Answer the question
In order to leave comments, you need to log in
V
V
Vladislav_vb2017-06-23 08:11:23
Vladislav_vb, 2017-06-23 08:11:23
Who faced that iptables -j SNAT does not always "natit" packages?
On the external interface, packets are hopped that contain addresses of the internal network in the SRC field, such as 192.168.0.0/24, which reveals the contents of the internal network quite well. The DST field contains the normal address where the packet is sent.
Rules only:
[email protected]:~# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth2 -j SNAT --to-source XX.YY.ZZ.WW
It does not show all packages, but only partially (about 1% approximately, I didn’t count exactly).
1 answer(s)
@Mystray
M
Mystray, 2017-06-23 @Mystray
Only the first packet from each connection passes through -t nat, and it must be in the NEW contrack state, all other "discarded" packets within the connection do not "visually" pass through this table, and are not counted, although they are natted.
And if you initially have packets flying in the "INVALID" state, then they will also not go through -t nat. Don't like this behavior-I FORWARD -m state --state INVALID -j DROP
Similar questions
M
S
V
M
Maxim Vyaznikov2016-10-26 01:04:29
Debian 8, how to properly increase LimitNOFILE in systemd?
2Reply
A
Alexey Cheremisin2014-10-28 16:30:59
Should I start with the default exim config in debian 7.0?
2Reply
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question