From: "Tyler J. Wagner" <tyler@tolaris.com>
To: Ellad Yatsko <eyatsko@runoguy.ru>
Cc: netfilter@vger.kernel.org
Subject: Re:
Date: Tue, 23 Aug 2011 12:35:18 +0100
Message-ID: <4E539076.1070609@tolaris.com>
In-Reply-To: <4E538A10.3030508@runoguy.ru>

On 2011-08-23 12:08, Ellad Yatsko wrote:
> Main problem is DNAT does not work as I wait. It seems to me there is an
> implicit additional DNAT rule for SNAT, and because *my* DNAT rule does
> not work. May you show me how it could be "switched off"? :-)

It's not an implicit rule. If either rule matches the FIRST time the
traffic is seen, it will become an established connection. NAT will be
applied to it in both directions. See the current list of tracked
connections with:

    cat /proc/net/ip_conntrack

Don't run that on a system with a lot of traffic. You'll get one line for
each session. For 1000 sessions, that's manageable. For 500,000, it will
block the terminal for a long time.

Regards,
Tyler

--
"The map is not the territory."
-- Alfred Korzybski
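
To see which tracked connections have NAT applied without printing one line per session, the sketch below (an added example, not part of the original message) streams the conntrack table and prints only flows whose reply tuple is not the mirror of the original tuple. The function names and the sample entries are constructed for illustration; it compares addresses only, so a port-only translation is not flagged.

```sh
# Constructed sample entries in /proc/net/ip_conntrack format (not real traffic).
sample_table() {
    cat <<'EOF'
tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] use=1
tcp 6 431990 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=34567 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=34567 [ASSURED] use=1
tcp 6 431980 ESTABLISHED src=203.0.113.9 dst=198.51.100.1 sport=51000 dport=80 src=192.168.1.20 dst=203.0.113.9 sport=80 dport=51000 [ASSURED] use=1
EOF
}

# nat_flows [FILE]: print only the NATed flows, then a one-line summary.
# FILE defaults to the live table; "-" reads standard input.
nat_flows() {
    awk '
    {
        # Collect src=/dst= in order: the first pair is the original
        # direction, the second pair is the reply conntrack expects.
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(src|dst)=/) { split($i, kv, "="); addr[++n] = kv[2] }
        if (n < 4) next
        total++
        osrc = addr[1]; odst = addr[2]; rsrc = addr[3]; rdst = addr[4]
        # Without NAT the reply is the mirror image of the original.
        # Addresses only: a port-only translation is not flagged.
        kind = ""
        if (rsrc != odst) kind = "DNAT"
        if (rdst != osrc) kind = (kind == "" ? "SNAT" : kind "+SNAT")
        if (kind != "") {
            nat++
            printf "%s %s %s->%s reply %s->%s\n", kind, $1, osrc, odst, rsrc, rdst
        }
    }
    END { printf "total=%d nat=%d\n", total, nat }
    ' "${1:-/proc/net/ip_conntrack}"
}

# Demo on the constructed sample; run "nat_flows" with no argument on a router.
sample_table | nat_flows -
```

A flow listed as SNAT or DNAT here was translated when its first packet matched a rule, and the same mapping is then applied to replies for the life of the entry.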