From: Robert Nichols <rnicholsNOSPAM@comcast.net>
To: netfilter@vger.kernel.org
Subject: Re: Rules PREROUTING doesn't work
Date: Wed, 17 Mar 2010 19:20:29 -0500
Message-ID: <hnrrke$d0$1@dough.gmane.org>
In-Reply-To: <56378e321003171325n18f4ca91x358acadc0568643c@mail.gmail.com>

On 03/17/2010 03:25 PM, Richard Horton wrote:
> On 17 March 2010 15:20, Angel Motta<angelmotta@gmail.com>  wrote:
>
>> When I apply this rule I did iptables-save and I see that NAT and I
>> also see my rule with iptables -t nat -L, but the VPN clients are still
>> connected to the Firewall with that public IP.
>
> Existing connections prior to the rule being inserted will not be
> moved until they reestablish a new connection.
>
> You can turn tracing on (iptables -t raw -A PREROUTING -j trace) and
> see if the rule is being met or not.
>
> By the sound of it something isn't matching so you might want to try
> inserting a rule to log traffic - just use the same match criteria but
> use the log target rather than DNAT - if you see no log entries then
> the rule for some reason isn't quite right...

And, I just noticed that the protocol is UDP.  The only way a UDP
entry gets removed from conntrack is by timing out, and that can take
up to 3 minutes (see the values in
/proc/sys/net/netfilter/nf_conntrack_udp_timeout*).

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
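As an added example (not part of the thread, and not the poster's own commands), the script below carries out the three diagnostic steps the replies above describe in plain POSIX shell: it derives a LOG rule with exactly the same match criteria as the DNAT rule, it lists the UDP conntrack entries that predate the rule (their reply tuple still comes from the firewall itself rather than from the DNAT target) together with the seconds left until they time out, and it prints the conntrack(8) deletions that would evict those entries instead of waiting out nf_conntrack_udp_timeout_stream. The public address 198.51.100.1, the DNAT target 10.0.0.5, the port 1194, the log prefix and the sample conntrack lines are all assumed placeholder values. For the record, the raw-table tracing target iptables accepts is spelled TRACE; the LOG rule here does not need it.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder values (assumed):
# the firewall's public address, the VPN port and the intended DNAT target.
PUBLIC_IP=198.51.100.1
VPN_PORT=1194
DNAT_TARGET=10.0.0.5

# 1. Derive a LOG rule from the DNAT rule as iptables-save prints it, keeping
#    the match criteria identical and inserting it (-I) ahead of the DNAT rule:
#    a kernel-log line proves the match, silence proves the match is wrong.
#    Load it (as root) by pasting the printed rule after "iptables -t nat".
log_rule_for() {
    printf '%s\n' "$1" |
        sed -e 's/^-A /-I /' \
            -e 's/ -j DNAT .*$/ -j LOG --log-prefix "vpn-dnat: "/'
}

# 2. Find UDP flows to the VPN port that were tracked before the DNAT rule
#    existed. NAT is decided when the first packet of a flow is tracked, so an
#    older entry keeps its original reply tuple (src = the firewall) until it
#    expires. Input is /proc/net/nf_conntrack on stdin; output is one line
#    "client_ip seconds_until_timeout" per stale flow. Field 5 of a udp line is
#    the remaining timeout, capped by nf_conntrack_udp_timeout (30 s) or, for
#    two-way flows, nf_conntrack_udp_timeout_stream (180 s).
stale_udp_flows() {
    awk -v pub="$PUBLIC_IP" -v port="$VPN_PORT" -v target="$DNAT_TARGET" '
    $3 == "udp" {
        n = 0; split("", src); split("", dst); split("", dport)
        for (i = 6; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src") { n++; src[n] = kv[2] }
            else if (kv[1] == "dst") dst[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        # tuple 1 is the original direction, tuple 2 the reply direction
        if (dst[1] == pub && dport[1] == port && src[2] != target)
            print src[1], $5
    }'
}

# 3. Rather than waiting up to 3 minutes, evict the stale entries with
#    conntrack-tools. This only prints the commands; running them needs root.
delete_cmds() {
    while read -r client _secs; do
        printf 'conntrack -D -p udp --orig-src %s --orig-dst %s --orig-port-dst %s\n' \
            "$client" "$PUBLIC_IP" "$VPN_PORT"
    done
}

# Constructed sample in /proc/net/nf_conntrack format (not real data):
# flow 1 predates the rule (reply src is the firewall), flow 2 was DNATed,
# flow 3 is unrelated TCP and is ignored.
SAMPLE_CONNTRACK='ipv4     2 udp      17 172 src=203.0.113.10 dst=198.51.100.1 sport=40000 dport=1194 src=198.51.100.1 dst=203.0.113.10 sport=1194 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=203.0.113.11 dst=198.51.100.1 sport=40001 dport=1194 src=10.0.0.5 dst=203.0.113.11 sport=1194 dport=40001 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.12 dst=198.51.100.1 sport=50000 dport=22 src=198.51.100.1 dst=203.0.113.12 sport=22 dport=50000 [ASSURED] mark=0 use=2'

check_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | stale_udp_flows
}

log_rule_for '-A PREROUTING -d 198.51.100.1/32 -p udp -m udp --dport 1194 -j DNAT --to-destination 10.0.0.5'
check_sample
check_sample | delete_cmds
```

On a live firewall, feed the real table in with "cat /proc/net/nf_conntrack | stale_udp_flows" (root, nf_conntrack loaded); the LOG hits show up in the kernel log (dmesg or syslog) under the prefix. Deleting the stale entries makes the client's next datagram start a fresh flow, which is when the DNAT rule is consulted.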



Thread overview: 14+ messages
2010-03-17  3:27 Rules PREROUTING doesn't work Angel Motta
2010-03-17  6:21 ` Michele Petrazzo - Unipex
2010-03-17 13:14 ` Robert Nichols
2010-03-17 13:20   ` Jan Engelhardt
2010-03-17 15:20     ` Angel Motta
2010-03-17 20:25       ` Richard Horton
2010-03-18  0:20         ` Robert Nichols [this message]
2010-03-18  1:14           ` Jan Engelhardt
2010-03-18  4:48             ` Robert Nichols
2010-03-18  5:53               ` Angel Motta
2010-03-18 11:15                 ` Mart Frauenlob
2010-03-18 15:36                   ` Angel Motta
     [not found]                     ` <1268931387.3763.31.camel@casper.meteor.dp.ua>
2010-03-19  5:11                       ` Angel Motta
2010-03-19  8:01                         ` Mart Frauenlob
