* DNATed packet not hitting FORWARD chain
From: James @ 2004-11-22 20:06 UTC (permalink / raw)
  To: netfilter

Hi,

I'm having some trouble getting DNAT to work properly.  I have a gateway
machine that has two different connections to the Internet, on eth1 and
eth2.  I'm trying to allow inbound port 1723 to be forwarded to an internal
PPTP server through both interfaces.  It works on eth2, but not eth1.
Here's what I've got:

Chain PREROUTING (policy ACCEPT 217K packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
   15   744 DNAT       tcp  --  eth2   *       0.0.0.0/0            $DSL_IP              tcp dpt:1723 to:192.168.0.167:1723
  127  7152 DNAT       tcp  --  eth1   *       0.0.0.0/0            $CABLE_IP            tcp dpt:1723 to:192.168.0.165:1723

Chain FORWARD (policy DROP 6 packets, 360 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            192.168.0.165        LOG flags 0 level 4
 508K  306M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  eth1   eth0    0.0.0.0/0            192.168.0.165        state NEW
    1    60 ACCEPT     tcp  --  eth2   eth0    0.0.0.0/0            192.168.0.167        tcp dpt:1723 state NEW

As you can see from the counters, the packets coming in from both interfaces
are hitting the DNAT rules, and so they should be rewritten correctly.
Then, it would seem that the packets rewritten for 192.168.0.165 get lost in
space - I added the LOG target as the first rule of the FORWARD chain just
to be sure, and no packets ever hit that rule.  Packets rewritten for
192.168.0.167 work fine, they hit the FORWARD chain and are accepted.

I thought it might be the routing, so I checked:

gw:/home/james# ip ro get 192.168.0.165
192.168.0.165 dev eth0  src 192.168.0.1
    cache  mtu 1500 advmss 1460

Packets for 192.168.0.165 should be routed out eth0, which is different than
the eth1 they came in on, so they should hit the FORWARD chain, right?  Any
ideas on where the packets are going, since they aren't making it to the
FORWARD chain?  Where else can I look?

(This is only a part of my iptables ruleset, but I don't think the other
rules matter, at least until the packets are being logged by the first rule
in the FORWARD chain.  Let me know if you think differently and want to see
the whole ruleset.)

Thanks,

James




* Re: DNATed packet not hitting FORWARD chain
From: primero @ 2004-11-23  9:00 UTC (permalink / raw)
  To: James; +Cc: netfilter

James wrote:

>Hi,
>
>I'm having some trouble getting DNAT to work properly.  I have a gateway
>machine that has two different connections to the Internet, on eth1 and
>eth2.  I'm trying to allow inbound port 1723 to be forwarded to an internal
>PPTP server through both interfaces.  It works on eth2, but not eth1.
>Here's what I've got:
>
>  
>
Hi
I would try to check whether packets arrive on .165 by running tcpdump on
that host, just to see if the DNATting and forwarding are done correctly,
and they should be, based on the rules you showed us.

Then I would ask how you deal with routing packets on your gw. I mean, if
you receive the connection on eth2 and you DNAT and forward to .167, the
returning packets from .167 should be routed to eth2 and exit the gw from
that interface. The same for eth1 and .165.

What about your routing settings on the gw? Maybe you use eth2 as the
default route interface, and so the packets that come back from .165 also
exit and are routed via eth2. This way you'll never get the SNAT rule
associated with the previous DNAT rule matched and applied.

BTW this is just an idea ;)

bye
primero



* Re: DNATed packet not hitting FORWARD chain
From: Taso Hatzi @ 2004-11-23 11:53 UTC (permalink / raw)
  To: James; +Cc: netfilter

James wrote:
> 
> I'm having some trouble getting DNAT to work properly.  I have a gateway
> machine that has two different connections to the Internet, on eth1 and
> eth2.  I'm trying to allow inbound port 1723 to be forwarded to an internal
> PPTP server through both interfaces.  It works on eth2, but not eth1.
> Here's what I've got:
> 


Last time I had packets disappear on me for no obvious reason it turned out to
be an MSS issue and was fixed by turning on MSS clamping in the appropriate
places.




* RE: DNATed packet not hitting FORWARD chain
From: James @ 2004-11-23 16:00 UTC (permalink / raw)
  To: 'primero', 'James'; +Cc: netfilter


> James wrote:
> 
> >Hi,
> >
> >I'm having some trouble getting DNAT to work properly.  I have a gateway
> >machine that has two different connections to the Internet, on eth1 and
> >eth2.  I'm trying to allow inbound port 1723 to be forwarded to an
> internal
> >PPTP server through both interfaces.  It works on eth2, but not eth1.
> >Here's what I've got:
> >
> >
> >
> Hi
> I would try to check if packets arrives on .165 by tcpdump on this host.
> just to see if DNATTING and FORWARDING is done correctly, and it should
> be based on rules u showed us.
 
Packets don't arrive on .165.  They don't even hit the FORWARD chain, they
disappear somewhere between nat PREROUTING and filter FORWARD.


> Then i would ask how do you deal with routing packets on your gw. I
> mean, if u receive the connection on eth2 and you DNAT and forward to
> .167 , the returning packets from .167 should be routed to the eth2 and
> exit the gw from that interface. The same for eth1 and .165
> 
> What about you routing settings on the gw? maybe u use eth2 as default
> route interface and also the packets that come back from .165 exits and
> are routed by eth2. this way you'll never get the SNAT rule associated
> to the previous DNAT rule matched and applied .

Well, that was it.  I added a routing rule to route packets from .165 out
eth1, and suddenly packets are making it to the FORWARD chain.

I guess that the Linux routing decision checks the return path for the
packet as well, and drops it if there isn't one.  Since there wasn't a
return route, the packet was dropped between nat PREROUTING and filter
FORWARD.

> 
> BTW this is just an idea ;)
> 
> bye
> primero

Thanks, it was a good idea.



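What James describes at the end is the kernel's reverse-path filter (net.ipv4.conf.*.rp_filter): after nat PREROUTING has rewritten the destination, the routing decision looks up the route back to the packet's source, using the new destination as the source of that reverse lookup, and discards the packet if that route does not leave via the interface it arrived on, so it never reaches filter FORWARD. The Python below is an added illustration, not code from the thread; it models that check with constructed tables (a main table defaulting via eth2, a "cable" table defaulting via eth1, and the made-up client address 203.0.113.10) and shows why the eth1/.165 path was dropped until a `from 192.168.0.165` policy rule gave the reply a route out eth1.

```python
import ipaddress

# Constructed routing state modelled on the thread: eth0 is the LAN, eth1 the
# cable uplink, eth2 the DSL uplink. The main table defaulting via eth2 is an
# assumption; the thread only hints at it. 203.0.113.10 is a made-up client.
MAIN_TABLE = [("192.168.0.0/24", "eth0"), ("0.0.0.0/0", "eth2")]
CABLE_TABLE = [("0.0.0.0/0", "eth1")]
# Policy rules as (source selector, table). James's fix is a single rule that
# sends traffic *from* the .165 server to the table whose default is eth1.
NO_RULES = []
JAMES_FIX = [("192.168.0.165/32", CABLE_TABLE)]

def lookup(table, dst):
    """Longest-prefix match in one table; returns the egress device or None."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None

def route(src, dst, rules):
    """ip-rule style lookup: the first rule whose selector matches src picks
    the table; anything unmatched falls back to the main table."""
    for selector, table in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return lookup(MAIN_TABLE, dst)

def reverse_path_ok(pkt_src, pkt_dst, in_dev, rules):
    """Strict rp_filter as applied after nat PREROUTING: route a reply from the
    (already DNATed) destination back to the source and require that it would
    leave on the interface the packet arrived on."""
    return route(pkt_dst, pkt_src, rules) == in_dev

def forward_outcome(in_dev, dnat_target, rules, internet_src="203.0.113.10"):
    """Where the DNATed packet ends up: filter FORWARD, or dropped by the
    routing decision before it ever gets there (what James observed on eth1)."""
    if reverse_path_ok(internet_src, dnat_target, in_dev, rules):
        return "FORWARD"
    return "dropped before FORWARD"

if __name__ == "__main__":
    for rules, label in ((NO_RULES, "main table only"), (JAMES_FIX, "from-.165 rule")):
        print(f"{label:16} eth2->.167: {forward_outcome('eth2', '192.168.0.167', rules)}"
              f" | eth1->.165: {forward_outcome('eth1', '192.168.0.165', rules)}")
```

The fix keeps the anti-spoofing check in place and instead gives the kernel a correct return path, which is preferable to turning rp_filter off on the uplink.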
