From: Eric B. on 7 Apr 2008 16:52

Hi,

I'm running into a strange issue here. I'm not sure if I have done something wrong, or if I am simply misunderstanding things.

I have added a very simple rule in my POSTROUTING nat table to log all packets, but the packets I am looking to find don't show up in my log file. If I initiate the packets from the machine itself (eg: ping www.yahoo.com), then I see those packets show up. However, if the machine is simply responding to packets from another machine (ex: ping 192.168.101.64 from another computer), they don't show up in the POSTROUTING table. I'll see the packets show up in the log statement from the OUTPUT filter table, but not in the POSTROUTING nat table.

I was under the impression/understanding that all packets travel through the POSTROUTING nat table. Is this incorrect? Do they only traverse that table under special circumstances? Do response packets not traverse the POSTROUTING table?

# iptables -F
# iptables -t nat -I POSTROUTING -j LOG --log-prefix "POSTROUTE"
# iptables -I OUTPUT -j LOG --log-prefix "OUTPUT"

I've taken a look at http://www.docum.org/docum.org/kptd/ and from what I can tell, all packets are supposed to traverse the POSTROUTING table... Am I missing something obvious here?

I'm running RHEL 4.2, kernel 2.6.9-67.0.4.ELsmp.

Thanks!

Eric

-- 
Posted via a free Usenet account from http://www.teranews.com
From: Pascal Hambourg on 7 Apr 2008 19:49

Hello,

Eric B. wrote:
>
> I have added a very simple rule in my POSTROUTING nat table to log all
> packets

*Beep* The nat table chains see only the first packet of each new connection. This means they can see only packets with the state NEW.

Do not use the nat table for anything but NAT.
From: Eric B. on 7 Apr 2008 21:26

"Pascal Hambourg" <boite-a-spam(a)plouf.fr.eu.org> wrote in message news:ftebu5$1jrj$1(a)biggoron.nerim.net...
> Hello,
>
> Eric B. wrote:
>>
>> I have added a very simple rule in my POSTROUTING nat table to log all
>> packets
>
> *Beep* The nat table chains see only the first packet of each new
> connection. This means they can see only packets with the state NEW.

But for connectionless protocols, like ICMP, does that not mean that every new ping would have to travel through the nat table chains? I added a log rule in the PREROUTE nat table and see all the incoming ICMP ping requests; just absolutely nothing in the POSTROUTE nat table....

> Do not use the nat table for anything but NAT.

Can one not put logging rules in the nat tables? I put it in the PREROUTE table and it seems to work....

Thanks!

Eric
From: Pascal Hambourg on 8 Apr 2008 04:57

Eric B. wrote:
>
>>> I have added a very simple rule in my POSTROUTING nat table to log all
>>> packets
>>
>> *Beep* The nat table chains see only the first packet of each new
>> connection. This means they can see only packets with the state NEW.
>
> But for connectionless protocols, like ICMP, does that not mean that every
> new ping would have to travel through the nat table chains?

Yes, unless it is a duplicate (which was not answered).

> I added a log
> rule in the PREROUTE nat table and see all the incoming ICMP ping requests;

Because these are echo requests (type 8).

> just absolutely nothing in the POSTROUTE nat table....

Because these are echo replies (type 0). Echo requests create a new "connection", echo replies don't. As you said in your first message, when you run a ping from the machine the LOG rule in POSTROUTING/nat sees outgoing echo requests. However the LOG rule in PREROUTING/nat does not see the echo replies because these are ESTABLISHED.

>> Do not use the nat table for anything but NAT.
>
> Can one not put logging rules in the nat tables?

Of course you can. But you must know what you are doing. If you want to log *all* packets, you don't want to put the rules in the nat table.

> I put it in the PREROUTE table and it seems to work....

It logs only incoming echo requests, as in POSTROUTING/nat. It doesn't log incoming echo replies.
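The behaviour Pascal describes can be confirmed from the kernel log alone: a LOG rule in a nat-table chain records echo requests (type 8) but never the echo replies (type 0) that the filter-table OUTPUT rule records. The following is an added example, not code from the thread. It parses constructed log lines in the format the iptables LOG target writes, using Eric's prefixes "POSTROUTE" and "OUTPUT" and an assumed "PREROUTE" prefix for the PREROUTING/nat rule he mentions; the addresses, ICMP ids and timestamps are constructed.

```python
import re
from collections import Counter

# Constructed sample in the LOG-target format. Eric's rules use --log-prefix without
# a trailing space, so the prefix runs straight into "IN=" (e.g. "POSTROUTEIN=").
# Scenario: 192.168.101.10 pings this host (id 4321, two requests), then this host
# pings 203.0.113.5 (id 1234, two requests). Conntrack keys ICMP echo on type/code/id,
# so only the first request of each run is NEW; later ones are ESTABLISHED and never
# reach a nat-table chain. Replies are never NEW.
SAMPLE_LOG = """\
Apr  7 16:40:01 host kernel: PREROUTEIN=eth0 OUT= SRC=192.168.101.10 DST=192.168.101.64 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Apr  7 16:40:01 host kernel: OUTPUTIN= OUT=eth0 SRC=192.168.101.64 DST=192.168.101.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=1
Apr  7 16:40:02 host kernel: OUTPUTIN= OUT=eth0 SRC=192.168.101.64 DST=192.168.101.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=2
Apr  7 16:41:10 host kernel: OUTPUTIN= OUT=eth0 SRC=192.168.101.64 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Apr  7 16:41:10 host kernel: POSTROUTEIN= OUT=eth0 SRC=192.168.101.64 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Apr  7 16:41:11 host kernel: OUTPUTIN= OUT=eth0 SRC=192.168.101.64 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
"""

# The prefix is whatever sits between "kernel: " and the first "IN=" field.
LOG_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return (prefix, fields) for one LOG-target line, or None for any other line.

    Bare flags such as DF carry no '=' and are skipped. ID= appears twice (IP header
    id, then ICMP id); the dict keeps the later one, i.e. the ICMP id.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall("IN=" + m.group("rest")))
    return m.group("prefix"), fields


def icmp_types_by_chain(log_text):
    """Count ICMP packets per (log prefix, ICMP type) so each chain's view can be compared."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, fields = parsed
        if fields.get("PROTO") == "ICMP":
            counts[(prefix, int(fields["TYPE"]))] += 1
    return counts


def chains_missing_replies(counts):
    """Prefixes that logged echo requests (type 8) but no echo replies (type 0).

    That pattern is the signature of a LOG rule sitting in a nat-table chain, which is
    traversed only by the first packet of a connection.
    """
    prefixes = {prefix for prefix, _ in counts}
    return sorted(p for p in prefixes if counts[(p, 8)] and not counts[(p, 0)])


if __name__ == "__main__":
    by_chain = icmp_types_by_chain(SAMPLE_LOG)
    for (prefix, icmp_type), n in sorted(by_chain.items()):
        print(f"{prefix:10s} ICMP type {icmp_type}: {n} packet(s)")
    print("chains that never saw a reply:", chains_missing_replies(by_chain))
```

Run against the sample, OUTPUT shows both types, while POSTROUTE and PREROUTE show only type 8 and only the first request of each ping run, which is exactly the asymmetry Eric observed. The parser splits the prefix at "IN=" because the rules omit a trailing space in `--log-prefix`; adding one (for example `"POSTROUTE "`) keeps the prefix separable by a plain space in real logs. To see every packet, the LOG rule has to live in a chain that all packets traverse, such as a filter-table chain or POSTROUTING in the mangle table, rather than in the nat table.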