From mboxrd@z Thu Jan 1 00:00:00 1970
From: Zoilo
Subject: Re: NAT PREROUTING chain ignored on returning traffic ??
Date: Mon, 01 Sep 2003 15:58:47 +0200
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <3F535097.6090400@xs4all.nl>
References: <3F4FA204.6010605@xs4all.nl>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Errors-To: netfilter-admin@lists.netfilter.org
To: Jim Carter, Philip Craig
Cc: netfilter@lists.netfilter.org

Thank you for this refresh cycle on my memory!

Z.

Jim Carter wrote:

> On Fri, 29 Aug 2003, Zoilo wrote:
>
>> I have 2 machines connected via a LAN: 192.168.192.254 and
>> 192.168.192.123. I will call them '254' and '123' from now on.
>
> --- snip ---
>
>> Then I did a single 'ping' from one to the other, and vice versa, while
>> logging at 123.
>
> --- snip ---
>
>> To my astonishment, in II) the returning ICMP packets do *not* travel
>> through the NAT PREROUTING chain! In I) however, the incoming packets
>> *do* travel through the NAT PREROUTING chain, as expected.
>
> The NAT PREROUTING chain is for packets from outside the machine that
> initiate a connection (whether thru traffic, or destined for the machine
> itself). ICMP echo exchanges are tracked by conntrack and count as a
> connection. So when on 254 you do "ping 123", 123 will log the packet in
> the NAT table, whereas on 123 you do "ping 254", but the answer is part of
> the established connection. The only NATting that will happen, happens on
> 254 when it gets the echo query packet.
>
> Hope this helps!
>
> James F. Carter Voice 310 825 2897 FAX 310 206 6673
> UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
> Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
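To check the behaviour Jim describes against your own logs on '123', here is an added Python example (not from this thread or from netfilter): it parses kernel LOG lines and lists the packets that were logged by a rule in mangle PREROUTING (which sees every packet) but never by the rule in nat PREROUTING, i.e. the packets conntrack matched to an existing connection. The log lines, the host name, the ICMP ids and the rule prefixes "mangle-PRE" and "nat-PRE" are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed kernel LOG lines as they would land in kern.log on '123' with a
# LOG rule in mangle PREROUTING (prefix "mangle-PRE: ") and one in nat
# PREROUTING (prefix "nat-PRE: "). First two lines: 254 pings 123 (case I);
# last line: the echo reply that returns after 123 pinged 254 (case II).
SAMPLE_LOG = """\
Sep  1 15:40:02 h123 kernel: mangle-PRE: IN=eth0 OUT= SRC=192.168.192.254 DST=192.168.192.123 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4660 SEQ=1
Sep  1 15:40:02 h123 kernel: nat-PRE: IN=eth0 OUT= SRC=192.168.192.254 DST=192.168.192.123 LEN=84 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4660 SEQ=1
Sep  1 15:41:10 h123 kernel: mangle-PRE: IN=eth0 OUT= SRC=192.168.192.254 DST=192.168.192.123 LEN=84 TTL=64 ID=1 PROTO=ICMP TYPE=0 CODE=0 ID=4661 SEQ=1
"""

# The IP header and the ICMP echo header both print as "ID=", so anchor the
# echo id on the "PROTO=ICMP TYPE=.. CODE=.." sequence that precedes it.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>\S+): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=ICMP TYPE=(?P<type>\d+) CODE=\d+ ID=(?P<id>\d+) SEQ=(?P<seq>\d+)"
)
ICMP_TYPE = {8: "echo-request", 0: "echo-reply"}


def chains_per_packet(log_text):
    """Map each ICMP packet (src, dst, type, echo id, seq) to the set of LOG
    prefixes, i.e. chains, that recorded it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            key = (m["src"], m["dst"], int(m["type"]), int(m["id"]), int(m["seq"]))
            seen[key].add(m["prefix"])
    return dict(seen)


def nat_prerouting_skipped(log_text, nat="nat-PRE", every="mangle-PRE"):
    """Packets seen by the mangle rule but not by the nat rule: conntrack
    matched them to an existing connection, so the nat table was not consulted."""
    return [pkt for pkt, chains in chains_per_packet(log_text).items()
            if every in chains and nat not in chains]


def report(log_text):
    """One summary line per packet that bypassed nat PREROUTING."""
    return ["%s %s -> %s id=%d seq=%d: seen in PREROUTING, not in nat table"
            % (ICMP_TYPE.get(t, "type-%d" % t), src, dst, i, seq)
            for src, dst, t, i, seq in nat_prerouting_skipped(log_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The same split explains why a rule that must see every packet (filtering, logging, marking) belongs in the filter or mangle table, never in nat.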