Re: Catching un-DNAT'ed packets

To:	netfilter@lists.netfilter.org
Subject:	Re: Catching un-DNAT'ed packets
From:	Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date:	Tue, 26 Dec 2006 12:09:32 +0100
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<1167054030.16171.10.camel@localhost.localdomain>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization:	Plouf !
References:	<1167054030.16171.10.camel@localhost.localdomain>
Sender:	netfilter-bounces@lists.netfilter.org
User-agent:	Mozilla Thunderbird 1.0.6 (Windows/20050716)

To:

netfilter@lists.netfilter.org

Subject:

Re: Catching un-DNAT'ed packets

From:

Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Date:

Tue, 26 Dec 2006 12:09:32 +0100

Delivered-to:

sp-com-lists@consult.net

Delivered-to:

netfilter-list1@securepoint.com

In-reply-to:

<1167054030.16171.10.camel@localhost.localdomain>

List-archive:

</pipermail/netfilter>

List-help:

<mailto:netfilter-request@lists.netfilter.org?subject=help>

List-id:

General discussion and user questions <netfilter.lists.netfilter.org>

List-post:

<mailto:netfilter@lists.netfilter.org>

List-subscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>

List-unsubscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>

Organization:

Plouf !

References:

<1167054030.16171.10.camel@localhost.localdomain>

Sender:

netfilter-bounces@lists.netfilter.org

User-agent:

Mozilla Thunderbird 1.0.6 (Windows/20050716)

Hello,

Pokotilenko Kostik a écrit :


Is it possible to catch un-DNAT'ed packets with iptables' -j ULOG
target?


I'm afraid no.

Where does the un-DNAT occurs and is there table/chain that is
processed after un-DNAT?

In 2.4 kernels, when DNAT occurs in the PREROUTING chain, un-DNAT occursat the same place as (and in place of) the POSTROUTING chain of the'nat' table, and there is no chain after it. In 2.4 kernels >= 2.4.19,when DNAT occurs in the OUTPUT chain, un-DNAT occurs after the INPUTchain of the 'filter' table, and there is no chain after it either. Isuppose it has not changed in 2.6 kernels.

The problem I have is that replay packets got catched with real source
address, not the one the client has initially connected to. I was
catching replay packets in mangle/POSTROUTING.

The POSTROUTING chain of the 'mangle' table is just before the un-DNATplace.

<Prev in Thread]	Current Thread	[Next in Thread>
Catching un-DNAT'ed packets, Покотиленко Костик Re: Catching un-DNAT'ed packets, Pascal Hambourg <= Re: Catching un-DNAT'ed packets, Покотиленко Костик

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: [LARTC] Interesting article about punching holes in firewalls..., Torsten Luettgert
Next by Date:	Re: Port forwarding - what's wrong with my setup?, Nandan Bhat
Previous by Thread:	Catching un-DNAT'ed packets, Покотиленко Костик
Next by Thread:	Re: Catching un-DNAT'ed packets, Покотиленко Костик
Indexes:	[Date] [Thread] [Top] [All Lists]