From: Juan Antonio <pushakk@limbo.ari.es>
To: netfilter@vger.kernel.org
Subject: Ugly issue with conntrack
Date: Tue, 16 Mar 2010 17:38:52 +0100
Message-ID: <4B9FB41C.5000609@limbo.ari.es>
Hello everyone,
I have a strange issue with a conntrack entry. There is a NAT server
configured in this way:
DMZ 194.139.30.0/23 --- 194.139.30.16 nat 192.168.12.100 ----
192.168.12.0/24 private network
The NAT machine does POSTROUTING on all traffic from the private network
to the DMZ, and there is no problem except with one server in the DMZ
running Windows 2008 Server: the traffic doesn't return to the origin. I can
see the traffic with tcpdump like this:
17:19:23.971978 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) 192.168.12.91 > 194.139.30.62: ICMP echo request,
id 12075, seq 1, length 64 <----- The original echo request, OK
17:19:23.972094 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto:
ICMP (1), length: 84) 194.139.30.16 > 194.139.30.62: ICMP echo request,
id 12075, seq 1, length 64 <------ Masqueraded source IP, OK
17:19:23.972164 IP (tos 0x0, ttl 128, id 25050, offset 0, flags [none],
proto: ICMP (1), length: 84) 194.139.30.62 > 194.139.30.16: ICMP echo
reply, id 12075, seq 1, length 64 <------- The echo reply, OK
¿?¿?¿? <----------- Lost echo reply, not OK
There is no packet from 194.139.30.16 to 192.168.12.91, despite the
conntrack table showing:
cat /proc/net/ip_conntrack | grep '30.62'
icmp 1 29 src=192.168.12.91 dst=194.139.30.62 type=8 code=0 id=12075
packets=11 bytes=924 [UNREPLIED] src=194.139.30.62 dst=194.139.30.16
type=0 code=0 id=12075 packets=0 bytes=0 mark=0 use=1
The packet in tcpdump matches the conntrack entry ("id 12075" in both
cases), but if I log the traffic with the LOG iptables target I see the
reply in the INPUT table, not in FORWARD.
Thank you, and sorry for my bad English.
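As an added example (not part of the original post), a small Python parser for the /proc/net/ip_conntrack line and the tcpdump echo-reply line quoted above. It checks the same thing the poster checked by eye: the captured reply matches the entry's reply-direction tuple, yet the entry is still [UNREPLIED] with packets=0, so conntrack never associated the reply with it. The sample lines are constructed from the post and the function names are my own.

```python
import re

# Constructed sample input: the ip_conntrack entry and the tcpdump echo-reply
# line quoted in the post, each re-joined onto a single line.
CONNTRACK_LINE = (
    "icmp 1 29 src=192.168.12.91 dst=194.139.30.62 type=8 code=0 id=12075 "
    "packets=11 bytes=924 [UNREPLIED] src=194.139.30.62 dst=194.139.30.16 "
    "type=0 code=0 id=12075 packets=0 bytes=0 mark=0 use=1"
)
REPLY_LINE = (
    "17:19:23.972164 IP (tos 0x0, ttl 128, id 25050, offset 0, flags [none], "
    "proto: ICMP (1), length: 84) 194.139.30.62 > 194.139.30.16: ICMP echo "
    "reply, id 12075, seq 1, length 64"
)

TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}
ICMP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo "
                     r"(request|reply), id (\d+), seq (\d+)")

def parse_ip_conntrack(line):
    """Split one /proc/net/ip_conntrack line into flags plus the original and
    reply direction tuples (the second 'src=' starts the reply tuple)."""
    fields = line.split()
    entry = {"proto": fields[0], "timeout": int(fields[2]),
             "flags": [], "orig": {}, "reply": {}, "extra": {}}
    direction = None
    for f in fields[3:]:
        if f.startswith("["):
            entry["flags"].append(f.strip("[]"))
            continue
        key, _, value = f.partition("=")
        if key == "src":
            direction = "orig" if direction is None else "reply"
        bucket = entry[direction] if key in TUPLE_KEYS and direction else entry["extra"]
        bucket[key] = int(value) if value.isdigit() else value
    return entry

def parse_tcpdump_icmp(line):
    """Pull src, dst, ICMP type and echo id out of a verbose tcpdump line."""
    m = ICMP_RE.search(line)
    if not m:
        return None
    return {"src": m.group(1), "dst": m.group(2),
            "type": 8 if m.group(3) == "request" else 0, "id": int(m.group(4))}

def diagnose_reply(entry, pkt):
    """Tell whether the captured reply should have matched the entry's reply
    tuple, and whether conntrack actually counted it."""
    reply = entry["reply"]
    if any(reply.get(k) != pkt[k] for k in ("src", "dst", "type", "id")):
        return "reply does not match the reply-direction tuple"
    if "UNREPLIED" in entry["flags"] and reply.get("packets", 0) == 0:
        return "reply matches the reply tuple but conntrack never counted it"
    return "reply matched and was counted"
```

When the second message fires, the reply was delivered somewhere the entry never saw it, which is consistent with the LOG rule showing it in INPUT rather than FORWARD.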