From: Steven Kath <steven.kath@vyatta.com>
To: Greg Scott <GregScott@Infrasupport.com>
Cc: netfilter@vger.kernel.org
Subject: RE: Bizarre NAT behavior
Date: Thu, 23 Jun 2011 13:49:08 -0700
Message-ID: <1308862148.1984.24.camel@lt>
In-Reply-To: <925A849792280C4E80C5461017A4B8A2A0404D@mail733.InfraSupportEtc.com>

On Thu, 2011-06-23 at 10:17 -0500, Greg Scott wrote:
> Why would NATing in both PREROUTING and POSTROUTING
> work **only** when I watch it with tcpdump and not work otherwise?
tcpdump by default will put the interface into promiscuous mode, so that
it will not automatically discard frames with a unicast ethernet
destination address which does not match the MAC address of the
interface. If traffic passes with tcpdump running but not without it,
it's likely related to the destination ethernet addresses. That would
be a layer 2/bridging problem more than a NAT/iptables problem.

If promiscuous mode is the factor that allows traffic to pass, a cheap
hack would be to force the interface into promiscuous mode without
tcpdump with "ip link set <dev> promisc on".

I'd gather this information to try to understand the problem better:

tcpdump -e -i <dev> [filters...]
(-e: Print the link-level header on each dump line.)

tcpdump -e -i <dev> -p [filters...]
(-p: Don't put the interface into promiscuous mode.)

If frames are visible when running in promiscuous mode which aren't
visible when running with -p, note the destination ethernet address of
those frames and compare it against the outputs from "ip link" and
"brctl showmacs <brdev>". They're likely coming in a port which
considers that destination address foreign.
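The comparison described in the last paragraph can be scripted. The following is an added example, not code from Steven Kath's reply or from any project: it takes the destination MAC of every frame in a "tcpdump -e" capture and sorts it into broadcast, multicast, local (present in "ip link" or "brctl showmacs" output) or foreign. Frames whose destination comes out as "foreign" are exactly the unicast frames a non-promiscuous interface would drop, so they are the ones that appear only while tcpdump runs. The capture lines, the interface MAC and the bridge MAC list are all constructed sample data (a real run would feed in the actual command outputs); nothing here touches an interface.

```shell
#!/bin/sh
# Added example, not from the original mail: classify the destination MAC of
# each frame in a "tcpdump -e" capture against the MACs local to the host or
# bridge. "foreign" destinations are the frames that only pass while the
# interface is promiscuous. All input below is constructed sample data.

# Constructed sample output of "tcpdump -e -i <dev>" (promiscuous mode).
SAMPLE_TCPDUMP='12:00:00.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 98: 10.0.0.2 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ff, ethertype IPv4 (0x0800), length 98: 10.0.0.2 > 192.168.1.11: ICMP echo request, id 1, seq 2, length 64
12:00:00.000003 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2, length 28
12:00:00.000004 00:11:22:33:44:55 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 10.0.0.2 > 224.0.0.1: igmp query v2'

# Constructed: the "link/ether" address that "ip link show <dev>" would print.
LOCAL_MACS='00:aa:bb:cc:dd:ee'
# Constructed: addresses "brctl showmacs <brdev>" would list with "is local? yes".
BRIDGE_LOCAL_MACS='00:aa:bb:cc:dd:ee 00:aa:bb:cc:dd:01'

# Extract the destination MAC from each "tcpdump -e" line. With -e a line
# starts "<time> <src-mac> > <dst-mac>, ethertype ...", so the destination is
# the 4th whitespace-separated field minus its trailing comma.
dest_macs() {
    printf '%s\n' "$1" | awk '{ sub(/,$/, "", $4); print $4 }'
}

# Classify one destination MAC as broadcast, local, multicast or foreign.
classify_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if [ "$mac" = "ff:ff:ff:ff:ff:ff" ]; then
        echo broadcast
        return
    fi
    for known in $LOCAL_MACS $BRIDGE_LOCAL_MACS; do
        if [ "$known" = "$mac" ]; then
            echo local
            return
        fi
    done
    # Group (multicast) addresses have the low bit of the first octet set,
    # i.e. an odd second hex digit; the NIC accepts those via its multicast
    # filter rather than by unicast address match.
    first_octet=$(printf '%s' "$mac" | cut -d: -f1)
    case "$first_octet" in
        *[13579bdf]) echo multicast; return ;;
    esac
    echo foreign
}

# Print each distinct destination MAC that no local interface would accept
# without promiscuous mode.
foreign_dests() {
    dest_macs "$1" | sort -u | while read -r dst; do
        if [ "$(classify_mac "$dst")" = "foreign" ]; then
            echo "$dst"
        fi
    done
}

# Run on the constructed capture when executed directly.
foreign_dests "$SAMPLE_TCPDUMP"
```

On a real host the two constructed lists would be replaced by the "link/ether" line from "ip link show <dev>" and the "is local? yes" rows of "brctl showmacs <brdev>", and the capture by the output of the promiscuous "tcpdump -e" run; any address the script reports as foreign identifies the frames to chase at layer 2.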