Linux - Networking
eth0 with 22.33.44.55 - Internet gw
eth1 with 192.168.1.254 - Intranet gw
Then:
Code:
tcpdump -i eth0 -ne 'net 192.168.1.0/24'
And it sometimes outputs something. It all works generally, but some distinct packets for some reason pass SNAT without the source being altered. These packets definitely reach the next gateway; I see them on the other side as well.
Can you describe it in words, please? Especially the "\!" part.
It must do (and definitely does) NAT for any host from 192.168.1.0/24 to 22.33.44.55; meanwhile I do not want to NAT local traffic; there are no other rules in the NAT table.
Then, sometimes I see on eth0 something like:
Quote:
IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0
I've tried flushing Netfilter's connections with 'conntrack -F' and there is some effect: the number of such packets (with a FIN flag) increased considerably.
How could a subnet exception cause such a problem (= security caveat)? The only reason is an iptables bug, I think; there must be something else more probable.
How would you act as a driver if three passengers in your car start asking you to do different things at once?
You have to give iptables rules that are as simple and effective as possible, and please read about iptables; believe me, it works just fine. It is a perfect driver; the problems are with the passengers.
Because when you say "NAT table" you are really talking about SNAT, which needs specific conditions to function properly. Your condition was confusing and was not single-valued.
I still do not understand your idea: why can a TCP packet like "192.168.1.4.50226 > 74.125.77.19.443" pass POSTROUTING in NAT without any alteration, but would be caught if I remove the local-traffic exclusion?
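An added example, not posted in this thread, that works through the diagnosis the thread is circling. On Linux, the nat table is consulted only for the first packet of a connection; every later packet reuses the mapping stored in conntrack. A TCP segment that conntrack can no longer match to an existing flow and cannot open a new flow with (a late FIN or RST after the entry has timed out or been flushed) is classified INVALID, and INVALID packets never traverse the nat table, so they leave eth0 with their original 192.168.1.x source, exactly like the capture quoted above. 'conntrack -F' discards every entry at once, which is consistent with the leak getting worse after it. The script below parses tcpdump lines from the outside interface like those quoted, counts untranslated TCP packets by flag class, and separates the two possible causes: if only FIN/RST/ACK segments escape, the SNAT rule itself is fine and the fix is to drop INVALID packets before NAT; if SYNs escape as well, the first packet of new flows is not matching the rule, so the rule or its exclusion is wrong. The actual rule is not shown in the thread; the example assumes the usual `-s 192.168.1.0/24 ! -d 192.168.1.0/24 -j SNAT` form. The capture samples are constructed (the thread's lines plus a few made-up ones), the script name is my choice, and it looks at TCP only.

```python
"""Spot packets that escaped SNAT on the Internet-facing interface and say why.

Input is tcpdump text from the outside interface, e.g.
    tcpdump -i eth0 -nn -l 'net 192.168.1.0/24'
Anything seen there with a source still inside the LAN range was not
translated.  The TCP flags of the escapees separate the two causes:
  * only FIN / RST / ACK escape -> conntrack had no entry for the flow, so
    netfilter marked the segment INVALID and skipped the nat table
  * SYNs escape as well         -> the nat table *was* consulted (first
    packet of a flow) and the SNAT rule or its exclusion did not match
TCP only: UDP and ICMP lines are ignored.
"""
import ipaddress
import re
import sys
from collections import Counter

# Address pair plus the flag column.  Handles the classic single-letter
# column ("F 0:0(0) ack 1 ...") and the newer "Flags [F.]" column.
# "." in either form means ACK only.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<new>[^\]]*)\]|(?P<old>[FSRPUEWC.]+)(?=\s))"
)


def parse_line(line):
    """Return (src, dst, flags) for a TCP line; None for UDP/ICMP/noise."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    flags = m.group("new") if m.group("new") is not None else m.group("old")
    return m.group("src"), m.group("dst"), flags.replace(".", "")


def flag_class(flags):
    """Bucket a flag string by the flag that matters for the diagnosis."""
    if "S" in flags:
        return "SYN"
    if "R" in flags:
        return "RST"
    if "F" in flags:
        return "FIN"
    return "ACK/other"


def leak_report(lines, lan="192.168.1.0/24"):
    """Count packets that left with a LAN source, bucketed by flag class."""
    net = ipaddress.ip_network(lan)
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags = parsed
        # Source still private, destination outside the LAN: this packet
        # should have been rewritten to the public address and was not.
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            counts[flag_class(flags)] += 1
    return dict(counts)


def diagnose(report):
    """'none', 'rule' (SNAT rule never matched) or 'conntrack' (INVALID bypass)."""
    if not report:
        return "none"
    if report.get("SYN", 0):
        return "rule"
    return "conntrack"


# Constructed sample: the lines quoted in the thread plus one properly
# translated SYN (source already rewritten to 22.33.44.55) and one UDP
# line, both made up, for contrast.
CAPTURE_FROM_THREAD = """\
IP 22.33.44.55.50226 > 74.125.77.19.443: S 253979000:253979000(0) win 65535
IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0
IP 192.168.1.4.53412 > 8.8.8.8.53: UDP, length 40
""".splitlines()

# Constructed sample of the other failure, in current tcpdump syntax: the
# very first segment of a flow leaves untranslated, so the SNAT rule or
# its assumed "! -d 192.168.1.0/24" exclusion did not match it.
CAPTURE_BAD_RULE = """\
IP 192.168.1.4.41022 > 74.125.77.19.443: Flags [S], seq 1, win 64240, length 0
IP 192.168.1.4.41022 > 74.125.77.19.443: Flags [.], ack 1, win 502, length 0
""".splitlines()

ADVICE = {
    "none": "no untranslated packets seen",
    "conntrack": "late segments of flows conntrack no longer tracks; "
                 "add: iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP",
    "rule": "new flows miss the SNAT rule; re-check the POSTROUTING rule and its exclusion",
}


def main(argv):
    # "natleak.py -" reads a live capture from stdin; no argument runs the sample.
    lines = sys.stdin if argv[1:] == ["-"] else CAPTURE_FROM_THREAD
    report = leak_report(lines)
    verdict = diagnose(report)
    print("untranslated packets by flag class:", report)
    print("verdict:", verdict, "->", ADVICE[verdict])


if __name__ == "__main__":
    main(sys.argv)
```

Against a live box: `tcpdump -i eth0 -nn -l 'net 192.168.1.0/24' | python3 natleak.py -`. For the 'conntrack' verdict the standard rule is `iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP`: it lives in filter FORWARD, which runs before nat POSTROUTING for forwarded traffic, so the late FIN/RST segments are discarded instead of leaking a private source address to the upstream provider. For the same reason, 'conntrack -F' on a live NAT gateway should be avoided, since it turns every in-flight flow's next packet into an INVALID one.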