On Mon, Jun 10, 2002 at 01:18:12PM +0100, Antony Stone wrote:
> On Monday 10 June 2002 12:45 pm, [EMAIL PROTECTED] wrote:
>
> > :) this is really not the problem, now I am logging all packets, no address
> > specification ;)
> >
> > -A POSTROUTING -p icmp -m icmp --icmp-type 3/4 -j LOG --log-prefix "icmp
> > SNAT POST "
>
> Hmmm. Okay - this is beyond my understanding of netfilter - can anyone else
> suggest why icmp packets going through the machine would get logged and
> processed by PREROUTING and FORWARD but not by POSTROUTING ?
Is it not because of the fact that the very first packet of a conn would go
through the whole nat rule set and as soon as a rule is matched and a conn has
been set up, the subsequent packets of that conn would not go through the
whole rule set but get natted and de-natted by that entry? I thought I read
this somewhere...

So, if you also had a DNAT for that conn in PREROUTING, after the first
initial packet (which sets up the dnat entry), no other packet of that conn
would scan through the PREROUTING rule set including the LOG rule...

However, the filter table is always consulted for each and every packet,
that's why you see the LOG in the FORWARD chain...

Ramin

> Antony.
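The traversal rule Ramin describes, as an added example that is not code from this thread or from netfilter itself: a small Python model in which the nat table's PREROUTING and POSTROUTING chains are walked only for the packet that creates a conntrack entry, later packets of the same connection are translated straight from that entry, and the filter table's FORWARD chain is walked for every packet. The rule set, addresses and packet flow are constructed for illustration, and the model deliberately leaves out reply-direction un-NATing and the RELATED state that conntrack gives ICMP error packets (such as type 3), so it shows the general first-packet rule rather than reproducing the poster's exact ICMP case.

```python
"""Toy model of netfilter table traversal for a NATed connection (added example).

Not kernel code: it only models the rule that nat chains are consulted for the
first packet of a connection, while filter/FORWARD is consulted for every packet.
Addresses, rules and packets below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        """Original 5-tuple; the conntrack entry is indexed by it."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    target: str                      # "LOG", "SNAT", "DNAT" or "ACCEPT"
    match_dst: Optional[str] = None  # optional -d filter
    to: Optional[str] = None         # --to-source / --to-destination
    prefix: str = ""                 # --log-prefix


@dataclass
class Conntrack:
    orig: tuple
    dnat_to: Optional[str] = None
    snat_to: Optional[str] = None


class Netfilter:
    def __init__(self):
        self.nat_prerouting = []
        self.filter_forward = []
        self.nat_postrouting = []
        self.conntrack = {}
        self.log_hits = Counter()   # "<table/chain>:<prefix>" -> number of LOG hits

    def _walk(self, chain, pkt, ct, name):
        """Walk a chain top to bottom. LOG is non-terminating; NAT/ACCEPT terminate."""
        for rule in chain:
            if rule.match_dst and rule.match_dst != pkt.dst:
                continue
            if rule.target == "LOG":
                self.log_hits[f"{name}:{rule.prefix}"] += 1
                continue
            if rule.target == "DNAT":
                ct.dnat_to = rule.to          # mapping is stored in the conntrack entry
            elif rule.target == "SNAT":
                ct.snat_to = rule.to
            return                            # DNAT, SNAT and ACCEPT all end the walk

    def forward(self, pkt):
        """Push one forwarded packet through PREROUTING, FORWARD and POSTROUTING."""
        key = pkt.key()
        new = key not in self.conntrack
        if new:
            ct = self.conntrack[key] = Conntrack(orig=key)
            self._walk(self.nat_prerouting, pkt, ct, "nat/PREROUTING")
        else:
            ct = self.conntrack[key]          # later packets never walk the nat chains
        if ct.dnat_to:
            pkt = Packet(pkt.proto, pkt.src, pkt.sport, ct.dnat_to, pkt.dport)
        self._walk(self.filter_forward, pkt, ct, "filter/FORWARD")   # every packet
        if new:
            self._walk(self.nat_postrouting, pkt, ct, "nat/POSTROUTING")
        if ct.snat_to:
            pkt = Packet(pkt.proto, ct.snat_to, pkt.sport, pkt.dst, pkt.dport)
        return pkt


def run_flow(n_packets=3):
    """Send n packets of one LAN-to-Internet flow through a gateway with a LOG
    rule in each of nat/PREROUTING, filter/FORWARD and nat/POSTROUTING (the
    last one mirrors the poster's rule). Returns (log hit counts, last packet)."""
    nf = Netfilter()
    nf.nat_prerouting = [
        Rule("LOG", prefix="nat PRE "),
        Rule("DNAT", match_dst="203.0.113.10", to="192.168.1.10"),  # does not match this flow
    ]
    nf.filter_forward = [Rule("LOG", prefix="fwd "), Rule("ACCEPT")]
    nf.nat_postrouting = [
        Rule("LOG", prefix="SNAT POST "),
        Rule("SNAT", to="203.0.113.10"),
    ]
    flow = Packet("tcp", "192.168.1.10", 40000, "198.51.100.5", 80)  # constructed sample
    last = None
    for _ in range(n_packets):
        last = nf.forward(flow)
    return nf.log_hits, last


if __name__ == "__main__":
    hits, out = run_flow(3)
    for chain, count in sorted(hits.items()):
        print(f"{chain!r}: {count} packet(s) logged")
    print("egress source after SNAT:", out.src)
```

With three packets the model logs once from nat/PREROUTING and once from nat/POSTROUTING but three times from filter/FORWARD, which is the asymmetry the thread is about. The practical consequence is that a LOG rule in the nat table can only ever report one packet per connection; a rule that should see every packet belongs in the filter or mangle tables, which are walked for all packets, and on current iptables it can still be restricted to NATed traffic with the conntrack match's virtual states (`-m conntrack --ctstate SNAT` or `--ctstate DNAT`), which did not exist in the 2002 `-m state` match.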
