When I remove the first LOG it still does not match the second. Also none of the counters except the ACCEPT counters get incremented. FWIW I thought the LOG target was special in that it returned.

tcpdump shows this...

1. SYN coming in.
2. A DNATed SYN going out.
3. SYN+ACK coming in.
4. Does not show SNATed SYN+ACK going out. This is what I'm LOGing.

--- Martin E Schyth <[EMAIL PROTECTED]> wrote:

> I would suggest this:
>
> The forward chain only handles the first entry that matches the packet.
> So the first entry logs the packet, and therefore never gets to the second
> rule, even though it also matches.
>
> /Martin
>
> -----Original message-----
> From: Mike Mestnik [mailto:[EMAIL PROTECTED]
> Sent: 16 April 2004 22:45
> To: lists.debian.org debian-firewal
> Subject: iptables BUG help me!!
>
> Does this look way odd to any one?
>
> Chain FORWARD (policy ACCEPT 354 packets, 18360 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    37  1900 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8436 LOG flags 0 level 4
>     0     0 REJECT     all  --  *      eth2+   0.0.0.0/0            10.0.0.0/24          reject-with icmp-net-unreachable
>     0     0 DROP       all  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            state INVALID
>     0     0 REJECT     all  --  eth2+  eth2+   0.0.0.0/0            0.0.0.0/0            reject-with icmp-net-unreachable
>  2889  173K ACCEPT     all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0            state NEW
>  4637  553K ACCEPT     all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 LOG        all  --  eth0+  *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 0 level 4
>  4314 1559K ACCEPT     all  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8436 LOG flags 0 level 4
>
> Why does the first log match and the last one not!! These rules were made
> by a "iptables -{I,A} FORWARD -p tcp --sport 8436 -j LOG". I am trying to
> get my "iptables -t nat -A PREROUTING -i $IFACE+ -p tcp --dport 8436 -j DNAT --to-destination 10.0.0.20:8436"
> rule working. Here is some dmesg output.
>
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=202.180.123.192 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8436 DPT=4164 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31805 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0 RES=0x00 ACK RST URGP=0
> IN=eth0 OUT=eth2 SRC=10.0.0.20 DST=65.160.248.169 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=31806 DF PROTO=TCP SPT=8436 DPT=4797 WINDOW=0 RES=0x00 ACK RST URGP=0
>
> Is this a connection tracing problem?
>
> train:/etc/network# iptables -v -n -t nat -L
> Chain PREROUTING (policy ACCEPT 2611 packets, 193K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.0.0.130:8080
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6344 to:10.0.0.25:6344
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6699 to:10.0.0.25:6699
>     0     0 DNAT       udp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            udp dpt:6257 to:10.0.0.25:6257
>   368 19039 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8436 to:10.0.0.20:8436
>     0     0 DNAT       tcp  --  eth2+  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6346 to:10.0.0.20:8436
>
> Chain POSTROUTING (policy ACCEPT 393 packets, 21072 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  2406  145K SNAT       all  --  *      eth2+   0.0.0.0/0            0.0.0.0/0            to:24.245.9.227
>
> Chain OUTPUT (policy ACCEPT 85 packets, 6566 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Hope someone knows the problem.
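As an added example (not code from the thread, from Debian or from the netfilter project), here is a small Python check that parses a chain listing in the `iptables -v -n -L` format quoted above and, for each rule with a zero packet count, names the earlier terminating rules whose protocol, interface and address matches overlap it; LOG is treated as a non-terminating target. It compares only those base columns and ignores the state and port matches, so its output is a list of candidates to inspect by hand, not a proof that a rule is unreachable; the FORWARD text embedded below is the listing from the original post.

```python
import ipaddress

# Targets that end chain traversal for a matched packet; LOG is left out on purpose: it falls through.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

FORWARD = """\
Chain FORWARD (policy ACCEPT 354 packets, 18360 bytes)
 pkts bytes target prot opt in    out   source    destination
   37  1900 LOG    tcp  --  *     *     0.0.0.0/0 0.0.0.0/0   tcp spt:8436 LOG flags 0 level 4
    0     0 REJECT all  --  *     eth2+ 0.0.0.0/0 10.0.0.0/24 reject-with icmp-net-unreachable
    0     0 DROP   all  --  eth2+ *     0.0.0.0/0 0.0.0.0/0   state INVALID
    0     0 REJECT all  --  eth2+ eth2+ 0.0.0.0/0 0.0.0.0/0   reject-with icmp-net-unreachable
 2889  173K ACCEPT all  --  eth0+ *     0.0.0.0/0 0.0.0.0/0   state NEW
 4637  553K ACCEPT all  --  eth0+ *     0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 LOG    all  --  eth0+ *     0.0.0.0/0 0.0.0.0/0   state INVALID LOG flags 0 level 4
 4314 1559K ACCEPT all  --  eth2+ *     0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 LOG    tcp  --  *     *     0.0.0.0/0 0.0.0.0/0   tcp spt:8436 LOG flags 0 level 4
"""

def parse_chain(listing):
    """Parse one chain listing (first two lines are headers) into rule dicts."""
    rules = []
    for f in (line.split() for line in listing.strip().splitlines()[2:]):
        rules.append({"pkts": int(f[0]), "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "src": ipaddress.ip_network(f[7]), "dst": ipaddress.ip_network(f[8]),
                      "extra": " ".join(f[9:])})  # state/port matches: kept but not compared
    return rules

def ifaces_overlap(a, b):
    """'*' is any interface; a trailing '+' makes the name a prefix wildcard."""
    if a == "*" or b == "*" or a == b:
        return True
    return (a.endswith("+") and b.startswith(a[:-1])) or (b.endswith("+") and a.startswith(b[:-1]))

def may_overlap(r, s):
    """True when the base matches (protocol, interfaces, addresses) can share packets."""
    return (("all" in (r["prot"], s["prot"]) or r["prot"] == s["prot"])
            and ifaces_overlap(r["in"], s["in"]) and ifaces_overlap(r["out"], s["out"])
            and r["src"].overlaps(s["src"]) and r["dst"].overlaps(s["dst"]))

def shadowers(rules, idx):
    """Indices of earlier terminating rules that can consume packets before rule idx sees them."""
    return [i for i in range(idx)
            if rules[i]["target"] in TERMINATING and may_overlap(rules[i], rules[idx])]

def starved_rules(listing):
    """Zero-count rules mapped to the earlier terminating rules that may be starving them."""
    rules = parse_chain(listing)
    return {i: shadowers(rules, i) for i, r in enumerate(rules)
            if r["pkts"] == 0 and shadowers(rules, i)}
```

Run against the quoted FORWARD chain, the first LOG rule (index 0) has no terminating rule ahead of it, while the last LOG rule (index 8) sits behind every ACCEPT, DROP and REJECT rule in the chain.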

