* pktstat and netfilter
@ 2003-08-05  7:52 Edmund
  2003-08-05  8:31 ` Cedric Blancher
  0 siblings, 1 reply; 4+ messages in thread
From: Edmund @ 2003-08-05  7:52 UTC
  To: Netfilter

Hi,

I'm running iptables (latest version) on a 2.4.21
Linux machine.  I use pktstat to view the general
packet movement.  Setup as follows:

Internet -> eth0 (<- iptables ->) eth1 -> LAN

I'm not sure where pktstat comes into play in
the above chart.

Anyway, today I was majorly surprised to see
a Local IP sending a packet to a remote LAN
on port 80.

    tcp  192.168.10.3:2041 <-> x.x.x.x:80


Is this supposed to happen?  Assuming that
pktstat listens to the resulting packet
after NAT'd, shouldn't the 192.168.10.3
be my actual Internet IP?

Any help appreciated.






* Re: pktstat and netfilter
  2003-08-05  7:52 pktstat and netfilter Edmund
@ 2003-08-05  8:31 ` Cedric Blancher
  2003-08-06  4:02   ` Edmund
  0 siblings, 1 reply; 4+ messages in thread
From: Cedric Blancher @ 2003-08-05  8:31 UTC
  To: Edmund; +Cc: Netfilter

On Tue 05/08/2003 at 09:52, Edmund wrote:
> Anyway, today I was majorly surprised to see
> a Local IP sending a packet to a remote LAN
> on port 80.
>     tcp  192.168.10.3:2041 <-> x.x.x.x:80
> Is this supposed to happen?  Assuming that
> pktstat listens to the resulting packet
> after NAT'd, shouldn't the 192.168.10.3
> be my actual Internet IP?

AFAIK, libpcap captures outgoing traffic at the last routing point, i.e.
before the NF_IP_POST_ROUTING hook. Thus, the packets you get are not yet
SNATed.
I think it's merely the same for inbound traffic (need someone to
confirm), which is captured after the NF_IP_PRE_ROUTING hook, and so is
already DNATed.

It's quite weird, as one would like to capture the very traffic that is
sent to the wire or traffic received from the wire unaltered, whatever the
active ruleset.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: pktstat and netfilter
  2003-08-05  8:31 ` Cedric Blancher
@ 2003-08-06  4:02   ` Edmund
  2003-08-06  6:33     ` Cedric Blancher
  0 siblings, 1 reply; 4+ messages in thread
From: Edmund @ 2003-08-06  4:02 UTC
  To: Netfilter

Cedric Blancher wrote:

> It's quite weird as one would like to capture the very traffic that is
> sent to the wire or traffic received from the wire unaltered, whatever
> active ruleset.
> 

What's even weirder is that during a www session, most of the
packets would originate from my NAT firewall's IP, but one
or two (in a sequence) would show a LAN IP.

I'm confused as to why this is happening.

Has anyone encountered something similar?







* Re: pktstat and netfilter
  2003-08-06  4:02   ` Edmund
@ 2003-08-06  6:33     ` Cedric Blancher
  0 siblings, 0 replies; 4+ messages in thread
From: Cedric Blancher @ 2003-08-06  6:33 UTC
  To: Edmund; +Cc: Netfilter

On Wed 06/08/2003 at 06:02, Edmund wrote:
> Cedric Blancher wrote:
> > It's quite weird as one would like to capture the very traffic that is
> > sent to the wire or traffic received from the wire unaltered, whatever
> > active ruleset.
> What's even weirder is that during a www session, most of the
> packets would originate from my NAT firewall's IP, but one
> or two (in a sequence) would show a LAN IP.

Have to check what I was telling you before. Have a big big doubt about
it...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
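
The mix described in the thread (most flows showing the NAT firewall's address, a few showing a LAN address) can be separated mechanically from saved pktstat output. This is an added example, not part of the original thread: the flow-line format is the one quoted above, while the NAT address 203.0.113.7 and the sample lines are constructed.

```python
import ipaddress
import re

# Flow line in the form quoted in the thread: "tcp  192.168.10.3:2041 <-> x.x.x.x:80"
FLOW_RE = re.compile(r"^\s*(tcp|udp)\s+(\S+):(\d+)\s+<->\s+(\S+):(\d+)\s*$")

# Explicit RFC 1918 ranges; ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow(line):
    """Return (proto, (addr, port), (addr, port)), or None for non-flow lines."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    proto, a, a_port, b, b_port = m.groups()
    return proto, (a, int(a_port)), (b, int(b_port))

def is_private(addr):
    """True for RFC 1918 addresses; masked text such as x.x.x.x is False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def classify(lines, nat_ip):
    """Group flows seen at one capture point by the address they expose."""
    result = {"translated": [], "untranslated": [], "other": []}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                      # header or summary line
        addrs = (flow[1][0], flow[2][0])
        if any(is_private(a) for a in addrs):
            result["untranslated"].append(line.strip())
        elif nat_ip in addrs:
            result["translated"].append(line.strip())
        else:
            result["other"].append(line.strip())
    return result

# Constructed sample; the last line stands in for any non-flow output.
SAMPLE = """\
tcp  203.0.113.7:2040 <-> x.x.x.x:80
tcp  192.168.10.3:2041 <-> x.x.x.x:80
tcp  203.0.113.7:2042 <-> x.x.x.x:80
(constructed non-flow line)
"""

if __name__ == "__main__":
    for kind, flows in classify(SAMPLE.splitlines(), "203.0.113.7").items():
        print(kind, len(flows), flows)
```

Running the same classification on output captured separately on eth0 and on eth1 shows which interface the LAN-addressed flows were observed on.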

