Re: Ramdom NAT drop

[Mart Frauenlob <mart.frauenlob@chello.at>]

Gary Smith wrote:
>> I would also expect to see this, but I don't think the packet is even
>> making it to the filter section.  I have logging for anything dropped
>> and yet nothing is coming in from originating IP's that are affected.
>> I will probably do something painful and put more logging in the chains
>> to see if I can better catch the problem.  The only issue I have is
>> that the problem is random.
>>
>> I will definitely look for that though.
>>     
>
>
> Included is the rule that I think is being randomly ignored.  
>
> -A PREROUTING -d 208.46.23.38 -j DNAT --to-destination 10.80.65.38
>
> This is in effect.  So I believe that I should never see a hit in the INPUT chain for this rule since all requests are being forwarded to the 10.80.65.38 IP address.  Only 10.80.0.0/16 are local.  
>
> I expcted to see this rule as the forward is indeed happening (basically we logged all traffic prior to this rule to generate the hit:
>
> Oct 21 13:33:35 hsoakfiw01c kernel: FW-F-443: IN=eth1 OUT=eth0 SRC=116.250.48.135 DST=10.80.65.38 LEN=1050 TOS=0x00 PREC=0x00 TTL=102 ID=30940 DF PROTO=TCP SPT=2374 DPT=80 WINDOW=32768 RES=0x00 ACK PSH URGP=0
>
> The INPUT catch had a rule to log all traffic coming in as well, which is where we picked up this hit:
>
> Oct 21 13:31:01 hsoakfiw01c kernel: FW-I: IN=eth1 OUT= MAC=00:0c:29:9c:88:9b:00:13:c3:d7:a3:68:08:00 SRC=189.162.111.146 DST=208.46.23.38 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=16396 DF PROTO=TCP SPT=3552 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0 
>
> So, am I wrong in thinking that external traffic forwarded in via NAT should never hit the INPUT chain and go straight to FORWARD chain, or is my problem something else completely?
>
>
>   
 From a request few days ago 'Re: FIN packets not getting NAT-ed', 
Pascal Hambourg answered:

Dhyanesh Ramaiya a écrit :

> > 
> > I have setup a Linux firewall on the edge of the network and doing SNAT for
> > internal IPs. When I sniff on external interface for internal source IPs,I
> > am seeing FIN packets from internal IPs going out without being NAT-ed.
>   
> These packets are probably classified in the INVALID state by the
> connection tracking. Such packets are ignored by the NAT. A reason may
> be that they belong to old connections the connection tracking has
> forgotten about or considers already closed.
>
> Does your rulest DROP outgoing packets in the INVALID state ?

Maybe it's the same thing just with DNAT at your end.