Hello Jan,
Monday, January 29, 2007, 2:24:47 PM, you wrote:
>> iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
JE> Make sure there are no other terminating rules in POSTROUTING that could stop a
JE> packet from reaching this SNAT rule.
No, the SNAT rule is the FIRST in the POSTROUTING chain. Also, I have
noticed that maybe I was wrong... I mean, the issue is not with the SNAT
rule, but with a REDIRECT in PREROUTING.
I have noticed now that all of the packets that are not SNATed are FIN,ACK
or RST,ACK packets that go to port 80 on the remote host.
I have just remembered that I have a PREROUTING rule (the first in the
chain) that does a REDIRECT to a local proxy, like this:
iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport 80 -j REDIRECT --to-port 8080
Now, this means that (I had forgotten about it even though I configured it)
there should be NO web traffic to be SNATed, because all of the connections
to port 80 go through the proxy.
So, it seems that somehow it is the PREROUTING rule that fails to catch the
packets and does not REDIRECT them to the local proxy, and these packets go
out of the WAN interface, where no connection tracking state is registered
for them because they do not belong to a SNATed connection... and this is
why they do not get SNATed.
So the new question is: why does the REDIRECT rule in PREROUTING miss some
packets? And why always FIN packets?
Thanks again.
--
Fabio "Kurgan" Muzzi
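The behaviour Fabio describes is what netfilter does when a packet arrives for a connection that conntrack no longer knows about: the nat table is consulted only for the packet that creates a conntrack entry (state NEW), every later packet of that flow reuses the mapping stored in the entry, and a TCP packet with no entry that is not a SYN is classified INVALID and skips the nat table entirely, so it leaves the WAN interface with its private source address. The usual mitigation is to drop INVALID packets in the filter table (`iptables -A FORWARD -m state --state INVALID -j DROP`). The following is an added example that is not part of the original thread: a deliberately simplified Python model of that conntrack/nat interaction, replaying the rules from the message against a constructed client (10.0.1.5) and a constructed remote web server (192.0.2.10, a TEST-NET address). Real conntrack keeps per-state timeouts, tracks both directions of a flow and can also lose entries on a table flush or restart; this model uses a single idle timeout and tracks the original direction only.

```python
"""Simplified model of netfilter connection tracking and the nat table.

Added example, not code from the original post. Assumptions: one idle
timeout for every state, original-direction tuples only, and only the
two nat rules quoted in the thread (REDIRECT --dport 80 in PREROUTING,
SNAT for 10.0.0.0/16 in POSTROUTING).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAN_NET = ipaddress.ip_network("10.0.0.0/16")   # -s 10.0.0.0/16 from the thread
WAN_ADDR = "217.221.234.74"                     # --to-source from the thread
PROXY_PORT = 8080                               # --to-port from the thread
CT_TIMEOUT = 300   # seconds; a single idle timeout stands in for conntrack's per-state timers


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: Tuple[str, ...]   # e.g. ("SYN",), ("FIN", "ACK")


@dataclass
class Entry:
    last_seen: float
    mapping: Optional[Tuple[str, object]] = None   # ("REDIRECT", port) or ("SNAT", addr)


class Router:
    def __init__(self, drop_invalid: bool = False):
        self.ct: Dict[tuple, Entry] = {}
        self.drop_invalid = drop_invalid   # models "-m state --state INVALID -j DROP" in FORWARD

    def classify(self, pkt: Packet, now: float) -> str:
        """Return the conntrack state NEW, ESTABLISHED or INVALID for this packet."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ent = self.ct.get(key)
        if ent is not None and now - ent.last_seen <= CT_TIMEOUT:
            ent.last_seen = now
            return "ESTABLISHED"
        self.ct.pop(key, None)                      # an expired entry is simply gone
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.ct[key] = Entry(last_seen=now)     # only a SYN may open a new flow
            return "NEW"
        return "INVALID"   # FIN/RST with no entry: conntrack cannot place it anywhere

    def nat_prerouting(self, pkt: Packet):
        # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
        if ipaddress.ip_address(pkt.src) in LAN_NET and pkt.dport == 80:
            return ("REDIRECT", PROXY_PORT)
        return None

    def nat_postrouting(self, pkt: Packet):
        # iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.0/16 -j SNAT --to-source 217.221.234.74
        if ipaddress.ip_address(pkt.src) in LAN_NET:
            return ("SNAT", WAN_ADDR)
        return None

    def handle(self, pkt: Packet, now: float) -> Tuple[str, str, str, int]:
        """Return (where the packet went, conntrack state, source seen on the wire, port)."""
        state = self.classify(pkt, now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if state == "NEW":
            # The nat table is traversed once, for the packet that created the entry.
            mapping = self.nat_prerouting(pkt) or self.nat_postrouting(pkt)
            self.ct[key].mapping = mapping
        elif state == "ESTABLISHED":
            mapping = self.ct[key].mapping       # replay the stored mapping, no rule lookup
        else:
            if self.drop_invalid:
                return ("DROP", state, pkt.src, pkt.dport)
            mapping = None                       # INVALID: nat table is never consulted
        if mapping and mapping[0] == "REDIRECT":
            return ("LOCAL", state, pkt.src, mapping[1])
        if mapping and mapping[0] == "SNAT":
            return ("WAN", state, mapping[1], pkt.dport)
        return ("WAN", state, pkt.src, pkt.dport)   # leaves eth2 untranslated


def scenario(drop_invalid: bool = False) -> List[Tuple[str, str, str, int]]:
    """Constructed traffic: a port-80 flow, a port-443 flow, then a late FIN for port 80."""
    r = Router(drop_invalid)
    client, web = ("10.0.1.5", 40000), "192.0.2.10"
    events = [
        (0.0,    Packet(*client, web, 80, ("SYN",))),
        (1.0,    Packet(*client, web, 80, ("ACK",))),
        (2.0,    Packet(*client, web, 443, ("SYN",))),
        (3.0,    Packet(*client, web, 443, ("ACK",))),
        (2000.0, Packet(*client, web, 80, ("FIN", "ACK"))),   # conntrack forgot this flow long ago
    ]
    return [r.handle(p, t) for t, p in events]


if __name__ == "__main__":
    for row in scenario():
        print(row)
    print("with INVALID dropped:", scenario(drop_invalid=True)[-1])
```

The last event is the case from the thread: the late FIN,ACK is INVALID, so neither the REDIRECT nor the SNAT rule is ever evaluated for it and it is forwarded with the 10.0.1.5 source intact; with `drop_invalid=True` the same packet is dropped in FORWARD instead of leaking onto the WAN.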