From: Jeff Machesky <jeff@codebest.com>
To: netfilter@lists.netfilter.org
Subject: NAT rules not clearing, delays in loading
Date: Fri, 24 Feb 2006 10:49:56 -0700
Message-ID: <43FF4744.8040706@codebest.com>
I used to belong to this group once upon a time; I stepped away for a while.
I've run into a very strange problem that I hope someone can shed some
light on.
Using Debian 3.1 I'm trying to do a DNS redirector. The idea is that
clients using the DNS that have not been authorized will be directed to
a login page; once they log in, iptables rules will be added to allow
DNS to resolve normally.
Here is what I've got:
The IP of the client (fake) in this case would be 24.158.18.72
The IP of the real DNS server is 10.1.1.2 (Internal LAN)
The IP of the pseudo DNS server is 24.0.1.2 (fake) on eth0 and
10.0.1.11 eth1
iptables -t nat -A PREROUTING -s 24.158.18.72 -p udp -i eth0 --dport 53 -j DNAT --to 10.0.1.2
iptables -t nat -A POSTROUTING -d 10.0.1.2 -o eth1 -p udp -m udp --dport 53 -j SNAT --to-source 10.0.1.11
And of course I have forwarding set.
What this does is allow real DNS for the client with the IP of 24.158.18.172
and fake DNS (resolves everything the same) for any other client.
The above rules work. Now for the problem.
When rule #1 is first put in place the packets do not start to route
right away; they often take up to a minute or so to take hold. Once in
a while I'll get lucky and the rule appears to take effect right away.
This is verified by ethereal dumps.
The other problem: after removing rule #1, or for that matter flushing
the entire nat table (iptables -t nat -F), the rules will keep working
for several minutes.
I've tried this with iptables 1.2.xx and iptables 1.3.5 with kernel
2.6.12 and kernel 2.6.15.4. The rules work; they just don't take hold
right away or release right away. This is so weird.
Linux version 2.6.15.4 (root@somewhere.com) (gcc version 3.3.5 (Debian
1:3.3.5-13)) #2 SMP Thu Feb 23 14:31:04 MST 2006
filename: /lib/modules/2.6.15.4/kernel/net/ipv4/netfilter/iptable_nat.ko
license: GPL
vermagic: 2.6.15.4 SMP PENTIUM4 gcc-3.3
depends: ip_nat,ip_tables,ip_conntrack
Can anyone shed some light on this issue?
Thanks,
Jeff
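The behaviour described above (a rule that takes hold late, and rules that keep working after the nat table is flushed) is what you get when the NAT decision is bound to a connection-tracking entry: Netfilter consults the nat table only for the first packet of a flow, stores the result in the conntrack entry, and reuses it for every later packet of that flow until the entry times out, with each packet refreshing the timeout. The Python model below is an added example, not part of the original post or of netfilter's own code. Flow, DnatRule, NatBox, UDP_TIMEOUT and the client's UDP source port are constructed for the illustration; the addresses are the ones from the rules in the post, and the model assumes the client resolver reuses one source port so that all of its queries belong to the same flow.

```python
"""Added example, not from the original post: a minimal model of how
Netfilter binds a NAT decision to a connection-tracking (conntrack) entry.

Assumptions of the model (constructed for illustration):
  * the nat table is consulted only for the first packet of a flow;
  * later packets of the same flow reuse the stored mapping, and every
    packet refreshes the entry's timeout;
  * UDP_TIMEOUT stands in for the kernel's per-flow UDP conntrack timeout;
  * the client resolver reuses one UDP source port for its queries.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UDP_TIMEOUT = 30  # seconds; constructed value, same order as the kernel default


@dataclass(frozen=True)
class Flow:
    """The tuple conntrack uses to identify a connection."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass
class DnatRule:
    """Model of: iptables -t nat -A PREROUTING -s SRC -p udp -i IN_IF --dport DPORT -j DNAT --to TO"""
    src: str
    in_if: str
    dport: int
    to: str


@dataclass
class NatBox:
    rules: List[DnatRule] = field(default_factory=list)
    # conntrack table: flow -> (destination chosen for this flow, expiry time)
    entries: Dict[Flow, Tuple[str, float]] = field(default_factory=dict)

    def _lookup_rule(self, flow: Flow, in_if: str) -> str:
        for r in self.rules:
            if r.src == flow.src and r.in_if == in_if and r.dport == flow.dport:
                return r.to
        return flow.dst  # no match: the packet keeps its original destination

    def deliver(self, flow: Flow, in_if: str, now: float) -> str:
        """Return the address the packet is forwarded to at time `now`."""
        entry = self.entries.get(flow)
        if entry is not None and entry[1] > now:
            dst = entry[0]                        # live flow: rules are NOT re-evaluated
        else:
            dst = self._lookup_rule(flow, in_if)  # new flow: decide once, then remember
        self.entries[flow] = (dst, now + UDP_TIMEOUT)  # refreshed on every packet
        return dst

    def flush_nat(self) -> None:
        """iptables -t nat -F: removes the rules but leaves conntrack entries alone."""
        self.rules.clear()

    def flush_conntrack(self) -> None:
        """Dropping the entries is what makes a NAT change apply to existing flows."""
        self.entries.clear()


# Addresses from the rules in the post; the client source port is constructed.
ORIGINAL_DST = "24.0.1.2"   # the pseudo DNS address the client actually sends to
NAT_TARGET = "10.0.1.2"     # the --to address of the DNAT rule
CLIENT = Flow("24.158.18.72", 40000, ORIGINAL_DST, 53)
RULE = DnatRule("24.158.18.72", "eth0", 53, NAT_TARGET)


def symptom_rule_delayed() -> List[str]:
    """Rule added while a flow is live: DNAT applies only after the entry expires."""
    box = NatBox()
    seen = [box.deliver(CLIENT, "eth0", now=0)]          # no rule yet -> original destination
    box.rules.append(RULE)
    seen.append(box.deliver(CLIENT, "eth0", now=10))     # entry alive -> still original
    seen.append(box.deliver(CLIENT, "eth0", now=10 + UDP_TIMEOUT + 1))  # expired -> DNAT
    return seen


def symptom_flush_lingers() -> List[str]:
    """Rules flushed while a flow is live: the old mapping survives until the entry expires."""
    box = NatBox(rules=[RULE])
    seen = [box.deliver(CLIENT, "eth0", now=0)]          # rule present -> DNAT target
    box.flush_nat()
    seen.append(box.deliver(CLIENT, "eth0", now=10))     # entry alive -> still DNAT target
    seen.append(box.deliver(CLIENT, "eth0", now=10 + UDP_TIMEOUT + 1))  # expired -> original
    return seen


def flush_conntrack_fixes_it() -> List[str]:
    """Clearing the conntrack entries makes the next packet re-evaluate the nat table."""
    box = NatBox(rules=[RULE])
    seen = [box.deliver(CLIENT, "eth0", now=0)]          # DNAT target
    box.flush_nat()
    box.flush_conntrack()
    seen.append(box.deliver(CLIENT, "eth0", now=1))      # immediately the original destination
    return seen


if __name__ == "__main__":
    print("rule added late :", symptom_rule_delayed())
    print("rules flushed   :", symptom_flush_lingers())
    print("conntrack flush :", flush_conntrack_fixes_it())
```

The first two functions reproduce the two symptoms from the post; the third shows why a NAT rule change for a captive-portal style setup should be paired with clearing the affected conntrack entries (on current kernels the conntrack tool from conntrack-tools does this, `conntrack -F` for the whole table or `-D` with a filter). Without that, the portal's idea of who is authorized and the conntrack table's stored NAT decisions can disagree for as long as a client keeps a flow alive, in either direction: a freshly authorized client stays on the fake resolver, and a de-authorized one keeps reaching the real one.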