Packets not traversing the POSTROUTING table? - Networking


Thread: Packets not traversing the POSTROUTING table?

  1. Packets not traversing the POSTROUTING table?

    Hi,

    I'm running into a strange issue here. I'm not sure if I have done
    something wrong, or if I am simply misunderstanding things.

    I have added a very simple rule in my POSTROUTING nat table to log all
    packets, but the packets I am looking to find don't show up in my log file.
    If I initiate the packets from the machine itself, (eg: ping www.yahoo.com),
    then I see those packets show up. However, if the machine is simply
    responding to packets from another machine (ex: ping 192.168.101.64 from
    another computer), they don't show up in the POSTROUTING table. I'll see
    the packets show up in the log statement from the OUTPUT filter table, but
    not in the POSTROUTING nat table.

    I was under the impression/understanding that all packets travel through the
    POSTROUTING nat table. Is this incorrect? Do they only traverse that table
    under special circumstances? Do response packets not traverse the
    POSTROUTING table?

    # iptables -F
    # iptables -t nat -I POSTROUTING -j LOG --log-prefix "POSTROUTE"
    # iptables -I OUTPUT -j LOG --log-prefix "OUTPUT"

    I've taken a look at http://www.docum.org/docum.org/kptd/ and from what I
    can tell, all packets are supposed to traverse the POSTROUTING table... Am
    I missing something obvious here?

    I'm running RHEL 4.2, kernel 2.6.9-67.0.4.ELsmp.

    Thanks!

    Eric



    --
    Posted via a free Usenet account from http://www.teranews.com


  2. Re: Packets not traversing the POSTROUTING table?

    Hello,

    Eric B. wrote:
    >
    > I have added a very simple rule in my POSTROUTING nat table to log all
    > packets


    *Beep* The nat table chains see only the first packet of each new
    connection. This means they can see only packets with the state NEW.

    Do not use the nat table for anything but NAT.

  3. Re: Packets not traversing the POSTROUTING table?

    "Pascal Hambourg" wrote in message
    news:ftebu5$1jrj$1@biggoron.nerim.net...
    > Hello,
    >
    > Eric B. wrote:
    >>
    >> I have added a very simple rule in my POSTROUTING nat table to log all
    >> packets

    >
    > *Beep* The nat table chains see only the first packet of each new
    > connection. This means they can see only packets with the state NEW.


    But for connectionless protocols, like ICMP, does that not mean that every
    new ping would have to travel through the nat table chains? I added a log
    rule in the PREROUTE nat table and see all the incoming ICMP ping requests;
    just absolutely nothing in the POSTROUTE nat table....

    > Do not use the nat table for anything but NAT.

    Can one not put logging rules in the nat tables? I put it in the PREROUTE
    table and it seems to work....

    Thanks!

    Eric



  4. Re: Packets not traversing the POSTROUTING table?

    Eric B. wrote:
    >
    >>>I have added a very simple rule in my POSTROUTING nat table to log all
    >>>packets

    >>
    >>*Beep* The nat table chains see only the first packet of each new
    >>connection. This means they can see only packets with the state NEW.

    >
    > But for connectionless protocols, like ICMP, does that not mean that every
    > new ping would have to travel through the nat table chains?


    Yes, unless it is a duplicate (which was not answered).

    > I added a log
    > rule in the PREROUTE nat table and see all the incoming ICMP ping requests;


    Because these are echo requests (type 8).

    > just absolutely nothing in the POSTROUTE nat table....


    Because these are echo replies (type 0). Echo requests create a new
    "connection", echo replies don't.

    As you said in your first message, when you run a ping from the machine
    the LOG rule in POSTROUTING/nat sees outgoing echo requests. However, the
    LOG rule in PREROUTING/nat does not see the echo replies because these
    are ESTABLISHED.

    >>Do not use the nat table for anything but NAT.

    >
    > Can one not put logging rules in the nat tables?


    Of course you can. But you must know what you are doing. If you want to
    log *all* packets, you don't want to put the rules in the nat table.

    > I put it in the PREROUTE table and it seems to work....


    It logs only incoming echo requests, as in POSTROUTING/nat. It doesn't
    log incoming echo replies.
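
The behaviour Pascal describes, as an added simulation that is not code from the thread: a minimal conntrack model in which only the packet that creates an entry traverses the nat table, replayed against Eric's three LOG rules. The addresses are placeholders, and the model covers ICMP echo only.

```python
# Constructed model (not the thread's code) of when netfilter consults the
# nat table: only for the packet that creates a conntrack entry.  Later
# packets of that flow, the reply included, skip it; filter chains see all.
ECHO_REQUEST, ECHO_REPLY = 8, 0
# Hypothetical addresses: Eric's box, a LAN peer and a remote host.
LOCAL, PEER, REMOTE = "192.168.101.64", "192.168.101.10", "203.0.113.5"

def pkt(direction, src, dst, icmp_type, ident):
    return {"dir": direction, "src": src, "dst": dst, "type": icmp_type, "id": ident}

class Conntrack:
    def __init__(self):
        self.entries = set()   # ICMP echo flows keyed on (src, dst, id)

    def classify(self, p):
        """Return (ctstate, whether the nat table is traversed)."""
        if p["type"] == ECHO_REQUEST:
            key = (p["src"], p["dst"], p["id"])
            if key in self.entries:   # unanswered duplicate: still NEW, but the
                return "NEW", False   # first request already set up the NAT mapping
            self.entries.add(key)     # first packet of the flow creates the entry
            return "NEW", True
        key = (p["dst"], p["src"], p["id"])   # reply matches the reversed tuple
        if key in self.entries:
            self.entries.discard(key)         # ICMP conntrack drops the entry on reply
            return "ESTABLISHED", False
        return "INVALID", False

def run(packets):
    """Per packet, the --log-prefix values the thread's three LOG rules emit."""
    ct, logs = Conntrack(), []
    for p in packets:
        _, via_nat = ct.classify(p)
        hit = []
        if p["dir"] == "in":
            if via_nat:
                hit.append("PREROUTE")    # iptables -t nat -I PREROUTING -j LOG
        else:
            hit.append("OUTPUT")          # iptables -I OUTPUT -j LOG: filter sees all
            if via_nat:
                hit.append("POSTROUTE")   # iptables -t nat -I POSTROUTING -j LOG
        logs.append(hit)
    return logs

# Eric's two cases, then a duplicate unanswered request from the peer.
SCENARIO = [
    pkt("in", PEER, LOCAL, ECHO_REQUEST, 1), pkt("out", LOCAL, PEER, ECHO_REPLY, 1),
    pkt("out", LOCAL, REMOTE, ECHO_REQUEST, 2), pkt("in", REMOTE, LOCAL, ECHO_REPLY, 2),
    pkt("in", PEER, LOCAL, ECHO_REQUEST, 3), pkt("in", PEER, LOCAL, ECHO_REQUEST, 3),
]
```

Running `run(SCENARIO)` shows the reply to the peer hitting only OUTPUT, the locally sent request hitting OUTPUT and POSTROUTE, and the duplicate request hitting nothing.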
