From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Steven Kath <steven.kath@vyatta.com>
Cc: Italo Valcy <italo@dcc.ufba.br>, netfilter@vger.kernel.org
Subject: Re: How to use DNAT
Date: Fri, 18 Feb 2011 00:41:26 +0100
Message-ID: <4D5DB226.7050002@plouf.fr.eu.org>
In-Reply-To: <1507403965.4030.1297983445466.JavaMail.root@tahiti.vyatta.com>
Steven Kath wrote:
> ----- "Italo Valcy" <italo@dcc.ufba.br> wrote: -----
>>
>> Well... so could be this: INVALID state... The packets are about a
>> netflow traffic (9996/UDP) coming to the firewall, which should be
>> redirected to an internal host (through the DNAT). How can I debug
>> these possible INVALID packets?
>
> iptables -I FORWARD -p udp -m udp --dport 9996 -m state --state INVALID -j LOG --log-prefix "INVALID-FWD: "
> iptables -I INPUT -p udp -m udp --dport 9996 -m state --state INVALID -j LOG --log-prefix "INVALID-IN: "
>
> This will allow you to see matching traffic through the filter
> table's FORWARD and INPUT chains with the invalid state in dmesg.
AFAIK, UDP packets cannot be INVALID.
> Also, bear in mind that the nat table is only consulted for
> packets with state NEW. If your UDP flow state transitions to
> ESTABLISHED before your NAT rule is created, the new rule will
> not be applied to that flow.
Actually it is even stricter: the nat rules are consulted only for the
first packet of a new flow ("connection"). The next packets skip the nat
rules even when the flow does not transition to ESTABLISHED (when there
is no packet in the reply direction).
> You'd need to clear that connection from the table with
> conntrack-tools, flush the entire table, or let the connection
> expire from the table for it to be considered NEW again and
> compared against the nat rules.
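The behaviour Steven and Pascal describe above, as an added example that is not part of the thread: a small Python model (constructed for illustration, not kernel code) of a conntrack table and a list of nat PREROUTING rules. It shows that the nat table is consulted only when the first packet of a flow creates its conntrack entry, that later packets in the same direction reuse that stored decision even while the flow is still NEW (no reply seen), and that deleting the conntrack entry is what makes the next packet hit the nat rules again. The packet, rule and table structures, the function names and the addresses are assumptions made for this example.

```python
# Simplified model of netfilter conntrack plus nat-table consultation.
# Constructed illustration, not kernel code: flows are keyed on the UDP
# 5-tuple and the nat decision is stored in the conntrack entry itself.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class ConnEntry:
    # DNAT target chosen when the entry was created, or None if no nat rule matched.
    dnat_to: Optional[Endpoint]
    # conntrack reports ESTABLISHED only after a packet in the reply direction.
    seen_reply: bool = False


def flow_key(pkt: dict) -> FlowKey:
    """Original-direction 5-tuple used as the conntrack key."""
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def lookup_nat(nat_rules: List[dict], pkt: dict) -> Optional[Endpoint]:
    """Walk the nat PREROUTING rules in order; the first DNAT match wins."""
    for rule in nat_rules:
        if rule["proto"] == pkt["proto"] and rule["dport"] == pkt["dport"]:
            return rule["to"]
    return None


def process_packet(table: Dict[FlowKey, ConnEntry], nat_rules: List[dict],
                   pkt: dict) -> Tuple[str, Endpoint]:
    """Return (conntrack state, effective destination) for one packet.

    The nat table is consulted only when the conntrack entry is created;
    every later packet of the flow reuses the stored decision, whether or
    not the flow ever becomes ESTABLISHED.
    """
    key = flow_key(pkt)
    entry = table.get(key)
    if entry is None:
        entry = ConnEntry(dnat_to=lookup_nat(nat_rules, pkt))
        table[key] = entry
    state = "ESTABLISHED" if entry.seen_reply else "NEW"
    return state, entry.dnat_to or (pkt["dst"], pkt["dport"])


def record_reply(table: Dict[FlowKey, ConnEntry], key: FlowKey) -> None:
    """Simulate a packet seen in the reply direction for an existing flow."""
    table[key].seen_reply = True


def conntrack_delete(table: Dict[FlowKey, ConnEntry], key: FlowKey) -> bool:
    """Model of deleting one flow with conntrack-tools; True if an entry was removed."""
    return table.pop(key, None) is not None


def demo() -> List[Tuple[str, Endpoint]]:
    """Replay the situation from the thread: the flow starts before the DNAT rule exists."""
    table: Dict[FlowKey, ConnEntry] = {}
    nat_rules: List[dict] = []
    # Constructed netflow packet, exporter -> firewall, UDP 9996 (placeholder addresses).
    pkt = {"proto": "udp", "src": "192.0.2.10", "sport": 40000,
           "dst": "198.51.100.1", "dport": 9996}
    results = []
    # 1: first packet creates the entry; no nat rule exists yet, so no DNAT is stored.
    results.append(process_packet(table, nat_rules, pkt))
    # DNAT rule added afterwards (assumed internal collector 10.0.0.5).
    nat_rules.append({"proto": "udp", "dport": 9996, "to": ("10.0.0.5", 9996)})
    # 2: same flow, still NEW (no reply), but the nat table is not consulted again.
    results.append(process_packet(table, nat_rules, pkt))
    # Remove the entry, as conntrack-tools would, so the next packet is a fresh flow.
    conntrack_delete(table, flow_key(pkt))
    # 3: entry is recreated and the DNAT rule now applies.
    results.append(process_packet(table, nat_rules, pkt))
    return results


if __name__ == "__main__":
    for step, (state, dest) in enumerate(demo(), 1):
        print(f"packet {step}: state={state} delivered to {dest[0]}:{dest[1]}")
```

The third packet is the only one that reaches the internal host, which is why adding the DNAT rule alone is not enough for a UDP stream that is already being tracked: either the conntrack entry is deleted, or the flow must time out of the table first.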