On Wed, 2007-05-09 at 16:15 -0700, Tom Eastep wrote:
> Once the conntrack table entry is built, there is no further need of the
> nat table rules.
Ahhh. So you are saying that conntrack then does the natting necessary?
So if I add a new rule such as:
[EMAIL PROTECTED]:~# iptables -t mangle -I tcpre -p udp --dport 4569 -j MARK --set-mark 0x80
So that it gets SNATted with the right source address with:
Chain ppp0_masq (1 references)
 pkts bytes target     prot opt in  out  source          destination
    0     0 MASQUERADE all  --  *   *    10.75.22.0/24   0.0.0.0/0
    0     0 SNAT       all  --  *   *    72.38.139.100   0.0.0.0/0    to:66.11.173.224
But already have a conntrack entry such as:
udp 17 175 src=10.75.22.3 dst=AA.BB.CCC.DDD sport=4569 dport=4569 src=AA.BB.CCC.DDD dst=72.38.139.100 sport=4569 dport=4569 [ASSURED] use=1 mark=64 bytes=8097545
The SNATting will never actually happen then? Is there any way, short
of stopping the application that is continuing to send the packets, to
destroy that connection so that it's recreated with the right addresses and
mark?
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
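As an added illustration (not part of this thread or of Shorewall), a small Python script that parses entries in the /proc/net/ip_conntrack layout quoted above and flags the ones whose reply-side destination was fixed under the old SNAT address, so they will keep bypassing the new rule until the entry is removed. The sample table and the 203.0.113.9 peer address are constructed; the conntrack(8) command it builds assumes conntrack-tools is installed and is only printed, not executed.

```python
import re
from typing import Dict, List

# Constructed sample in the /proc/net/ip_conntrack layout quoted in the mail.
# The peer address the mail redacts as AA.BB.CCC.DDD is replaced by the
# documentation address 203.0.113.9; the other addresses are the mail's own.
SAMPLE_CONNTRACK = """\
udp      17 175 src=10.75.22.3 dst=203.0.113.9 sport=4569 dport=4569 src=203.0.113.9 dst=72.38.139.100 sport=4569 dport=4569 [ASSURED] use=1 mark=64 bytes=8097545
udp      17 29 src=10.75.22.3 dst=203.0.113.9 sport=4570 dport=4569 src=203.0.113.9 dst=66.11.173.224 sport=4569 dport=4570 [ASSURED] use=1 mark=128 bytes=512
tcp      6 431999 ESTABLISHED src=10.75.22.7 dst=203.0.113.50 sport=40000 dport=80 src=203.0.113.50 dst=72.38.139.100 sport=80 dport=40000 [ASSURED] use=1 mark=0 bytes=2048
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line: str) -> Dict[str, str]:
    """Split one conntrack line into its original/reply tuple fields.
    The first src/dst/sport/dport group is the original direction; the
    second is the reply direction, which already carries the NAT result."""
    entry = {"proto": line.split()[0], "mark": "0"}
    addrs: List[str] = []
    for key, value in KV.findall(line):
        if key in ("src", "dst"):
            addrs.append(value)
        elif key in ("sport", "dport") and key not in entry:
            entry[key] = value          # first occurrence = original direction
        elif key == "mark":
            entry["mark"] = value
    (entry["orig_src"], entry["orig_dst"],
     entry["reply_src"], entry["reply_dst"]) = addrs
    return entry

def stale_entries(table: str, proto: str, dport: str, snat_to: str) -> List[Dict[str, str]]:
    """Entries the new rule should cover but whose reply destination (the
    source address chosen when the entry was created) is not snat_to."""
    return [e for e in map(parse_entry, filter(None, table.splitlines()))
            if e["proto"] == proto and e["dport"] == dport and e["reply_dst"] != snat_to]

def delete_command(e: Dict[str, str]) -> str:
    """conntrack(8) invocation that removes the entry so the next packet
    builds a fresh one under the current nat/mangle rules (assumption:
    conntrack-tools is installed; this only builds the string)."""
    return (f"conntrack -D -p {e['proto']} --orig-src {e['orig_src']} "
            f"--orig-dst {e['orig_dst']} --sport {e['sport']} --dport {e['dport']}")

if __name__ == "__main__":
    for e in stale_entries(SAMPLE_CONNTRACK, "udp", "4569", "66.11.173.224"):
        print(f"mark={e['mark']} reply_dst={e['reply_dst']}  ->  {delete_command(e)}")
```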
