From: Dion Kant <msn@concero.nl>
To: netfilter@vger.kernel.org
Subject: Packets ending up in wrong chain after DNAT
Date: Tue, 02 Mar 2010 02:29:35 +0100
Message-ID: <4B8C69FF.7050400@concero.nl>
I have a DNAT to an address behind the box, like this
Chain PREROUTING (policy ACCEPT 743K packets, 49M bytes)
 pkts bytes target prot opt in   out source   destination
 1572 94320 DNAT   tcp  --  eth2 *   1.1.1.1  0.0.0.0/0    tcp dpt:25 to:172.20.8.217
I expect to see all packets from source 1.1.1.1 to tcp/25 ending up
exclusively in the FORWARD chain. However a fraction of these packets
end up in both FORWARD and INPUT chains.
The following log lines show the problem:
Mar 2 02:03:50 erouter kernel: [527920.547039] LOG 25 Correct IN=eth2 OUT=eth0 SRC=1.1.1.1 DST=172.20.8.217 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6919 DF PROTO=TCP SPT=53800 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 2 02:03:55 erouter kernel: [527925.562582] LOG 25 Correct IN=eth2 OUT=eth0 SRC=1.1.1.1 DST=172.20.8.217 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=26610 DF PROTO=TCP SPT=53803 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 2 02:03:55 erouter kernel: [527925.765439] LOG 25 Wrong IN=eth2 OUT= MAC=00:16:3e:78:4a:72:00:1d:45:8a:1b:2e:08:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=53803 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
The first entry is fine. The next two lines show the problem. The second
line comes from the FORWARD chain and a fraction later in time, another
entry is logged in the INPUT chain. Note the different LEN and other
values in the last log line.
I used the following to create the log lines (addresses are fake)
IPTABLES=/usr/sbin/iptables
xs1=eth2   # external interface
lan=eth0   # LAN interface
# DNAT inbound tcp/25 from 1.1.1.1 to the mail host behind the box
$IPTABLES -t nat -A PREROUTING -i $xs1 -p tcp -s 1.1.1.1 --dport 25 -j DNAT --to-destination 172.20.8.217
# Log tcp/25 from the external interface that is delivered locally (INPUT chain)
$IPTABLES -N inet-fw
$IPTABLES -A INPUT -i $xs1 -j inet-fw
$IPTABLES -A inet-fw -p tcp --dport 25 -j LOG --log-prefix 'LOG 25 Wrong '
# Log tcp/25 forwarded from the external interface to the LAN (FORWARD chain)
$IPTABLES -N inet-lan
$IPTABLES -A FORWARD -i $xs1 -o $lan -j inet-lan
$IPTABLES -A inet-lan -p tcp --dport 25 -j LOG --log-prefix 'LOG 25 Correct '
I see this problem running openSUSE 11.2 with their kernel
Linux erouter 2.6.31.12-0.1-xen #1 SMP 2010-01-27 08:20:11 +0100 i686 i686 i386 GNU/Linux
running on a Xen domU. I cannot remember having seen this behaviour
before. Does someone have a clue?
Dion.
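A small detector for the symptom described in the post above, added here as an example and not part of the original message: it parses kernel LOG lines of the shape shown, groups entries by (SRC, SPT), and reports flows that were logged by the INPUT-chain rule with a destination other than the DNAT target, together with the TCP flags seen on the stray packet. The sample log text is constructed from the three lines in the post; the prefix strings and the DNAT target are the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the kernel LOG lines quoted in the post
# (one log entry per line).
SAMPLE_LOG = """\
Mar 2 02:03:50 erouter kernel: [527920.547039] LOG 25 Correct IN=eth2 OUT=eth0 SRC=1.1.1.1 DST=172.20.8.217 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=6919 DF PROTO=TCP SPT=53800 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 2 02:03:55 erouter kernel: [527925.562582] LOG 25 Correct IN=eth2 OUT=eth0 SRC=1.1.1.1 DST=172.20.8.217 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=26610 DF PROTO=TCP SPT=53803 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 2 02:03:55 erouter kernel: [527925.765439] LOG 25 Wrong IN=eth2 OUT= MAC=00:16:3e:78:4a:72:00:1d:45:8a:1b:2e:08:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=53803 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Everything between the "[uptime]" stamp and the first "IN=" is the --log-prefix.
PREFIX_RE = re.compile(r"kernel: \[[0-9.]+\] (?P<prefix>.*?) (?=IN=)")


def parse_log_line(line):
    """Return the LOG fields of one kernel line as a dict, or None if it is not a LOG line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:                      # key=value pairs such as SRC=1.1.1.1 (OUT= stays empty)
            k, v = tok.split("=", 1)
            fields[k] = v
        elif tok in TCP_FLAGS:              # bare flag words such as SYN or RST
            fields["flags"].add(tok)
    return fields


def find_straying_flows(log_text, dnat_target, input_prefix="LOG 25 Wrong"):
    """Group entries by (SRC, SPT) and report flows that hit the INPUT rule with a
    destination other than the DNAT target, i.e. packets that were not rewritten."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP":
            flows[(f["SRC"], f["SPT"])].append(f)
    report = []
    for key, entries in flows.items():
        stray = [e for e in entries if e["prefix"] == input_prefix and e.get("DST") != dnat_target]
        if stray:
            report.append({
                "flow": key,
                "flags": sorted(stray[0]["flags"]),
                "dst": stray[0]["DST"],
                # True when the same (SRC, SPT) was earlier seen in the FORWARD-chain rule
                "forwarded_earlier": any(e["prefix"] != input_prefix for e in entries),
            })
    return report
```

Running `find_straying_flows(SAMPLE_LOG, "172.20.8.217")` on the sample isolates the 1.1.1.1:53803 flow: its SYN was forwarded to the DNAT target, but a later RST with WINDOW=0 reached INPUT addressed to 2.2.2.2, which is the pattern worth alerting on.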