Re: Why would certain packets not reach nat PREROUTING chain?

[Adam Rosi-Kessel <adam@rosi-kessel.org>]

On Thu, Nov 10, 2005 at 17:44:16 CET, Jozsef Kadlecsik wrote:

> > > Under what conditions would inbound packets not be routing through
> > > the nat PREROUTING chain?
> > That's a problem that puzzles me too.
> Packets which cannot be associated with any existing connection
> known by the conntrack subsystem will traverse the NAT table.
> If a packet is related to any connection, which can mean:
> - the packet belongs to a connection
> - it is an ICMP error packet about a connection
> - it is a packet of a channel (like FTP data), which can be
>   associated to a connection by an appropriate helper module
> then that packet won't enter the NAT table.

The packets in question:

  - do show up in tcpdump (so they're at least passing by the network card)
  - do show up if logged in the mangle PREROUTING table (so iptables at
    least knows about them)
  - are UDP port 500 packets -- so that rules out the latter two options
    above, right? They are not ICMP error packets, and they are not 
    packets recognized by a channel like FTP data. I have no conntrack
    module loaded other than the main one and the FTP one.
  - do not show up in /proc/net/ip_conntrack. There in fact are no
    inbound entries at all in /proc/net/ip_conntrack for the IP address of the
    remote server or for any traffic on port 500 at all.

Yet, they do not enter the nat PREROUTING table.

I even added a raw table and a NOTRACK destination to packets travelling
on port 500 to every chain in the raw table. Still, the packets do not
show up in nat PREROUTING.

Any suggestions for how to figure out why they're not getting to nat
PREROUTING?  Or are they perhaps being tracked in a way that I am not
noticing?
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org