Re: 2.4 SNAT fails randomly

[Tim Gardner <timg@tpi.com>]

I've been thinking more about this scenario. When a standard distribution like 
SuSE-9.0 boots, the interfaces are  IFF_UP sometime before firewall rules are 
installed. This is particularly a problem in the case of a NAT router. Is 
there any way to flush /proc/net/ip_conntrack to make sure that you get rid 
of entries that were established between the time the interfaces were brought 
up and the time the rules were installed? Removing the ip_conntrack modules 
seems kind of brute force, and does not work on kernels where ip_conntrack is 
not a module.

rtg

On Sunday 16 November 2003 09:53, Tim Gardner wrote:
> Balazs,
>
> You are exactly correct. I swapped the interface creation statements with
> the iptables rules so that the rules were in place before any packets could
> be received from the interior net. In fact, I had to make sure that the
> interior net interface was down. Otherwise it would make an entry in
> ip_conntrack, regardless of the IP address of the interior interface.
>
> Thanks for your help.
>
> rtg
>
> On Sunday 16 November 2003 02:52, Balazs Scheidler wrote:
> > NAT mappings are established for NEW connections only, isn't it possible
> > that your client sent an NTP request while your rule was not yet
> > established? This means that it is entered the CONNTRACK table without
> > the NAT manip and anything that comes later is not NATed as it is not a
> > fresh CONNTRACK.
> >
> > Try filtering this traffic for 180secs and see it disappear from
> > /proc/net/ip_conntrack, then remove the filtering and check whether it
> > traversed the  nat/POSTROUTING chain.

-- 
Tim Gardner - timg@tpi.com
www.tpi.com 406-443-5357