Re: [pmacct-discussion] NAT question

2009-11-11 Thread Karl O. Pinc
On 11/11/2009 11:24:34 PM, JF Cliche wrote:
> Maybe a newbie question, so I'll be brief:
>
> I am behind two NAT routers (Linksys running DD-WRT) with port
> forwarding up to the machine running pmacct, and yet pmacct reports
> SSH traffic to the forwarded port with the public (external,
> non-NATed) addresses. I thought all traffic should be seen as coming
> from the second router private address. Is pmacct (or underlying pcap
> library) getting the public address from extra data encapsulated in
> the TCP packets by the routers or in the SSH protocol?

It's libpcap delivering the datagrams and I've always assumed it's
monitoring what's on the wire.  I want it to.


Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
 -- Robert A. Heinlein


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] NAT question

2009-11-11 Thread Paolo Lucente
Hi JF,

As Karl said, libpcap looks at what's on the wire and pmacct doesn't
get further up in the packet layering. You can always do a quick
check by verifying what tcpdump sees. 

While on NAT & Linux, and perhaps not related to this specific
issue: the uacctd daemon has been introduced in pmacct as of
0.12.0rc3: it relies on the ULOG framework for packet capturing
and should give increased flexibility (prerouting, postrouting,
etc.) in scenarios where one does accounting on the same Linux
box which is also doing the NAT. 

Cheers,
Paolo


On Thu, Nov 12, 2009 at 12:24:34AM -0500, JF Cliche wrote:
> Maybe a newbie question, so I'll be brief:
>
> I am behind two NAT routers (Linksys running DD-WRT) with port
> forwarding up to the machine running pmacct, and yet pmacct reports
> SSH traffic to the forwarded port with the public (external,
> non-NATed) addresses. I thought all traffic should be seen as coming
> from the second router private address. Is pmacct (or underlying pcap
> library) getting the public address from extra data encapsulated in
> the TCP packets by the routers or in the SSH protocol? I've seen the
> opposite problem being discussed in this forum, but not this...
>
> JF
>
>
> --
>
> Jean-François Cliche, Ph.D., P. Eng





Re: [pmacct-discussion] NAT question

2009-11-11 Thread Chris Wilson
Hi JF,

On Thu, 12 Nov 2009, JF Cliche wrote:

> I am behind two NAT routers (Linksys running DD-WRT) with port
> forwarding up to the machine running pmacct, and yet pmacct reports SSH
> traffic to the forwarded port with the public (external, non-NATed)
> addresses. I thought all traffic should be seen as coming from the
> second router private address. Is pmacct (or underlying pcap library)
> getting the public address from extra data encapsulated in the TCP
> packets by the routers or in the SSH protocol? I've seen the opposite
> problem being discussed in this forum, but not this...

NAT usually affects only the source address of outbound connections, and 
the destination address of inbound ones. There's no need for it to change 
the source of your incoming (to the pmacct server) SSH connection, as its 
reply packets will still go back to the SSH client via the router, which 
is necessary in order to have their source IP natted.

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
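
The port-forwarding behaviour discussed in this thread, modelled as an added example (not posted by any list member, and not pmacct or DD-WRT code): two chained routers that rewrite only the destination of inbound packets, so a capture on the inside host still shows the client's public source address, and replies get their source restored on the way back out. The `PortForwardRouter` class and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class PortForwardRouter:
    """Hypothetical router with one port-forward (DNAT) rule and a conntrack table."""
    def __init__(self, wan_ip, fwd_port, inside_ip):
        self.wan_ip, self.fwd_port, self.inside_ip = wan_ip, fwd_port, inside_ip
        self.conntrack = set()  # (client_ip, client_port) of forwarded flows

    def inbound(self, p):
        # DNAT: only the destination address is rewritten; the source is untouched.
        if p.dst == self.wan_ip and p.dport == self.fwd_port:
            self.conntrack.add((p.src, p.sport))
            return replace(p, dst=self.inside_ip)
        raise ValueError("no forwarding rule matches")

    def outbound(self, p):
        # Reply of a tracked flow: restore the address the client originally dialled.
        if (p.dst, p.dport) in self.conntrack and p.src == self.inside_ip:
            return replace(p, src=self.wan_ip)
        raise ValueError("not a tracked flow")

# Constructed topology: client -> outer router -> inner router -> pmacct host.
CLIENT = "203.0.113.10"
OUTER = PortForwardRouter("198.51.100.1", 22, "192.168.1.2")  # forwards to inner WAN
INNER = PortForwardRouter("192.168.1.2", 22, "10.0.0.5")      # forwards to the host

def seen_by_capture():
    """Packet as a libpcap-based capture on the pmacct host would record it."""
    syn = Packet(CLIENT, 40000, OUTER.wan_ip, 22)
    return INNER.inbound(OUTER.inbound(syn))

def seen_by_client():
    """Reply after both routers have reversed their translations."""
    at_host = seen_by_capture()
    reply = Packet(at_host.dst, at_host.dport, at_host.src, at_host.sport)
    return OUTER.outbound(INNER.outbound(reply))

if __name__ == "__main__":
    print("capture on host:", seen_by_capture())
    print("reply at client:", seen_by_client())
```

For accounting or SSH log review this means the source field on the inside host is the real remote peer, not a router address, as long as the routers apply port forwarding without also masquerading inbound traffic.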
