From: Dion Kant <msn@concero.nl>
To: Richard Horton <arimus.uk@googlemail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Packets ending up in wrong chain after DNAT
Date: Tue, 02 Mar 2010 19:01:38 +0100
Message-ID: <4B8D5282.5070107@concero.nl>
In-Reply-To: <56378e321003020212t17cdec48m6e414d89da208af2@mail.gmail.com>

Richard Horton wrote:
> On 2 March 2010 01:29, Dion Kant <msn@concero.nl> wrote:
>
>   
>> Mar  2 02:03:55 erouter kernel: [527925.765439] LOG 25 Wrong  IN=eth2
>> OUT= MAC=00:16:3e:78:4a:72:00:1d:45:8a:1b:2e:08:00 SRC=1.1.1.1
>> DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=53803
>> DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>>     
>
> As I understand what you are trying to do is allow access to port 25
> on your internal network from an external machine right?
>   
Yes, correct.
> If so that log looks odd - the originator of the connection is sending
> a RESET flag. The Reset flag is sent by the destination (at least from
> my knowledge they are).
>   
This does ring a bell to me. I think it is caused by a Postfix
"feature". The mail server is a Postfix MTA.  If I understand you
correctly, Postfix opens a connection, "conntracked" correctly as can be
seen by the log in the FORWARD chain. Then a bit later, Postfix sends a
packet with RST set. This is an error, classified invalid and therefore
it ends up in the INPUT chain.

Thanks for explaining this.

Dion.
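
Added example (not part of the original message): a Python parser for netfilter LOG lines like the one quoted above, flagging a TCP RST that was logged with an empty OUT= (no output interface, so it was not logged in FORWARD) although its destination port is one that is supposed to be DNATed. The function names, the `dnat_ports` parameter and the second sample line are assumptions made for illustration.

```python
# Constructed sample input: line 1 is the log entry quoted in the thread,
# line 2 is a made-up forwarded SYN added for comparison.
SAMPLE = [
    "Mar  2 02:03:55 erouter kernel: [527925.765439] LOG 25 Wrong  IN=eth2 "
    "OUT= MAC=00:16:3e:78:4a:72:00:1d:45:8a:1b:2e:08:00 SRC=1.1.1.1 "
    "DST=2.2.2.2 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP "
    "SPT=53803 DPT=25 WINDOW=0 RES=0x00 RST URGP=0",
    "Mar  2 02:03:54 erouter kernel: [527924.100000] LOG 25 Fwd IN=eth2 "
    "OUT=eth0 SRC=1.1.1.1 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 "
    "ID=4242 DF PROTO=TCP SPT=53803 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
]

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log(line):
    """Split a netfilter LOG line into KEY=value fields plus bare TCP flags."""
    parts = line.split("IN=", 1)          # drop syslog header and log prefix
    if len(parts) != 2:
        return None                       # not a netfilter LOG line
    fields, flags = {}, set()
    for tok in ("IN=" + parts[1]).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value           # "OUT=" yields an empty string
        elif tok in TCP_FLAGS:            # bare tokens such as DF are ignored
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


def stray_rst(line, dnat_ports):
    """True for a TCP RST with no output interface aimed at a DNATed port."""
    pkt = parse_log(line)
    if pkt is None or pkt.get("PROTO") != "TCP":
        return False
    dpt = pkt.get("DPT", "")
    return (pkt.get("OUT") == ""          # logged outside the FORWARD path
            and "RST" in pkt["FLAGS"]
            and dpt.isdigit() and int(dpt) in dnat_ports)


if __name__ == "__main__":
    for entry in SAMPLE:
        print(stray_rst(entry, {25}), entry[:60])
```
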

