From: Steve Fink
Subject: Re: NAT table bypass for local traffic
Date: Wed, 28 Apr 2010 10:59:40 -0700
To: Bill Prochazka
Cc: netfilter@vger.kernel.org

I probably shouldn't be responding, knowing as little as I do about such things, but I believe this is by design. The nat table only gets a crack at packets that initiate a connection -- as in, do not yet exist in the connection tracking tables. This is true even of UDP packets, because connection tracking heuristically assigns those to connections based on observed IP,port pairs and the traffic pattern.

If you want to see those packets in the nat table, you have a number of options: (1) figure out how to do what you want on a connection basis and make sure you have everything set up before any connections are established; (2) install conntrack-tools and do a conntrack -F to flush out tracked connections, so you'll get one packet from each connection through the nat table; or (3) add a rule to the raw table that bypasses connection tracking via the NOTRACK target.

From the iptables manpage, in the description of the nat table: "This table is consulted when a packet that creates a new connection is encountered."
I don't know what mechanism makes related packets in an established connection follow the translation actions set up by the initial packets. There's a magic sheep bit in there somewhere.

On Wed, Apr 28, 2010 at 10:19 AM, Bill Prochazka wrote:
> So, I have an interesting observation. I am doing some wonky fun
> stuff with iptables and have noticed that traffic generated by a host
> on an existing connection, is bypassing the NAT table for processing.
> I ran netcat listening on a host and log all traffic on the OUTPUT
> and POSTROUTING chains. When I connect from another host, the traffic
> is not processed by those chains. However, if I initiate a connection
> from that host, the chains are processed appropriately. Is this by
> design or is this a bug? The traffic does pass through the mangle
> table, just not the NAT table. Anyone ever encounter something like
> this? I have verified this on both CentOS 5.4 (2.6.18) and busybox
> (2.6.27).
>
> Bill
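As an added illustration of the behaviour discussed in this thread (it is not code from the thread or from netfilter itself), here is a small Python model of connection tracking: the nat hook is consulted only when a flow is NEW, the packets Bill's listener sends back belong to an existing entry and skip it, and flushing the table (Steve's option 2) makes the next packet hit the nat table again. The addresses and ports are constructed sample values, and the model keeps only flow tuples where real conntrack also stores the NAT binding.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NetfilterModel:
    """Toy model of the mangle and nat hooks of one chain (e.g. POSTROUTING).
    Real conntrack stores the NAT binding on the entry; this only tracks tuples."""
    def __init__(self):
        self.conntrack = set()            # original-direction 5-tuples of known flows
        self.hits = {"mangle": 0, "nat": 0}

    def flush_conntrack(self):
        """Model of `conntrack -F`: every flow becomes NEW again."""
        self.conntrack.clear()

    def traverse(self, pkt):
        """Pass one packet through the hooks and return its conntrack state."""
        orig = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.hits["mangle"] += 1          # mangle sees every packet
        if orig in self.conntrack or reply in self.conntrack:
            return "ESTABLISHED"          # nat skipped; stored binding reused
        self.hits["nat"] += 1             # only the first packet of a flow
        self.conntrack.add(orig)
        return "NEW"

def bill_scenario():
    """Listener 192.0.2.10:9999 logging in nat; client 198.51.100.7 connects.
    Constructed sample addresses; returns states and hit counters."""
    nf = NetfilterModel()
    syn = Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 9999)
    reply = Packet("tcp", "192.0.2.10", 9999, "198.51.100.7", 40000)
    # The inbound SYN creates the entry; the listener's own packets are the
    # reply direction, so nat OUTPUT/POSTROUTING never logs them.
    states = [nf.traverse(syn), nf.traverse(reply), nf.traverse(reply)]
    before = dict(nf.hits)
    nf.flush_conntrack()                  # option (2) from the thread
    states.append(nf.traverse(reply))     # NEW again: nat table consulted
    return states, before, dict(nf.hits)

if __name__ == "__main__":
    print(bill_scenario())
```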