From: "Michel Benoit"
To: Grant Taylor
Cc: Mail List - Netfilter
Subject: Re: IP forwarding with MASQUERADE
Date: Wed, 8 Oct 2008 18:12:40 +0200
References: <48E62AD3.9060001@riverviewtech.net> <48EBA72B.80306@riverviewtech.net>
In-Reply-To: <48EBA72B.80306@riverviewtech.net>

> Am I correct in presuming that "mail1.telia.com" is 10.0.0.1?

Yes. I get the same result no matter what ip address I use.

> I believe the connections that connection tracking is keeping track of are
> listed somewhere in /proc, but I don't know where off hand.

Should the file /proc/net/ip_masquerade exist? I found some reference
to it on the web but there does not seem to be such a file when I grep
the source code.
Are there any other files I can look at?
/proc/net/ip_conntrack or /proc/net/nf_conntrack for example

>> Can the combination of iptables v1.3.8 and linux kernel v2.6.25 be out of
>> synch or corrupted?
>
> I would not think. Usually if you have a mis-match between the iptables
> binary and the kernel you will get an error indicating such, not a weird
> mis-behavior like you are seeing.

Can netfilter be broken in 2.6.25? Has anything changed in the
netfilter kernel code recently?

> The only thing that comes to mind is that there is something stale in your
> IPTables rules in memory. Will you please do an iptables-save and show us
> the output?

# iptables-save
# Generated by iptables-save v1.3.8 on Wed Oct 8 17:48:35 2008
*raw
:PREROUTING ACCEPT [12:1335]
:OUTPUT ACCEPT [8:672]
COMMIT
# Completed on Wed Oct 8 17:48:35 2008
# Generated by iptables-save v1.3.8 on Wed Oct 8 17:48:35 2008
*nat
:PREROUTING ACCEPT [3:427]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:252]
-A POSTROUTING -j LOG --log-prefix "msk:"
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 8 17:48:35 2008
# Generated by iptables-save v1.3.8 on Wed Oct 8 17:48:35 2008
*mangle
:PREROUTING ACCEPT [12:1335]
:INPUT ACCEPT [11:1251]
:FORWARD ACCEPT [1:84]
:OUTPUT ACCEPT [8:672]
:POSTROUTING ACCEPT [9:756]
COMMIT
# Completed on Wed Oct 8 17:48:35 2008
# Generated by iptables-save v1.3.8 on Wed Oct 8 17:48:35 2008
*filter
:INPUT ACCEPT [11:1251]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:672]
-A INPUT -j LOG --log-prefix "in:"
-A FORWARD -j LOG --log-prefix "fwd:"
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "out:"
COMMIT
# Completed on Wed Oct 8 17:48:35 2008
#
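
Added example, not part of the original message or of any netfilter code: a short reader for the connection-tracking listings named above (/proc/net/ip_conntrack and /proc/net/nf_conntrack). For each entry it reports whether the reply tuple differs from the original tuple, which is how a MASQUERADE (source NAT) rewrite shows up in those files. The function names and the sample lines are my own; 10.0.0.1 is the destination from the thread and every other address is constructed.

```python
import re
import sys

# Constructed sample: two lines in nf_conntrack layout, one in the older
# ip_conntrack layout (no leading "ipv4 2" columns).
SAMPLE = """\
ipv4     2 tcp      6 431995 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=40000 dport=25 src=10.0.0.1 dst=203.0.113.5 sport=25 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 icmp     1 29 src=192.168.1.10 dst=10.0.0.1 type=8 code=0 id=4711 [UNREPLIED] src=10.0.0.1 dst=192.168.1.10 type=0 code=0 id=4711 mark=0 use=2
tcp      6 117 TIME_WAIT src=192.168.1.1 dst=192.168.1.10 sport=22 dport=51000 src=192.168.1.10 dst=192.168.1.1 sport=51000 dport=22 [ASSURED] use=1
"""

PAIR = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_entry(line):
    """Return (protocol, original tuple, reply tuple) for one conntrack line."""
    fields = line.split()
    proto = fields[2] if fields[0] in ("ipv4", "ipv6") else fields[0]
    tuples = []
    for key, value in PAIR.findall(line):
        if key == "src":              # each "src=" opens a new direction
            tuples.append({})
        if tuples and key in TUPLE_KEYS:
            tuples[-1][key] = value
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuple: " + line)
    return proto, tuples[0], tuples[1]

def nat_kind(orig, reply):
    """Compare directions: an untranslated flow has mirrored addresses."""
    kinds = []
    if reply["dst"] != orig["src"]:
        kinds.append("SNAT")          # MASQUERADE appears as source NAT
    if reply["src"] != orig["dst"]:
        kinds.append("DNAT")
    return "+".join(kinds) or "none"

def report(text):
    """One row per entry: proto, original src, reply dst, NAT kind, unreplied."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        proto, orig, reply = parse_entry(line)
        rows.append((proto, orig["src"], reply["dst"],
                     nat_kind(orig, reply), "[UNREPLIED]" in line))
    return rows

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for row in report(text):
        print(*row)
```

Run it with the path of the conntrack file as its only argument; without an argument it prints the rows for the constructed sample.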