From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: NAT problem with iptables
Date: Sun, 07 Oct 2007 22:32:21 +0200
Message-ID: <47094255.1040101@plouf.fr.eu.org>
In-Reply-To: <47093D17.4010206@may.be>
Cliff Stanford wrote:
>
> Pascal Hambourg wrote:
>
>>A possible explanation may be the following.
>>The remote box sends a continuous stream of UDP packets. The first
>>packet was received before the ruleset was installed but after the
>>conntrack was loaded, so a conntrack entry was created with no NAT, and
>>does not expire because of the continuous stream.
>
> Thank you! You hit the nail right on the head!
>
>>Clear the conntrack table by any means and see what happens.
>
> I cleared it with conntrack -F and you were absolutely right. It's now
> working as expected.
In order to avoid this, the iptables ruleset must preferably be
installed before the network interfaces are UP and some traffic is sent
or received.
> I knew it had to be my naivety but I couldn't see
> what I was doing wrong.
It has nothing to do with naivety. Your ruleset was correct. I believe
this kind of problem requires fair knowledge and understanding of how
Netfilter performs connection tracking and its side effects. Fortunately
you provided enough information, which not everyone does all the time.
> Out of interest, I can't seem to find a syntax that conntrack -D likes;
> is there a tutorial for it anywhere or any docs better than the man page?
I have never used conntrack and cannot help you on this, sorry.
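An added example, not from this thread or from the conntrack-tools project: a POSIX shell/awk filter that scans `conntrack -L` output for entries whose reply tuple is the plain mirror of the original tuple, which is the signature of a flow that was tracked before the SNAT rule was loaded (the situation diagnosed above). The sample lines, the LAN prefix 192.168.1. and the public SNAT address 198.51.100.1 are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L` output (not captured from a real host).
# Line 1: UDP flow tracked before the SNAT rule existed: the reply tuple is
#         the exact mirror of the original tuple, i.e. no NAT was applied.
# Line 2: same kind of flow tracked after the rule: reply dst is the public
#         address 198.51.100.1, so SNAT was applied.
# Line 3: a TCP flow with SNAT applied.
SAMPLE_CONNTRACK='udp      17 29 src=192.168.1.10 dst=203.0.113.5 sport=5000 dport=5000 src=203.0.113.5 dst=192.168.1.10 sport=5000 dport=5000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=203.0.113.5 sport=5001 dport=5000 src=203.0.113.5 dst=198.51.100.1 sport=5001 dport=5000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.12 dst=203.0.113.9 sport=41000 dport=443 src=203.0.113.9 dst=198.51.100.1 sport=443 dport=41000 [ASSURED] mark=0 use=1'

# find_unnatted PREFIX
# Reads conntrack -L lines on stdin and prints "proto src:sport->dst:dport"
# for every entry whose original source starts with PREFIX (dotted form,
# e.g. 192.168.1.) but whose reply tuple merely mirrors the original tuple:
# such a flow escaped SNAT. Entries without both 4-field tuples (ICMP) are
# skipped.
find_unnatted() {
  awk -v prefix="$1" '
  {
    n = 0; split("", v)
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
        n++; v[n] = kv[2]
      }
    }
    # v[1..4] = original src,dst,sport,dport ; v[5..8] = reply src,dst,sport,dport
    if (n < 8) next
    if (index(v[1], prefix) != 1) next
    if (v[5] == v[2] && v[6] == v[1] && v[7] == v[4] && v[8] == v[3])
      print $1, v[1] ":" v[3] "->" v[2] ":" v[4]
  }'
}

# Demo on the constructed sample; on a router replace the printf with
# `conntrack -L 2>/dev/null`.
printf '%s\n' "$SAMPLE_CONNTRACK" | find_unnatted 192.168.1.
```

Any entry the filter reports will keep bypassing NAT until it expires or the table is cleared; `conntrack -F`, as used in the thread, flushes the whole table so the flow is re-created through the NAT rules.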