CDA00EA@bostoncoop.net>
2005-12-18 13:16 ` Adam Rosi-Kessel
2005-12-19 15:39 ` Re[2]: " Marcin Krol
2005-12-19 15:40 ` Adam Rosi-Kessel
2006-01-25 1:16 ` Adam Rosi-Kessel
-- strict thread matches above, loose matches on Subject: below --
2005-11-10 13:13 Gabriel
2005-11-10 1:57 Adam Rosi-Kessel
2005-11-10 1:59 ` Adam Rosi-Kessel
2005-11-10 3:18 ` Alexander Samad
2005-11-10 3:27 ` Adam Rosi-Kessel
[not found] ` <3063e50511100055m41abd50hc3af78a67896db7d@mail.gmail.com>
2005-11-10 12:44 ` Adam Rosi-Kessel
2005-11-10 10:15 ` Sandro Dentella
2005-11-10 16:44 ` Jozsef Kadlecsik
2005-11-14 14:53 ` Adam Rosi-Kessel
2005-11-14 15:03 ` Jozsef Kadlecsik
2005-11-14 15:09 ` Adam Rosi-Kessel
2005-11-15 9:07 ` Jozsef Kadlecsik
2005-11-15 13:43 ` Adam Rosi-Kessel
2005-11-15 14:00 ` Jozsef Kadlecsik
2005-11-15 23:53 ` Adam Rosi-Kessel
2005-11-15 23:57 ` Adam Rosi-Kessel
2005-11-16 0:02 ` Adam Rosi-Kessel
2005-11-16 9:42 ` Jozsef Kadlecsik
2005-11-18 1:52 ` Adam Rosi-Kessel
2005-11-18 11:07 ` Jozsef Kadlecsik
2005-11-19 3:46 ` Adam Rosi-Kessel
2005-11-19 20:34 ` Jozsef Kadlecsik
2005-11-20 17:20 ` Adam Rosi-Kessel
2005-11-24 11:00 ` Jozsef Kadlecsik
2005-11-24 13:36 ` Adam Rosi-Kessel
2005-12-17 22:59 ` Adam Rosi-Kessel
2005-12-18 6:42 ` Leonardo Rodrigues Magalhães
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051110134516.GA2080@bostoncoop.net \
--to=adam@rosi-kessel.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.