From mboxrd@z Thu Jan 1 00:00:00 1970
From: BERTRAND Joël
Date: Mon, 07 May 2007 11:57:11 +0000
Subject: [2.6.21.1] Nat trouble
Message-Id: <463F1417.80409@systella.fr>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: sparclinux@vger.kernel.org

Hello,

I have built a 2.6.21.1 kernel to replace a working 2.6.20 on an U60/SMP. NAT (iptables) worked fine with 2.6.20 but not with 2.6.21.1. That being said, all other iptables rules seem to work fine with 2.6.21.1.

My /var/lib/iptables/active script:

# Generated by iptables-save v1.2.11 on Sat Jan 22 20:25:31 2005
*filter
#
#
#========================================# Par défaut, tout est rejeté sauf sur l'interface loopback
#========================================#
:INPUT DROP [28:3300]
:FORWARD DROP [0:0]
:OUTPUT DROP [27:3120]
[0:0] -A INPUT -i lo -j ACCEPT
#
#
#========================================# Tout ce qui provient du LAN est accepté.
#========================================#
[0:0] -A INPUT -i eth0 -j ACCEPT
#
#
#========================================# Protocoles provenant de l'interface WAN rayleigh.
# ftp, ssh, smtp, http, ntp, https, imaps, pop3s, cvs, jabber
#========================================#
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A INPUT -i eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 5222 -j ACCEPT
[0:0] -A INPUT -i eth1 -p icmp -j ACCEPT
#
#
#========================================# Protocoles provenant de l'interface WAN newton.
# ssh, ntp, smtp
#========================================#
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A INPUT -i eth2 -p icmp -j ACCEPT
#
#
#========================================# Réceptions inconditionnelles
#========================================#
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
#
#
#========================================# Transmission du LAN vers l'interface WAN rayleigh (route par défaut).
# ftp, ssh, http, pop3, nntp, https, imaps, pop3s, openvpn, cvs,
# 3000:3001 (jcollab)
#========================================#
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 43 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 119 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 993 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 1194 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 1194 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3000:3001 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
#
#
#========================================# De l'interface WAN rayleigh Vers les machines du /29.
# ssh
#========================================#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
#
#
#========================================# De l'interface WAN rayleigh vers lebegue.
# 3000:3001 (jcollab), mysql
#========================================#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 3000:3001 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.81 --dport 3306 -j ACCEPT
#
#
#========================================# De l'interface WAN rayleigh vers fermat.
# smtp, http
#========================================#
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.83 --dport 25 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.0.83 --dport 80 -j ACCEPT
#
#
#========================================# De fermat vers l'interface WAN newton.
# smtp
#========================================#
[0:0] -A FORWARD -i eth0 -o eth2 -p tcp -m tcp -s 192.168.0.83 --dport 25 -j ACCEPT
#
#
#========================================# De fermat vers l'interface WAN rayleigh.
# smtp
#========================================#
[0:0] -A FORWARD -i eth0 -o eth1 -p tcp -m tcp -s 192.168.0.83 --dport 3307 -j ACCEPT
#
#
#========================================# Transmissions inconditionnelles
#========================================#
[0:0] -A FORWARD -p icmp -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -m state --state INVALID -j DROP
#
#
#========================================# Émissions autorisées sur les interfaces LAN et loopback
#========================================#
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -o eth0 -j ACCEPT
#
#
#========================================# Émissions autorisées sur l'interface WAN rayleigh
# ftp, ssh, telnet, smtp, whois, domain, http, pop3, nntp, ntp, https, cvs
# 3000:3001 (jcollab), mysql, 8080 (servlet jcollab)
#========================================#
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 43 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 119 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 554 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 2401 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p udp -m udp --dport 2401 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3000 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3001 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 3306 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A OUTPUT -o eth1 -p icmp -j ACCEPT
#
#
#========================================# Émissions autorisées sur l'interface WAN newton
# telnet, ntp
#========================================#
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 23 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p tcp -m tcp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A OUTPUT -o eth2 -p icmp -j ACCEPT
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -m state --state INVALID -j DROP
COMMIT
# Completed on Sat Jan 22 20:25:31 2005
# Generated by iptables-save v1.2.11 on Sat Jan 22 20:25:31 2005
*nat
:PREROUTING ACCEPT [2:156]
:POSTROUTING ACCEPT [4:377]
:OUTPUT ACCEPT [0:0]
#
#
#========================================# NAT de tout ce qui provient de l'interface LAN
#========================================#
[0:0] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#
#
#========================================# Force le routage des paquets à destination du port 25 provenant de fermat
# vers l'interface WAN newton
#========================================#
[0:0] -A PREROUTING -s 192.168.0.83 -p tcp -m tcp --dport 25 -jMARK --set-mark 1
COMMIT
# Completed on Sat Jan 22 20:25:31 2005

eth1 and eth2 are WAN interfaces, eth0 is LAN. All options required for iptables have been built as modules. Configurations of both 2.6.20 and 2.6.21.1 are the same.

Regards,

JKB