can you post the complete ruleset (iptables -vL -n && iptables -t nat -vL -n) + routing table on the firewall box?<br><br><br><br><div class="gmail_quote">On Wed, Apr 9, 2008 at 3:29 PM, JK <<a href="mailto:jknapka@kneuro.net">jknapka@kneuro.net</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I am having this same problem again, and I'm just as baffled.<br>
Flushing and restoring the iptables rules isn't helping this<br>
time.<br>
<br>
It appears that some packets are leaving the firewall box<br>
without traversing the POSTROUTING chain. WTF? I think<br>
I need to spend some time on <a href="http://lartc.org" target="_blank">lartc.org</a> this afternoon :-(<br>
<font color="#888888"><br>
-- JK<br>
</font><div><div></div><div class="Wj3C7c"><br>
JK wrote:<br>
> This is driving me nuts.<br>
><br>
> I have a device that is sending UDP packets from IP<br>
> address <a href="http://128.2.1.125" target="_blank">128.2.1.125</a>, thru my firewall, and out the<br>
> firewall's eth2 to port 7777 at IP <a href="http://192.168.1.10" target="_blank">192.168.1.10</a>. What<br>
> I want is to SNAT those packets so that the receiver<br>
> sees them as coming from <a href="http://128.1.110.104" target="_blank">128.1.110.104</a>. So on the firewall<br>
> box I do:<br>
><br>
> iptables -t nat -I POSTROUTING -o eth2 -s <a href="http://128.2.1.125" target="_blank">128.2.1.125</a> -j SNAT<br>
> --to-source <a href="http://128.1.110.104" target="_blank">128.1.110.104</a><br>
><br>
> This rule never fires. (A similar rule with the "-j SNAT..."<br>
> replaced with "-j LOG" also never fires.) I can run a tcpdump<br>
> on eth2 and see these **(&%^$ packets leaving with source address<br>
> <a href="http://128.2.1.125" target="_blank">128.2.1.125</a>. I know I had this working before, but I have no idea<br>
> how, and I can't really afford to pull out any more of my precious,<br>
> precious hair. Google has not answered this question; it's dead<br>
> to me now. Help?<br>
><br>
> Thx,<br>
><br>
> -- JK<br>
><br>
> PS: AAAAAAAAAARGH!!!!!<br>
><br>
<br>
<br>
--<br>
I do not particularly want to go where the money is -<br>
it usually does not smell nice there. -- A. Stepanov<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
</div></div></blockquote></div><br>