Chris's Wiki :: blog/linux/NATLackOfUnderstanding Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/NATLackOfUnderstanding?atomcomments
Recent comments in Chris's Wiki :: blog/linux/NATLackOfUnderstanding. Feed updated 2016-09-13T19:17:08Z.

By nobody on /blog/linux/NATLackOfUnderstanding (2016-09-13T19:17:08Z)
<div class="wikitext"><p>nftables is the replacement for iptables and it's supposed to have nicer syntax. Sadly, few people know it and the documentation (including "Google documentation") plain sucks. But if you are going to learn a tool you may as well bother learning the newer tool.</p>
</div>

By James on /blog/linux/NATLackOfUnderstanding (2016-09-13T12:36:13Z)
<div class="wikitext"><p>The magic you want is <code>sysctl net.netfilter.nf_log.2=ipt_LOG</code>, as by default now the <a href="https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg17376.html">netfilter logs end up in ulogd</a> (don't ask me when it changed, and making ulog work is left as an exercise for the reader).</p>
</div>

By abc on /blog/linux/NATLackOfUnderstanding (2016-09-13T12:17:16Z)
<div class="wikitext"><p>And we still have another new beast: nftables.</p>
</div>

By Ewen McNeill on /blog/linux/NATLackOfUnderstanding (2016-09-13T11:14:35Z)
<div class="wikitext"><p>FWIW my solution to your immediate problem is to run an HTTP proxy on the far end of the tunnel and simply tell the local browser to use that. I do that a bunch when travelling.</p>
<p>As for NAT and iptables/routing, and particularly VPN routing (which with IPsec is its own piece of magic), that's particularly complicated on Linux. You probably want to ensure you're doing pre-routing NAT, and may still need routing rules and several routing tables to get something understandable. So I'd put out the HTTP fire first, then figure out a better strategy.</p>
<p>Ewen</p>
</div>