NATing error: IN= OUT=eth1 SRC=<my external IP> DST=194.117.194.68 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=47
NATing error: IN= OUT=eth1 SRC=<my external IP> DST=136.248.100.11 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=47
NATing error: IN= OUT=eth1 SRC=<my external IP> DST=194.117.194.68 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=47
NATing error: IN= OUT=eth1 SRC=<my external IP> DST=136.248.100.11 LEN=67 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=47
NATing error: IN= OUT=eth1 SRC=<my external IP> DST=194.168.4.100 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=3901 DF PROTO=UDP SPT=1047 DPT=53 LEN=50

obviously something to do with DNS.....

the rule in iptables that causes that message is....

echo "Enableing Masquradeing"
# just for the LAN to external
$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -d $ANY -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -j LOG --log-prefix "NATing error: "

(where $LAN_NET == 192.168.1.0/255.255.255.0 and $ANY = 0.0.0.0/0.0.0.0)

the question is....
should I be worried about this?
should I allow natting to occur from my external IP to the rest of the world?
and if so, can I specify the rules so they DONT rely on my external ip addy?

Thanks for the help,

Bob

NAT is only done if you specify rules for it and if the translation specified in the first rule is all you need, why would you want to have another rule matching the rest?


I'd just leave it out.



By the way, remember that the second rule catches the following:
Internet -> firewall
firewall -> Internet
Internet -> LAN

Might be wrong about this though

I appreciate that... I'm just wondering why iptables is wanting to NAT stuff from my external IP to the net... (dns stuff in this case but it has been other ports...)
or does it send everything that goes through the router to the nat table?

if so, should I explicitly drop the packets from my external IP address in the natting table?

uhhhh.... the only matches I've seen in dmesg is ext IP -> internet...

why would internet -> firewall/lan pass through the natting table?....

<-- n00b btw, if u hadnt guessed :P

Same here I guess. I have been working with iptables for the past few days.
















I gave it some more thought and I think it's like this:







LAN<->internet: PREROUTING(nat)->FORWARD(filter)->POSTROUTING(nat)

LAN/internet->firewall: PREROUTING(nat)->INPUT(filter)

firewall->LAN/internet: OUTPUT(nat)->OUTPUT(filter)->POSTROUTING(nat)



Everything being sent goes through NAT (before or after routing or even both).



So my earlier remark was wrong.

The second rule catches internet->LAN, firewall->LAN and firewall->internet.



I hope I got this right. Is there anybody who can confirm this?