From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Tyler J. Wagner"
Subject: Re:
Date: Tue, 23 Aug 2011 12:35:18 +0100
Message-ID: <4E539076.1070609@tolaris.com>
References: <4E536427.2040503@ngs.ru> <4E5385EB.9040808@tolaris.com> <4E538A10.3030508@runoguy.ru>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <4E538A10.3030508@runoguy.ru>
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"
To: Ellad Yatsko
Cc: netfilter@vger.kernel.org

On 2011-08-23 12:08, Ellad Yatsko wrote:
> The main problem is that DNAT does not work as I expect. It seems to me there is an
> implicit additional DNAT rule for SNAT, and because of it *my* DNAT rule does not
> work. Could you show me how it could be "switched off"? :-)

It's not an implicit rule. If either rule matches the FIRST time the traffic is
seen, it will become an established connection. NAT will be applied to it in both
directions.

See the current list of tracked connections with:

cat /proc/net/ip_conntrack

Don't run that on a system with a lot of traffic. You'll get one line for each
session. For 1000 sessions, that's manageable. For 500,000, it will block the
terminal for a long time.

Regards,
Tyler

-- 
"The map is not the territory." -- Alfred Korzybski
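As an added example that is not part of this thread (it is neither Tyler's nor the netfilter project's code): a small parser for lines in the /proc/net/ip_conntrack format that reads the original and reply tuples of each tracked connection and flags the entries where NAT is in effect, which is the "established connection, NAT applied in both directions" state described above. The sample lines, their addresses and ports are constructed for the example, not captured from a real host; the field names (src, dst, sport, dport, [ASSURED], [UNREPLIED]) are the ones the kernel writes.

```python
import re
from typing import Dict, List, Optional

# One key=value token, e.g. src=10.0.0.1 or dport=80.
_KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in the /proc/net/ip_conntrack layout (not taken
# from a real gateway). Each line carries two tuples: first the tuple as the
# packet arrived (original direction), then the tuple a reply packet will
# carry. The packets=/bytes= accounting fields are optional in the real file.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.20 sport=40001 dport=80 packets=12 bytes=900 src=203.0.113.20 dst=198.51.100.5 sport=80 dport=40001 packets=10 bytes=12000 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=198.51.100.77 dst=198.51.100.5 sport=51000 dport=8080 [UNREPLIED] src=192.168.1.50 dst=198.51.100.77 sport=8080 dport=51000 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one conntrack line; return None for lines we cannot interpret."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    proto = tokens[0]
    timeout = int(tokens[2])
    # TCP lines carry a state name (ESTABLISHED, SYN_SENT, ...) before the
    # first tuple; UDP lines go straight to src=.
    state = None
    if len(tokens) > 3 and "=" not in tokens[3] and not tokens[3].startswith("["):
        state = tokens[3]

    tuples: List[Dict[str, str]] = []
    flags: List[str] = []
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok.strip("[]"))
            continue
        m = _KV.fullmatch(tok)
        if not m:
            continue
        key, val = m.groups()
        if key == "src":
            tuples.append({})          # a new src= starts the next tuple
        if tuples and key in ("src", "dst", "sport", "dport"):
            tuples[-1][key] = val
    if len(tuples) != 2:
        return None
    orig, reply = tuples

    # Without NAT the reply tuple is the mirror image of the original:
    # reply.src == orig.dst and reply.dst == orig.src. A difference in the
    # first pair means the destination was rewritten (DNAT); a difference in
    # the second means the source was rewritten (SNAT).
    return {
        "proto": proto,
        "timeout": timeout,
        "state": state,
        "orig": orig,
        "reply": reply,
        "assured": "ASSURED" in flags,
        "unreplied": "UNREPLIED" in flags,
        "dnat": orig.get("dst") != reply.get("src"),
        "snat": orig.get("src") != reply.get("dst"),
    }


def parse_conntrack(text: str) -> List[Dict[str, object]]:
    """Parse a whole conntrack dump (one line per tracked session)."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def summarize(entries: List[Dict[str, object]]) -> Dict[str, int]:
    """Count sessions and how many have each kind of translation applied."""
    return {
        "total": len(entries),
        "dnat": sum(1 for e in entries if e["dnat"]),
        "snat": sum(1 for e in entries if e["snat"]),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
    }


if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE_CONNTRACK):
        print(e["proto"], e["state"], "DNAT" if e["dnat"] else "-", "SNAT" if e["snat"] else "-")
    print(summarize(parse_conntrack(SAMPLE_CONNTRACK)))
```

On a live gateway, feed the function the contents of /proc/net/ip_conntrack (or /proc/net/nf_conntrack on newer kernels) read once into a string, keeping in mind the cost Tyler notes above: the dump is one line per session, so on a box with hundreds of thousands of sessions even reading it once is a heavy operation.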