Thanks again Tom. I have determined that conntrack -F sends the next packet
through the nat table and it works correctly. So, I have set a trap, with
tcpdump on both interfaces, shorewall trace, and conntrack -E; in a while I
should have results (if the disk doesn't fill up first!)
On Sun, Apr 29, 2018 at 4:30 PM, Tom Eastep <teas...@shorewall.net> wrote:
> On 04/28/2018 10:17 PM, Norman Henderson wrote:
> > SO, UDP NAT has continued to happen overnight... Keeping that in mind
> > here is what I get immediately after conntrack -F :
> >
> > Apr 29 06:03:50 voyage3 kernel: [34497.236640] TRACE:
> > raw:PREROUTING:policy:13 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=391
> > Apr 29 06:03:50 voyage3 kernel: [34497.236685] TRACE:
> > mangle:PREROUTING:policy:1 IN=vlan1 OUT=
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=391
> > Apr 29 06:03:50 voyage3 kernel: [34497.236716] TRACE:
> > mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1
> > MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3
> > DST=192.168.1.35 LEN=411 TOS=0x00 PREC=0x60 TTL=63 ID=53015 PROTO=UDP
> > SPT=5060 DPT=5060 LEN=391
>
> Note that the DST IP address changed without the packet going through
> the nat table. That means that there was already a conntrack entry in
> place. Were you tracing when you did the 'conntrack -F'?
>
> -Tom
>
> Note: It is also odd that each trace message was repeated. I deleted the
> duplicates in the output above.
>
> --
> Tom Eastep \ Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \ understand
> \_______________________________________________
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
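Tom's diagnostic above (the DST was rewritten before any nat hook appeared in the trace, so the mapping must have come from an existing conntrack entry rather than from the nat table) can be applied mechanically to a whole TRACE log. The script below is an added example, not code from this thread or from Shorewall. Its log lines are constructed: the first packet (ID 53015) reproduces the hops quoted above on single syslog lines with the repeated messages left in so the script can collapse them, and the second packet (ID 53016) is a made-up first packet after `conntrack -F` that does traverse `nat:PREROUTING`. Correlating the hops of one packet by (PROTO, SRC, SPT, IP ID) is an assumption of this script, not something the thread states.

```python
"""Classify iptables TRACE output: for each traced packet, was the destination
rewritten by a nat-table rule, or from an existing conntrack entry?

Added example, not code from the thread.  SAMPLE_LOG is constructed: packet
ID 53015 reproduces the hops quoted in the thread, packet ID 53016 is a
made-up post-'conntrack -F' packet that hits nat:PREROUTING.
"""
import re

TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<num>\d+) (?P<fields>.*)$"
)

# Constructed sample (one syslog line per hop; the mail client wrapped the originals).
SAMPLE_LOG = """\
Apr 29 06:03:50 voyage3 kernel: [34497.236640] TRACE: raw:PREROUTING:policy:13 IN=vlan1 OUT= MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:03:50 voyage3 kernel: [34497.236640] TRACE: raw:PREROUTING:policy:13 IN=vlan1 OUT= MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:03:50 voyage3 kernel: [34497.236685] TRACE: mangle:PREROUTING:policy:1 IN=vlan1 OUT= MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53015 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:03:50 voyage3 kernel: [34497.236716] TRACE: mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1 MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35 LEN=411 TOS=0x00 PREC=0x60 TTL=63 ID=53015 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:04:12 voyage3 kernel: [34519.001000] TRACE: raw:PREROUTING:policy:13 IN=vlan1 OUT= MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53016 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:04:12 voyage3 kernel: [34519.001020] TRACE: mangle:PREROUTING:policy:1 IN=vlan1 OUT= MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53016 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:04:12 voyage3 kernel: [34519.001040] TRACE: nat:PREROUTING:rule:2 IN=vlan1 OUT= MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=10.1.0.252 LEN=411 TOS=0x00 PREC=0x60 TTL=64 ID=53016 PROTO=UDP SPT=5060 DPT=5060 LEN=391
Apr 29 06:04:12 voyage3 kernel: [34519.001060] TRACE: mangle:FORWARD:rule:1 IN=vlan1 OUT=wlan1 MAC=78:45:c4:17:55:91:08:00:27:e6:9f:f5:08:00 SRC=10.1.0.3 DST=192.168.1.35 LEN=411 TOS=0x00 PREC=0x60 TTL=63 ID=53016 PROTO=UDP SPT=5060 DPT=5060 LEN=391
"""


def parse_trace_line(line):
    """Return (table, chain, fields) for one TRACE line, or None for other lines."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, _, val = tok.partition("=")   # 'OUT=' yields an empty value
        fields.setdefault(key, val)        # keep the IP LEN, not the UDP LEN after it
    return m.group("table"), m.group("chain"), fields


def packet_key(fields):
    """Correlate the hops of one packet (assumption: the IP ID is stable across
    hooks while DST and TTL may change)."""
    return (fields.get("PROTO"), fields.get("SRC"), fields.get("SPT"), fields.get("ID"))


def group_hops(log_text):
    """Map packet_key -> ordered list of (table, chain, fields); a verbatim
    repeat of a hop (identical TRACE payload) is dropped."""
    hops, seen = {}, set()
    for line in log_text.splitlines():
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        payload = line.split("TRACE: ", 1)[1]
        if payload in seen:
            continue
        seen.add(payload)
        table, chain, fields = parsed
        hops.setdefault(packet_key(fields), []).append((table, chain, fields))
    return hops


def classify(hop_list):
    """Return (verdict, original_dst, new_dst).
    'nat-table' : a nat:* hop preceded the first hop showing a changed DST
    'conntrack' : DST changed with no nat hop before it (existing entry applied)
    'unchanged' : DST never changed in the traced hops"""
    original_dst = hop_list[0][2].get("DST")
    nat_seen = False
    for table, _chain, fields in hop_list:
        if fields.get("DST") != original_dst:
            return ("nat-table" if nat_seen else "conntrack", original_dst, fields.get("DST"))
        if table == "nat":
            nat_seen = True
    return ("unchanged", original_dst, original_dst)


def analyse(log_text):
    """Verdict for every traced packet in log_text."""
    return {key: classify(hops) for key, hops in group_hops(log_text).items()}


if __name__ == "__main__":
    for (proto, src, spt, ipid), (verdict, old, new) in analyse(SAMPLE_LOG).items():
        print(f"{proto} {src}:{spt} id={ipid}: DST {old} -> {new} via {verdict}")
```

Run against the real TRACE log (`journalctl -k | python3 trace_nat.py`-style piping is left out so the block stays self-contained) the "conntrack" verdict marks exactly the packets whose mapping predates the trace, which is what you want to line up against `conntrack -E` output.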