* Re: SNAT of ICMP fragmentation-nee
From: Antony Stone @ 2002-06-10 12:18 UTC
To: netfilter

On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> :) this is really not the problem, now I am logging all packets, no address
> specification ;)
>
> -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> SNAT POST "

Hmmm. Okay - this is beyond my understanding of netfilter - can anyone else
suggest why icmp packets going through the machine would get logged and
processed by PREROUTING and FORWARD but not by POSTROUTING ?

Antony.
* Re: SNAT of ICMP fragmentation-nee
From: Ramin Alidousti @ 2002-06-10 14:52 UTC
To: Antony Stone; +Cc: netfilter

On Mon, Jun 10, 2002 at 01:18:12PM +0100, Antony Stone wrote:
> On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> > :) this is really not the problem, now I am logging all packets, no address
> > specification ;)
> >
> > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > SNAT POST "
>
> Hmmm. Okay - this is beyond my understanding of netfilter - can anyone else
> suggest why icmp packets going through the machine would get logged and
> processed by PREROUTING and FORWARD but not by POSTROUTING ?

Is it not because of the fact that the very first packet of a conn
would go through the whole nat rule set and as soon as a rule is
matched and a conn has been set up, the subsequent packets of that
conn would not go through the whole rule set but get natted and
de-natted by that entry? I thought I read this somewhere...

So, if you also had a DNAT for that conn in PREROUTING, after the
first initial packet (which sets up the dnat entry), no other packet
of that conn would scan through the PREROUTING rule set including
the LOG rule...

However, the filter table is always consulted for each and every
packet, that's why you see the LOG in the FORWARD chain...

Ramin

> Antony.
* Re: SNAT of ICMP fragmentation-nee
From: Antony Stone @ 2002-06-10 15:01 UTC
To: netfilter

On Monday 10 June 2002 3:52 pm, Ramin Alidousti wrote:
> On Mon, Jun 10, 2002 at 01:18:12PM +0100, Antony Stone wrote:
> > Hmmm. Okay - this is beyond my understanding of netfilter - can anyone
> > else suggest why icmp packets going through the machine would get logged
> > and processed by PREROUTING and FORWARD but not by POSTROUTING ?
>
> Is it not because of the fact that the very first packet of a conn
> would go through the whole nat rule set and as soon as a rule is
> matched and a conn has been set up, the subsequent packets of that
> conn would not go through the whole rule set but get natted and
> de-natted by that entry? I thought I read this somewhere...
>
> So, if you also had a DNAT for that conn in PREROUTING, after the
> first initial packet (which sets up the dnat entry), no other packet
> of that conn would scan through the PREROUTING rule set including
> the LOG rule...
>
> However, the filter table is always consulted for each and every
> packet, that's why you see the LOG in the FORWARD chain...

I see what you're saying here, Ramin - basically anything which is being
'automatically' de-NATted because of an entry in the conntracking table
doesn't go through the ruleset because (a) that's inefficient, and (b) it
might do something which messes up the automatic de-NATting itself.

However, it seems like a bit of a 'gotcha' which should be better documented,
if you can't LOG any packet you want to, at every stage as it makes its way
through your machine...?

Antony.
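The traversal rule Ramin describes and Antony paraphrases above (the nat table is consulted only for the packet that creates a conntrack entry; mangle and filter chains see every packet), as an added toy model. This is editor-written example code, not code from the thread or from the netfilter project. The Packet, Router and simulate names, the log-prefix strings reused from the thread, and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed for the example. It also goes one step beyond the thread by treating an ICMP error that quotes a flow the box has never tracked as INVALID, which is how conntrack classifies such a packet; that packet skips the nat table too.

```python
"""Toy model of which netfilter tables see a forwarded packet.

Real kernels key conntrack on full tuples and track both directions; this
model keeps only what is needed to show why a LOG rule in the nat table
fires at most once per connection while filter/mangle LOG rules fire on
every packet.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0                   # TCP ports; unused for icmp
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    inner: Optional["Packet"] = None  # datagram quoted inside an ICMP error


def is_icmp_error(pkt: Packet) -> bool:
    # Only destination-unreachable (type 3) is modelled here.
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.inner is not None


def flow_key(pkt: Packet):
    """Direction-independent connection tuple.

    An ICMP error is looked up by the packet it quotes, which is why
    conntrack reports it as RELATED to the original flow.
    """
    if is_icmp_error(pkt):
        return flow_key(pkt.inner)
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


Hook = Tuple[str, str]                      # (table, chain)
LogRule = Tuple[Hook, str, Callable[[Packet], bool]]  # (hook, log prefix, match)


class Router:
    """A forwarding box with LOG rules placed at given (table, chain) hooks."""

    def __init__(self, log_rules: List[LogRule]):
        self.log_rules = log_rules
        self.conntrack = set()
        self.logged = Counter()      # log prefix -> number of times it fired

    def forward(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.conntrack:
            state = "RELATED" if is_icmp_error(pkt) else "ESTABLISHED"
        elif is_icmp_error(pkt):
            state = "INVALID"        # error about a flow we never saw: no entry
        else:
            state = "NEW"
        # mangle and filter chains are consulted for every forwarded packet;
        # the nat chains only for the packet that creates the conntrack entry.
        consult_nat = state == "NEW"
        path: List[Hook] = [("mangle", "PREROUTING")]
        if consult_nat:
            path.append(("nat", "PREROUTING"))
        path += [("filter", "FORWARD"), ("mangle", "POSTROUTING")]
        if consult_nat:
            path.append(("nat", "POSTROUTING"))
        for hook in path:
            for rule_hook, prefix, match in self.log_rules:
                if rule_hook == hook and match(pkt):
                    self.logged[prefix] += 1
        if state == "NEW":
            self.conntrack.add(key)
        return state


def icmp_frag_needed(pkt: Packet) -> bool:
    # Equivalent of "-p icmp --icmp-type 3/4" (fragmentation-needed).
    return pkt.proto == "icmp" and pkt.icmp_type == 3 and pkt.icmp_code == 4


def simulate():
    """Replay the thread's scenario; returns (conntrack states, LOG counts)."""
    rules: List[LogRule] = [
        (("nat", "POSTROUTING"), "icmp SNAT POST ", icmp_frag_needed),
        (("mangle", "PREROUTING"), "icmp SNAT PRE ", icmp_frag_needed),
        (("nat", "POSTROUTING"), "nat new conn ", lambda p: True),
        (("filter", "FORWARD"), "fwd ", lambda p: True),
    ]
    router = Router(rules)
    lan, srv, hop = "192.0.2.10", "203.0.113.80", "198.51.100.1"  # constructed
    syn = Packet("tcp", lan, srv, 40000, 80)
    synack = Packet("tcp", srv, lan, 80, 40000)
    data = Packet("tcp", lan, srv, 40000, 80)
    states = [router.forward(p) for p in (syn, synack, data)]
    # A hop on the path reports that the data segment needs fragmenting.
    frag = Packet("icmp", hop, lan, icmp_type=3, icmp_code=4, inner=data)
    states.append(router.forward(frag))
    # An error quoting a connection this box has never tracked.
    stray_inner = Packet("tcp", lan, "203.0.113.99", 40001, 443)
    stray = Packet("icmp", hop, lan, icmp_type=3, icmp_code=4, inner=stray_inner)
    states.append(router.forward(stray))
    return states, dict(router.logged)


if __name__ == "__main__":
    print(simulate())
```

Running it shows the "icmp SNAT POST " rule in the nat table never firing: a fragmentation-needed error is RELATED to an existing flow (or INVALID), never the first packet of a connection, so the nat POSTROUTING chain is not traversed for it, while the same match in mangle PREROUTING and the catch-all in filter FORWARD count every packet. The practical consequence for logging is the one the thread arrives at: a LOG rule meant to see every packet at a hook belongs in the mangle or filter table, not in nat.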
* Re: SNAT of ICMP fragmentation-nee
From: Jack Bowling @ 2002-06-10 16:06 UTC
To: netfilter

** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 10 Jun 2002 13:18:12 +0100

> On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> > :) this is really not the problem, now I am logging all packets, no address
> > specification ;)
> >
> > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > SNAT POST "
>
> Hmmm. Okay - this is beyond my understanding of netfilter - can anyone else
> suggest why icmp packets going through the machine would get logged and
> processed by PREROUTING and FORWARD but not by POSTROUTING ?

Wouldn't hurt to add the interface(s).

jb

--
Jack Bowling
mailto: jbinpg@shaw.ca
* Re: SNAT of ICMP fragmentation-nee
From: Ramin Alidousti @ 2002-06-10 18:03 UTC
To: Jack Bowling; +Cc: netfilter

On Mon, Jun 10, 2002 at 09:06:41AM -0700, Jack Bowling wrote:
> ** Reply to message from Antony Stone <Antony@Soft-Solutions.co.uk> on Mon, 10 Jun 2002 13:18:12 +0100
>
> > On Monday 10 June 2002 12:45 pm, jakub@angel.cz wrote:
> > > :) this is really not the problem, now I am logging all packets, no address
> > > specification ;)
> > >
> > > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > > SNAT POST "
> >
> > Hmmm. Okay - this is beyond my understanding of netfilter - can anyone else
> > suggest why icmp packets going through the machine would get logged and
> > processed by PREROUTING and FORWARD but not by POSTROUTING ?
>
> Wouldn't hurt to add the interface(s).

Absolutely!! You omit the -i/-o switches only when you _really_ don't
care about the direction of the packet flow.

Ramin

> jb
>
> --
> Jack Bowling
> mailto: jbinpg@shaw.ca
* SNAT of ICMP fragmentation-nee
From: Hard__warE @ 2002-06-10 12:56 UTC
To: netfilter

> iptables -I POSTROUTING -t nat -p icmp --icmp-type \
> fragmentation-needed -j LOG --log-prefix "icmp SNAT POST "
>
> iptables -I PREROUTING -t mangle -p icmp --icmp-type \
> fragmentation-needed -j LOG --log-prefix "icmp SNAT PRE "

do you need to log all interfaces / chains or a particular adapter ????

ok have you tried using this instead

$IPTABLES -t nat -A POSTROUTING -p icmp --icmp-type \
fragmentation-needed -j LOG --log-prefix "icmp SNAT POST "

$IPTABLES -t nat -A PREROUTING -p icmp --icmp-type \
fragmentation-needed -j LOG --log-prefix "icmp SNAT PRE "

.... oh and this one is for Antony Stone ... :D ... Gday ..

> Hmmm. Okay - this is beyond my understanding of netfilter - can anyone else
> suggest why icmp packets going through the machine would get logged and
> processed by PREROUTING and FORWARD but not by POSTROUTING ?

i have tested this with ICMP and it iz very true ... It seems as if the
IPtables Box handles the actual ICMP traffic locally. So a box on the local
LAN can ping someone on the net and in your POSTROUTING stage the packets
aren't logged ... packets may flow through the actual theory of
Prerouting ---> Forward --> Postrouting and actually not go through the
Postrouting stage ... I found by using IP aliases and a few modifications to
your IPTables script you can achieve a lot of things that are thought to be
not possible .... :D .. hehhe