Re: Why would certain packets not reach nat PREROUTING chain?

[Adam Rosi-Kessel <adam@rosi-kessel.org>]

On Thu, Nov 10, 2005 at 02:18:34PM +1100, Alexander Samad wrote:
> On Wed, Nov 09, 2005 at 08:59:37PM -0500, Adam Rosi-Kessel wrote:
> > Adam Rosi-Kessel wrote:
> > > I'm troubleshooting an issue of accessing a VPN through NAT. Right now the
> > > problem can be reduced to the following question:
> > > Under what conditions would inbound packets not be routing through the nat
> > > PREROUTING chain?
> > I should add that, just for debugging purposes, the default policy for all
> > chains is set to ACCEPT. There are also no DROP rules anywhere in any table
> > (again, just for debugging).
> my understanding is that the NAT table only sees the initial packets of
> a connection

Is that the only situation in which an inbound packet that shows up in
tcpdump would not show up in an itables nat PREROUTING log?

I also tried adding a raw table entry to prevent connection tracking, as
follows:

iptables -t raw -A PREROUTING -p udp --dport 500 -j NOTRACK

But the iptables nat PREROUTING log still did not show any of the inbound
packets.

> if this is ipsec it could be a ipsec problem ?

Well, the NAT box is not running IPSec. I'm trying to diagnose an IPSec
problem involving the client and the server, but for various reasons I
can't make the NAT box the IPSec endpoint. It shouldn't be that difficult
because I only have one box inside the LAN with a fixed NAT IP address
that needs to connect to the VPN server, and so I'm trying to direct udp
500 right to that client, but the problem seems to be the inbound packets
are not even entering the PREROUTING chain.
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org