LOG natted packet.

LOG natted packet.

[federico.disante]

Hi,

I'm the admin of a linux based router/firewall, that protects a LAN.

I would like to log the path follwed by a response packet of a
source-natted connection.

In the interfarce (eth1) connected to the ADSL modem, connected to
internet, the box does source nat, with the following rule

iptables -t nat -I POSTROUTING 1 -o eth1 -j SNAT --to-source 192.168.1.128

To log the packets back flow from the internet (from the host whose ip is
4.5.6.7) to the LAN, I write the following rules:

iptables -t mangle -I PREROUTING 1 -p tcp -s 4.5.6.7 -j LOG --log-prefix
"Packet_back_in_pre_mangle"

iptables -t nat -I PREROUTING 1 -p tcp -s 4.5.6.7 -j LOG --log-prefix
"Packet_back_in_pre_nat"
         
iptables -t mangle -I FORWARD 1 -p tcp -s 4.5.6.7 -j LOG --log-prefix
"Packet_back_in_forw_mangle"

The problem I have is that the LOG in the PREROUTING chain does not output
nothing. From the syslog I get the following

May 14 17:14:25 LinuxBasedFirewall kernel: [3651139.713796]
Packet_back_in_pre_mangle IN=eth1 OUT=
MAC=00:e0:18:b1:16:82:00:60:3b:29:f1:3f:08:00 SRC=4.5.6.7 DST=192.168.1.128
LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=1263
WINDOW=14600 RES=0x00 ACK SYN URGP=0

May 14 17:14:25 LinuxBasedFirewall kernel: [3651139.713892]
Packet_back_in_forw_mangle IN=eth1 OUT=eth1 SRC=4.5.6.7 DST=192.168.10.192
LEN=44 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=443 DPT=1263
WINDOW=14600 RES=0x00 ACK SYN URGP=0 MARK=0x1e

The log clearly show the back translation of the source natted packet
(from the natted ip 192.168.1.128 to the original source ip
192.168.10.192).

My question is: why I do not get the log from the nat table in the
PREROUTING chain? It seems the packet disappears in the nat table in the
PREROUTING chain and reappears in the mangle table in the FORWARD chain!
Any suggestions?

Thank you,
Federico

Re: LOG natted packet.

[Pascal Hambourg]

Hello,

federico.disante a écrit :
> 
> My question is: why I do not get the log from the nat table in the
> PREROUTING chain?

Quote from iptables' manpage :

========
nat:
     This table is consulted when a packet  that  creates  a  new
     connection  is encountered.
========

Obviously, a reply packet does not create a new connection.

Re: LOG natted packet.

[Federico Di Sante]

Thank you Pascal.

2013/5/15 Federico Di Sante <federico.disante@duet.it>:
> Thank you Pascal.
>
> Federico
>
>
>
> 2013/5/15 Pascal Hambourg <pascal@plouf.fr.eu.org>
>>
>> Hello,
>>
>> federico.disante a écrit :
>> >
>> > My question is: why I do not get the log from the nat table in the
>> > PREROUTING chain?
>>
>> Quote from iptables' manpage :
>>
>> ========
>> nat:
>>      This table is consulted when a packet  that  creates  a  new
>>      connection  is encountered.
>> ========
>>
>> Obviously, a reply packet does not create a new connection.
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>


2013/5/15 Federico Di Sante <federico.disante@duet.it>:
> Thank you Pascal.
>
> Federico
>
>
>
> 2013/5/15 Pascal Hambourg <pascal@plouf.fr.eu.org>
>>
>> Hello,
>>
>> federico.disante a écrit :
>> >
>> > My question is: why I do not get the log from the nat table in the
>> > PREROUTING chain?
>>
>> Quote from iptables' manpage :
>>
>> ========
>> nat:
>>      This table is consulted when a packet  that  creates  a  new
>>      connection  is encountered.
>> ========
>>
>> Obviously, a reply packet does not create a new connection.
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>