* Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
@ 2003-10-23 0:58 Evan Harris
2003-10-23 2:37 ` Patrick McHardy
2003-10-23 17:09 ` Henrik Nordstrom
0 siblings, 2 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-23 0:58 UTC (permalink / raw)
To: netfilter; +Cc: netfilter-devel
I'm trying to setup a linux kernel box that is on an ip-ip vpn tunnel, and
want to DNAT all traffic (except the tunnel payload packets) for the "real"
ip of the other tunnel endpoint to go to its in-tunnel endpoint (so they are
properly encrypted).
The machine in question has a default route going to the tunnel device
(tun0), and a host specific route going out a different device (wlan0) so
the tunnel datagrams can get to the tunnel server.
After setting up the output DNAT, it is correctly rewriting the packets to
go to the in tunnel address. However, after the rewrite, the kernel is
disregarding the routing that says that packets to the in-tunnel address
should go to the tun0 device, and instead is trying to send them out the
original device the packets would have gone out if they had not been
dnat'ed (wlan0).
According to the documentation for iptables, it appears that the OUTPUT
chain on the nat table should happen before the routing decision is made,
but that appears to not be the case. Is this a bug, or are the docs wrong?
And if the docs are wrong, what is the correct way to accomplish this?
I am using a stock linux kernel 2.4.20, with iptables 1.2.8.
Evan
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 0:58 Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd) Evan Harris
@ 2003-10-23 2:37 ` Patrick McHardy
2003-10-23 16:30 ` Evan Harris
2003-10-23 17:09 ` Henrik Nordstrom
1 sibling, 1 reply; 12+ messages in thread
From: Patrick McHardy @ 2003-10-23 2:37 UTC (permalink / raw)
To: Evan Harris; +Cc: netfilter, netfilter-devel
Evan Harris wrote:
>I am using a stock linux kernel 2.4.20, with iptables 1.2.8.
>
>
>
Try 2.4.22 first, there were countless changes, some related to
routing.
Best regards,
Patrick
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 2:37 ` Patrick McHardy
@ 2003-10-23 16:30 ` Evan Harris
0 siblings, 0 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-23 16:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter, netfilter-devel
Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
exhibited.
To recap the problem:
Packets being nat'd on the OUTPUT chain of a machine are still being sent on
the same interface they would have without the nat, and ignoring the route
that aims them to the right iface for that dest addr.
Evan
On Thu, 23 Oct 2003, Patrick McHardy wrote:
> Evan Harris wrote:
>
> >I am using a stock linux kernel 2.4.20, with iptables 1.2.8.
> >
> >
> >
> Try 2.4.22 first, there were countless changes, some related to
> routing.
>
> Best regards,
> Patrick
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
@ 2003-10-23 16:30 ` Evan Harris
0 siblings, 0 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-23 16:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter, netfilter-devel
Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
exhibited.
To recap the problem:
Packets being nat'd on the OUTPUT chain of a machine are still being sent on
the same interface they would have without the nat, and ignoring the route
that aims them to the right iface for that dest addr.
Evan
On Thu, 23 Oct 2003, Patrick McHardy wrote:
> Evan Harris wrote:
>
> >I am using a stock linux kernel 2.4.20, with iptables 1.2.8.
> >
> >
> >
> Try 2.4.22 first, there were countless changes, some related to
> routing.
>
> Best regards,
> Patrick
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 16:30 ` Evan Harris
(?)
@ 2003-10-23 17:16 ` Patrick McHardy
2003-10-23 18:25 ` Evan Harris
-1 siblings, 1 reply; 12+ messages in thread
From: Patrick McHardy @ 2003-10-23 17:16 UTC (permalink / raw)
To: Evan Harris; +Cc: netfilter, netfilter-devel
I tried 2.4 and 2.6 with DNAT to 127.0.0.1. The packets were sent on the
loopback device as expected. Please send some more information about
your specific setup.
Best regards,
Patrick
Evan Harris wrote:
>Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
>exhibited.
>
>To recap the problem:
>
>Packets being nat'd on the OUTPUT chain of a machine are still being sent on
>the same interface they would have without the nat, and ignoring the route
>that aims them to the right iface for that dest addr.
>
>Evan
>
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 17:16 ` Patrick McHardy
@ 2003-10-23 18:25 ` Evan Harris
0 siblings, 0 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-23 18:25 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter, netfilter-devel
Debian kernel-image-2.4.22 built from source from 2.4.22-3.
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:D0:C9:17:65:93
inet addr:10.1.16.2 Bcast:10.1.16.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1060 (1.0 KiB) TX bytes:1060 (1.0 KiB)
tun0 Link encap:Point-to-Point Protocol
inet addr:172.31.255.16 P-t-P:172.31.255.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
RX packets:282 errors:0 dropped:0 overruns:0 frame:0
TX packets:172 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:14982 (14.6 KiB) TX bytes:12326 (12.0 KiB)
wlan0 Link encap:Ethernet HWaddr 00:02:6F:03:AE:8C
inet addr:172.31.100.10 Bcast:172.31.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1742 errors:0 dropped:0 overruns:0 frame:0
TX packets:2368 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:204216 (199.4 KiB) TX bytes:169780 (165.8 KiB)
Interrupt:3 Base address:0x100
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.100.100.101 172.31.100.1 255.255.255.255 UGH 0 0 0 wlan0
172.31.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.31.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
10.1.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 172.31.255.1 0.0.0.0 UG 0 0 0 tun0
# iptables -V
iptables v1.2.8
# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4 packets, 770 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 88 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 88 ACCEPT udp -- * * 0.0.0.0/0 10.100.100.101 udp spt:49900 dpts:49900:49999
6 398 DNAT udp -- * * 0.0.0.0/0 10.100.100.101 to:172.31.255.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.100.100.101 to:172.31.255.1
# iptables -L OUTPUT -v
Chain OUTPUT (policy ACCEPT 191 packets, 13084 bytes)
pkts bytes target prot opt in out source destination
203 26024 ACCEPT udp -- any wlan0 anywhere anywhere udp spt:49900
0 0 ACCEPT udp -- any wlan0 anywhere anywhere udp spt:bootpc dpt:bootps
0 0 ACCEPT icmp -- any wlan0 anywhere anywhere
6 398 LOG all -- any wlan0 anywhere anywhere LOG level warning
6 398 DROP all -- any wlan0 anywhere anywhere
Attempting an nslookup to the nameserver on 10.100.100.101, which is
DNAT'ed to 172.31.255.1 produces these from the wlan0 LOG rule:
IN= OUT=wlan0 SRC=172.31.255.16 DST=172.31.255.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=31034 DF PROTO=UDP SPT=1024 DPT=53 LEN=45
IN= OUT=wlan0 SRC=172.31.255.16 DST=172.31.255.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=31034 DF PROTO=UDP SPT=1024 DPT=53 LEN=45
...
Networking and Netfilter sections from kernel config:
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_LOCAL=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_FTP=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IPV6 is not set
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
Evan
On Thu, 23 Oct 2003, Patrick McHardy wrote:
> I tried 2.4 and 2.6 with DNAT to 127.0.0.1. The packets were sent on the
> loopback device as expected. Please send some more information about
> your specific setup.
>
> Best regards,
> Patrick
>
> Evan Harris wrote:
>
> >Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
> >exhibited.
> >
> >To recap the problem:
> >
> >Packets being nat'd on the OUTPUT chain of a machine are still being sent on
> >the same interface they would have without the nat, and ignoring the route
> >that aims them to the right iface for that dest addr.
> >
> >Evan
> >
> >
> >
> >
>
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
@ 2003-10-23 18:25 ` Evan Harris
0 siblings, 0 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-23 18:25 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter, netfilter-devel
Debian kernel-image-2.4.22 built from source from 2.4.22-3.
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:D0:C9:17:65:93
inet addr:10.1.16.2 Bcast:10.1.16.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1060 (1.0 KiB) TX bytes:1060 (1.0 KiB)
tun0 Link encap:Point-to-Point Protocol
inet addr:172.31.255.16 P-t-P:172.31.255.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1255 Metric:1
RX packets:282 errors:0 dropped:0 overruns:0 frame:0
TX packets:172 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:14982 (14.6 KiB) TX bytes:12326 (12.0 KiB)
wlan0 Link encap:Ethernet HWaddr 00:02:6F:03:AE:8C
inet addr:172.31.100.10 Bcast:172.31.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1742 errors:0 dropped:0 overruns:0 frame:0
TX packets:2368 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:204216 (199.4 KiB) TX bytes:169780 (165.8 KiB)
Interrupt:3 Base address:0x100
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.100.100.101 172.31.100.1 255.255.255.255 UGH 0 0 0 wlan0
172.31.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.31.100.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
10.1.16.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 172.31.255.1 0.0.0.0 UG 0 0 0 tun0
# iptables -V
iptables v1.2.8
# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4 packets, 770 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 88 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 88 ACCEPT udp -- * * 0.0.0.0/0 10.100.100.101 udp spt:49900 dpts:49900:49999
6 398 DNAT udp -- * * 0.0.0.0/0 10.100.100.101 to:172.31.255.1
0 0 DNAT tcp -- * * 0.0.0.0/0 10.100.100.101 to:172.31.255.1
# iptables -L OUTPUT -v
Chain OUTPUT (policy ACCEPT 191 packets, 13084 bytes)
pkts bytes target prot opt in out source destination
203 26024 ACCEPT udp -- any wlan0 anywhere anywhere udp spt:49900
0 0 ACCEPT udp -- any wlan0 anywhere anywhere udp spt:bootpc dpt:bootps
0 0 ACCEPT icmp -- any wlan0 anywhere anywhere
6 398 LOG all -- any wlan0 anywhere anywhere LOG level warning
6 398 DROP all -- any wlan0 anywhere anywhere
Attempting an nslookup to the nameserver on 10.100.100.101, which is
DNAT'ed to 172.31.255.1 produces these from the wlan0 LOG rule:
IN= OUT=wlan0 SRC=172.31.255.16 DST=172.31.255.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=31034 DF PROTO=UDP SPT=1024 DPT=53 LEN=45
IN= OUT=wlan0 SRC=172.31.255.16 DST=172.31.255.1 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=31034 DF PROTO=UDP SPT=1024 DPT=53 LEN=45
...
Networking and Netfilter sections from kernel config:
#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_IP_ROUTE_FWMARK is not set
CONFIG_IP_ROUTE_NAT=y
# CONFIG_IP_ROUTE_MULTIPATH is not set
# CONFIG_IP_ROUTE_TOS is not set
# CONFIG_IP_ROUTE_VERBOSE is not set
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
# CONFIG_INET_ECN is not set
# CONFIG_SYN_COOKIES is not set
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
# CONFIG_IP_NF_MATCH_MULTIPORT is not set
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_DSCP is not set
# CONFIG_IP_NF_MATCH_AH_ESP is not set
# CONFIG_IP_NF_MATCH_LENGTH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
# CONFIG_IP_NF_MATCH_TCPMSS is not set
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_NAT_LOCAL=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_FTP=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=y
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IPV6 is not set
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
# CONFIG_VLAN_8021Q is not set
Evan
On Thu, 23 Oct 2003, Patrick McHardy wrote:
> I tried 2.4 and 2.6 with DNAT to 127.0.0.1. The packets were sent on the
> loopback device as expected. Please send some more information about
> your specific setup.
>
> Best regards,
> Patrick
>
> Evan Harris wrote:
>
> >Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
> >exhibited.
> >
> >To recap the problem:
> >
> >Packets being nat'd on the OUTPUT chain of a machine are still being sent on
> >the same interface they would have without the nat, and ignoring the route
> >that aims them to the right iface for that dest addr.
> >
> >Evan
> >
> >
> >
> >
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 16:30 ` Evan Harris
(?)
(?)
@ 2003-10-23 17:29 ` Jeffrey Laramie
2003-10-28 13:44 ` Evan Harris
-1 siblings, 1 reply; 12+ messages in thread
From: Jeffrey Laramie @ 2003-10-23 17:29 UTC (permalink / raw)
To: netfilter, netfilter-devel
Evan Harris wrote:
>Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
>exhibited.
>
>To recap the problem:
>
>Packets being nat'd on the OUTPUT chain of a machine are still being sent on
>the same interface they would have without the nat, and ignoring the route
>that aims them to the right iface for that dest addr.
>
>Evan
>
>
>
I haven't seen the rest of this thread, so I may have missed something,
but why are you doing DNAT on the nat OUTPUT chain? DNAT is usually done
on the nat PREROUTING chain and SNAT on the POSTROUTING chain. Anything
done in filter OUTPUT, mangle POSTROUTING, or nat POSTROUTING could
change the direction of your packets before they leave your host.
Jeff
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 17:29 ` Jeffrey Laramie
@ 2003-10-28 13:44 ` Evan Harris
0 siblings, 0 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-28 13:44 UTC (permalink / raw)
To: Jeffrey Laramie; +Cc: netfilter, netfilter-devel
The PREROUTING chain is only traversed for packets being forwarded through a
host, not locally generated connections. According to the docs, in order to
DNAT local conns, it must be done in the OUTPUT chain.
Evan
On Thu, 23 Oct 2003, Jeffrey Laramie wrote:
> Evan Harris wrote:
>
> >Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
> >exhibited.
> >
> >To recap the problem:
> >
> >Packets being nat'd on the OUTPUT chain of a machine are still being sent on
> >the same interface they would have without the nat, and ignoring the route
> >that aims them to the right iface for that dest addr.
> >
> >Evan
> >
> >
> >
>
> I haven't seen the rest of this thread, so I may have missed something,
> but why are you doing DNAT on the nat OUTPUT chain? DNAT is usually done
> on the nat PREROUTING chain and SNAT on the POSTROUTING chain. Anything
> done in filter OUTPUT, mangle POSTROUTING, or nat POSTROUTING could
> change the direction of your packets before they leave your host.
>
> Jeff
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
@ 2003-10-28 13:44 ` Evan Harris
0 siblings, 0 replies; 12+ messages in thread
From: Evan Harris @ 2003-10-28 13:44 UTC (permalink / raw)
To: Jeffrey Laramie; +Cc: netfilter, netfilter-devel
The PREROUTING chain is only traversed for packets being forwarded through a
host, not locally generated connections. According to the docs, in order to
DNAT local conns, it must be done in the OUTPUT chain.
Evan
On Thu, 23 Oct 2003, Jeffrey Laramie wrote:
> Evan Harris wrote:
>
> >Ok, I've upgraded to kernel 2.4.22, and the same behaviour is being
> >exhibited.
> >
> >To recap the problem:
> >
> >Packets being nat'd on the OUTPUT chain of a machine are still being sent on
> >the same interface they would have without the nat, and ignoring the route
> >that aims them to the right iface for that dest addr.
> >
> >Evan
> >
> >
> >
>
> I haven't seen the rest of this thread, so I may have missed something,
> but why are you doing DNAT on the nat OUTPUT chain? DNAT is usually done
> on the nat PREROUTING chain and SNAT on the POSTROUTING chain. Anything
> done in filter OUTPUT, mangle POSTROUTING, or nat POSTROUTING could
> change the direction of your packets before they leave your host.
>
> Jeff
>
>
>
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
2003-10-23 0:58 Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd) Evan Harris
@ 2003-10-23 17:09 ` Henrik Nordstrom
2003-10-23 17:09 ` Henrik Nordstrom
1 sibling, 0 replies; 12+ messages in thread
From: Henrik Nordstrom @ 2003-10-23 17:09 UTC (permalink / raw)
To: Evan Harris; +Cc: netfilter, netfilter-devel
On Wed, 22 Oct 2003, Evan Harris wrote:
> According to the documentation for iptables, it appears that the OUTPUT
> chain on the nat table should happen before the routing decision is made,
> but that appears to not be the case. Is this a bug, or are the docs wrong?
> And if the docs are wrong, what is the correct way to accomplish this?
>
> I am using a stock linux kernel 2.4.20, with iptables 1.2.8.
Is your kernel patched with p-o-m from iptables 1.2.8, or is it really a
stock 2.4.20 kernel without any patches?
You might want to try upgrading with at least the current p-o-m patches..
there has been numerous fixes to NAT of local traffic not too long ago.
Also make sure you have the kernel option for NAT of local traffic
enabled.
Regards
Henrik
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd)
@ 2003-10-23 17:09 ` Henrik Nordstrom
0 siblings, 0 replies; 12+ messages in thread
From: Henrik Nordstrom @ 2003-10-23 17:09 UTC (permalink / raw)
To: Evan Harris; +Cc: netfilter, netfilter-devel
On Wed, 22 Oct 2003, Evan Harris wrote:
> According to the documentation for iptables, it appears that the OUTPUT
> chain on the nat table should happen before the routing decision is made,
> but that appears to not be the case. Is this a bug, or are the docs wrong?
> And if the docs are wrong, what is the correct way to accomplish this?
>
> I am using a stock linux kernel 2.4.20, with iptables 1.2.8.
Is your kernel patched with p-o-m from iptables 1.2.8, or is it really a
stock 2.4.20 kernel without any patches?
You might want to try upgrading with at least the current p-o-m patches..
there has been numerous fixes to NAT of local traffic not too long ago.
Also make sure you have the kernel option for NAT of local traffic
enabled.
Regards
Henrik
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2003-10-28 13:44 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-10-23 0:58 Bug/Problem with DNAT on OUTPUT chain (-t nat -A OUTPUT) that breaks routing? (fwd) Evan Harris
2003-10-23 2:37 ` Patrick McHardy
2003-10-23 16:30 ` Evan Harris
2003-10-23 16:30 ` Evan Harris
2003-10-23 17:16 ` Patrick McHardy
2003-10-23 18:25 ` Evan Harris
2003-10-23 18:25 ` Evan Harris
2003-10-23 17:29 ` Jeffrey Laramie
2003-10-28 13:44 ` Evan Harris
2003-10-28 13:44 ` Evan Harris
2003-10-23 17:09 ` Henrik Nordstrom
2003-10-23 17:09 ` Henrik Nordstrom
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.