From: Patrick McHardy
Date: Wed, 18 Feb 2009 17:58:28 +0100
To: Alan Stern
CC: netdev@vger.kernel.org, Kernel development list
Subject: Re: [BUG] SNAT sometimes allows packets to pass through unchanged
Message-ID: <499C3E34.7080405@trash.net>

Alan Stern wrote:
> On Mon, 16 Feb 2009, Patrick McHardy wrote:
>
>> The NAT table only sees the first packet of every connection
>> and never INVALID packets. The mangle table should work fine.
>
> I ended up adding a rule to the FORWARD chain of the filter table.
> The trick was to select based on the state. That worked; it saw all
> those un-NATed packets and was able to eliminate them. In case you're
> curious, the rule was essentially this:
>
> iptables -A FORWARD -o eth1 -s 10.0.0.0/8 -m state --state INVALID -j DROP
>
> Ideally, the rule should select all the packets which haven't been
> altered by SNAT, not just the ones marked INVALID. Is there any way to
> do this?

Not in the sense that you could somehow catch valid packets "missed" by
SNAT, that would be a bug. The conntrack match supports matching on
whether the state says that a packet should be NATed.
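An added example, not from the thread or from the netfilter project: a small Python audit that applies the same test the conntrack match's virtual SNAT/DNAT states express (original source versus reply destination, original destination versus reply source) to conntrack entries, and lists connections from 10.0.0.0/8 that carry no SNAT binding. It assumes the /proc/net/nf_conntrack line layout (original tuple first, reply tuple second); the sample lines are constructed.

```python
import ipaddress
import re

# Constructed sample in /proc/net/nf_conntrack layout (not from the thread).
# Entries 1 and 3 were SNATed to 203.0.113.1; entry 2 has no SNAT binding,
# so its reply destination is still the private original source.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=41234 dport=80 src=198.51.100.7 dst=203.0.113.1 sport=80 dport=41234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.9 dst=198.51.100.7 sport=51000 dport=443 [UNREPLIED] src=198.51.100.7 dst=10.0.0.9 sport=443 dport=51000 mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=203.0.113.1 sport=53 dport=5353 mark=0 use=1
"""

# One tuple: src, dst, sport, dport.  An entry has two: original, then reply.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Return (original, reply) tuples from one nf_conntrack line."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuple: %r" % line)
    return tuples[0], tuples[1]

def nat_state(line):
    """Virtual NAT states for an entry, as the conntrack match defines them:
    SNAT if original source != reply destination,
    DNAT if original destination != reply source."""
    (osrc, odst, _, _), (rsrc, rdst, _, _) = parse_entry(line)
    states = []
    if osrc != rdst:
        states.append("SNAT")
    if odst != rsrc:
        states.append("DNAT")
    return states

def unnatted_private(text, net="10.0.0.0/8"):
    """Original sources inside `net` whose entry carries no SNAT binding,
    i.e. connections that would leave with the private address intact."""
    network = ipaddress.ip_network(net)
    hits = []
    for line in text.splitlines():
        osrc = parse_entry(line)[0][0]
        if ipaddress.ip_address(osrc) in network and "SNAT" not in nat_state(line):
            hits.append(osrc)
    return hits
```

On a live box the same functions can be fed the contents of /proc/net/nf_conntrack to spot bindings the SNAT rule never touched.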