On Jun 5 2007 19:10, Craig Bernstein wrote:
> On 5/22/07, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
>> iptables -t nat -N yes_do_me_1
>> iptables -t nat -A yes_do_me_1 -j LOG ...
>> iptables -t nat -A yes_do_me_1 -j SNAT ...
>>
>> iptables -t nat -s 134.76.0.0/16 -d whatever -p tcp -j yes_do_me_1
>>
>> Or you could use `conntrack -E`... or conntrack -L for a momentary
>> state.
>
> Jan, thank you for your suggestion, but setting it up that way gives
> me the same results as before. The log entry looks like this:
>
> IN= OUT=eth0 SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00
> TTL=125 ID=52743 DF PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00
> SYN URGP=0
>
> "SRC" is the inside client address. "DST" is the outside server
> address. I still need to log the outside address the client is SNATed
> to, i.e. the public Internet address the server will see.
iptables -t nat -N ydm1
iptables -t nat -A ydm1 -j LOG --log-prefix "[Address got SNATed to 134.76.13.21] "
iptables -t nat -A ydm1 -j SNAT --to 134.76.13.21
iptables -t nat -A POSTROUTING <-d condition -m condition or whatever> -j ydm1
It already was a complete example. When you SNAT, you know you do.
> Petr recommended the conntrack tool, which may work but will require
> upgrading a box that is currently running Debian Sarge. Is that my
> only option?
Teardown logging: yes. Setup: See above and/or conntrack.
Jan
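As an added illustration of the setup-time logging Jan describes (this is not code from the thread), the snippet below parses kernel LOG lines of the shape Craig quoted and recovers the public address from the log prefix. It assumes a prefix of the form "[... SNATed to A.B.C.D]" as emitted by a LOG rule in the SNAT chain; the sample log text is constructed here.

```python
import re

# Constructed sample log text in the kernel LOG format quoted in the thread.
# Line 1 carries the prefix the SNAT chain's LOG rule would add; line 2 is a
# plain LOG hit from some other rule, with no translation information.
SAMPLE_LOG = """\
Jun  5 19:10:01 gw kernel: [Address got SNATed to 134.76.13.21] IN= OUT=eth0 SRC=10.1.2.3 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=52743 DF PROTO=TCP SPT=1535 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  5 19:10:02 gw kernel: IN= OUT=eth0 SRC=10.1.2.4 DST=209.85.139.147 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=52744 DF PROTO=TCP SPT=1536 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Assumed prefix shape: "[<anything> SNATed to <ipv4>]" (tolerant of the
# exact wording in front of "SNATed").
PREFIX_RE = re.compile(r"\[[^\]]*SNATed to (?P<snat>\d{1,3}(?:\.\d{1,3}){3})\]")
# KEY=VALUE tokens; VALUE may be empty (e.g. "IN=" on locally generated or
# forwarded-out packets).
KV_RE = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")
# Bare flag tokens the LOG target prints without an '='.
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Parse one kernel LOG line into a dict.

    'snat_to' holds the public address from the prefix, or None when the
    line did not come from the SNAT chain's LOG rule.
    """
    m = PREFIX_RE.search(line)
    rec = {"snat_to": m.group("snat") if m else None, "flags": set()}
    for kv in KV_RE.finditer(line):
        rec[kv.group("key")] = kv.group("val")
    for tok in line.split():
        if tok in FLAGS:
            rec["flags"].add(tok)
    return rec


def snat_translations(log_text):
    """Map (inside SRC, SPT, DST, DPT) -> public address for prefixed lines.

    Only lines carrying the SNAT prefix contribute; other LOG hits are
    skipped because they say nothing about the translation.
    """
    out = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec["snat_to"] is None or "SRC" not in rec or "DST" not in rec:
            continue
        key = (rec["SRC"], rec.get("SPT"), rec["DST"], rec.get("DPT"))
        out[key] = rec["snat_to"]
    return out


if __name__ == "__main__":
    for flow, public in snat_translations(SAMPLE_LOG).items():
        src, sport, dst, dport = flow
        print(f"{src}:{sport} -> {dst}:{dport} leaves as {public}")
```

One caveat worth keeping in mind when reading such logs: the nat table is only traversed by the first packet of a connection, so a LOG rule placed in front of SNAT records the mapping once at setup, which is exactly why Jan separates "setup" (this approach) from "teardown" (conntrack).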