
Re: iptables NEW TABLE request. WAS[Re: Catching un-DNAT'ed packets]

To: netfilter@lists.netfilter.org
Subject: Re: iptables NEW TABLE request. WAS[Re: Catching un-DNAT'ed packets]
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Wed, 31 Jan 2007 12:38:43 +0100
In-reply-to: <1170234888.4464.9.camel@localhost.localdomain>
Organization: Plouf !
References: <1167054030.16171.10.camel@localhost.localdomain> <459102EC.50402@plouf.fr.eu.org> <1169810473.8286.8.camel@localhost.localdomain> <1170086305.11285.4.camel@localhost.localdomain> <Pine.LNX.4.61.0701301145530.23321@yvahk01.tjqt.qr> <Pine.LNX.4.61.0701301901470.13737@yvahk01.tjqt.qr> <1170234888.4464.9.camel@localhost.localdomain>

Hello

Pokotilenko Kostik wrote:

> -t nat -A POSTROUTING -m conntrack --ctstate DNAT --ctorigdst x.x.x.x

> Just to make sure. This rule will match the packets with conntrack state
> "DNAT" and whose original (before DNAT) destination address was x.x.x.x,
> right?

This is my understanding. However I would recommend not to put such a rule in the nat table because chains in the nat table do not see reply packets.

> If I add -j ULOG to this rule what would be logged packet source address
> for reply packet (Server->Client)? Original, that client was initially
> connected to, or real, that was set during DNAT?

The rule would log the current packet source address as usual, so it won't show the original destination address unless you had put it in the --log-prefix option.

> By the way does -m conntrack --ctstate DNAT --ctorigdst x.x.x.x match
> request or reply packets or packets belonging to connection which was
> originally made to x.x.x.x?

From my understanding, the latter. "Original" and "reply" usually refer to connection tracking, not individual packets. However I am not sure whether it would match the first packet creating the connection, can anyone confirm?
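The arrangement discussed above, as an added example that is not part of the thread: the DNAT itself stays in the nat table, while the `--ctorigdst` logging rules go in the filter FORWARD chain, which sees both directions of the connection, with the original destination carried in `--log-prefix` since the log line only shows the current addresses. The addresses, interface names and DNAT-req/DNAT-rep prefixes are assumptions; the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the list post. Addresses are constructed.
PUBLIC_IP="203.0.113.10"      # the x.x.x.x of the thread (documentation range)
INTERNAL_IP="192.168.1.20"    # assumed real server behind the DNAT
WAN_IF="eth0"                 # assumed interface names
LAN_IF="eth1"

# Print a rule instead of applying it unless APPLY=1 and we are root.
ipt() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        iptables "$@"
    else
        printf 'iptables'; printf ' %s' "$@"; printf '\n'
    fi
}

# The LOG target accepts at most 29 characters of prefix; longer prefixes
# get cut off and the original destination would be lost from the log line.
check_prefix() {
    [ "${#1}" -le 29 ]
}

# The nat table only sees the first packet of a connection, so it is used
# for the address rewrite only, never for logging both directions.
dnat_rule() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$INTERNAL_IP:80"
}

# "DNAT" is a per-connection state: these rules match every packet of a
# connection whose original destination was PUBLIC_IP, request and reply.
# The filter table sees both directions; -i / -o separate the two.
log_rules() {
    req="DNAT-req orig=$PUBLIC_IP "
    rep="DNAT-rep orig=$PUBLIC_IP "
    check_prefix "$req" && check_prefix "$rep" || return 1
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate DNAT \
        --ctorigdst "$PUBLIC_IP" -j LOG --log-prefix "$req"
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate DNAT \
        --ctorigdst "$PUBLIC_IP" -j LOG --log-prefix "$rep"
}

dnat_rule
log_rules
```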

