Re: Why would certain packets not reach nat PREROUTING chain?

[Adam Rosi-Kessel <adam@rosi-kessel.org>]

On Tue, Nov 15, 2005 at 06:57:45PM -0500, Adam Rosi-Kessel wrote:
> On Tue, Nov 15, 2005 at 06:53:19PM -0500, Adam Rosi-Kessel wrote:
> > > > So, setting aside the question of why I wasn't seeing that before, shouldn't
> > > > I be able to see the incoming packets as they are routed to the internal
> > > > client machine, even if they are tracked connections?  When I watch the
> > > > inward-facing interface with tcpdump, I don't see any of these packets
> > > > getting routed to that machine, although I do see the outbound packets.
> > > I don't clearly understand you here. It is always best to run tcpdump on
> > > both interfaces so that one can compare what packets are routed properly
> > > and how they were mangled/NAT-ed by the firewall. If some packets are
> > > missing from either side then that's a clear sign that those packets were
> > > dropped by either a matching rule/policy or by the system itself.
> > > Did the logging produce anything?
> I should probably also mention that the NAT box has two external IP
> addresses, both on eth0 (eth0 and eth0:1), although I don't think this
> should affect anything, maybe there's something I don't know. All
> outbound traffic from the LAN is SNAT'ed to the eth0:1 external IP
> address, and the VPN traffic I'm seeing is coming back into that same IP
> address.

Actually, it's probably even not worth mentioning. If I bring down eth0:1
and just do everything through one IP address on eth0, I get the same
results as before.
-- 
Adam Rosi-Kessel
http://adam.rosi-kessel.org