From: Michael Gale <michael.gale@utilitran.com>
To: Marius Mertens <marius.mertens@gmx.de>, netfilter@lists.netfilter.org
Subject: Re: Packets that should have been DNATted appearing in INPUT table
Date: Fri, 07 Jan 2005 13:08:56 -0700
Message-ID: <41DEEC58.2020504@utilitran.com>
In-Reply-To: <008001c4f40f$a6fde380$4206a8c0@loki>

Hello,

	I believe you are misunderstanding what is happening; your rule:

iptables -A INPUT -i ppp0 -p tcp --dport 4664 -j DROP

should not affect packets you are forwarding, because those packets from 
outside that are being sent to an internal machine should be matched 
against the FORWARD chain and not the INPUT chain.

So somewhere packets are not matching the PREROUTING rule; either you 
have a rule above that is causing some packets to be accepted before they 
reach the PREROUTING rule.

You could do an iptables -t nat -vnL and iptables -vnL and provide the 
output. Plus, if you are running tests, where are you running them from?

Michael.




Marius Mertens wrote:
> On Thursday, January 06, 2005 4:55 PM,
> Jason Opperisano wrote:
> 
>> does your DNAT work or not?
> 
> 
> That's what I find most weird: for about 95% of the packets it indeed 
> does work, but some of the packets seem to be ignored by the DNAT rule 
> added to PREROUTING. The relevant parts of iptables' rules list output are:
> 
> Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   178 17537 ACCEPT     all  --  lo     any     anywhere             anywhere
>  1012 63664 DROP       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:4664
> [...]
> 
> and
> 
> Chain PREROUTING (policy ACCEPT 333K packets, 17M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 26615 1336K DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:4664 to:192.168.6.10
> [...]
> 
> So from the user's point of view I would not have even noticed it, as 
> applications work as expected. So the user would say, my DNAT does work. 
> But looking at the packet counters I would like to understand what is 
> happening, because my aim was to have every single packet going to 
> specific ports being redirected to another box. As already mentioned, I 
> believe the packet counter of the above drop rule should be zero, 
> because all packets matching this rule should already have matched DNAT 
> in PREROUTING and therefore never enter INPUT. From that point of view 
> (at least for some packets) I have to say that DNAT does not work.
> 
> If there is more information I can provide to narrow down the problem, 
> please let me know. And thanks again for your help,
> 
> Marius
> 

-- 
Michael Gale
Lan Administrator
Utilitran Corp.

I make better friends with those who think for them selves
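One way to check the invariant Marius describes (an INPUT rule for a port that is DNATed in nat PREROUTING should see zero packets), as an added Python example that is not part of this thread: it parses `iptables -vnL` style output and reports INPUT counters for (interface, protocol, dport) tuples covered by a DNAT rule. The sample chain listings are constructed from the counters quoted above; the function names are my own.

```python
import re

# Constructed sample listings, mirroring the counters quoted in the thread
# (not live output from any host).
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 333K packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
26615 1336K DNAT       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:4664 to:192.168.6.10
"""

FILTER_INPUT = """\
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
  178 17537 ACCEPT     all  --  lo     any     anywhere             anywhere
 1012 63664 DROP       tcp  --  ppp0   any     anywhere             anywhere             tcp dpt:4664
"""

# pkts bytes target prot opt in out source destination [match text...]
RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*)$")

def to_int(s):
    """Expand the K/M/G suffixes iptables uses for large counters."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)

def parse_chain(text):
    """Parse one `iptables -vnL` chain listing into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if line.startswith("Chain") or not m:
            continue  # chain header, column header, or blank
        pkts, _bytes, target, proto, in_if, out_if, src, dst, extra = m.groups()
        dport = re.search(r"dpt:(\d+)", extra)
        rules.append({"pkts": to_int(pkts), "target": target, "proto": proto,
                      "in": in_if, "dport": dport.group(1) if dport else None})
    return rules

def leaked_counts(prerouting_text, input_text):
    """Return (target, dport, pkts) for INPUT rules whose (in, proto, dport)
    is also matched by a DNAT rule in nat PREROUTING and whose counter is
    non-zero. If DNAT rewrote every matching packet, this list is empty."""
    dnat_keys = {(r["in"], r["proto"], r["dport"])
                 for r in parse_chain(prerouting_text) if r["target"] == "DNAT"}
    return [(r["target"], r["dport"], r["pkts"]) for r in parse_chain(input_text)
            if (r["in"], r["proto"], r["dport"]) in dnat_keys and r["pkts"] > 0]
```

On the quoted counters this reports the DROP rule for dpt:4664 with 1012 packets, i.e. the packets the thread is asking about; a non-empty result on a live box is the cue to pull the full `-t nat -vnL` and `-vnL` listings Michael asks for.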

