From: "John Meissen" <john@meissen.org>
To: netfilter@vger.kernel.org
Subject: Changing default route causes packet drop
Date: Mon, 05 Jul 2010 02:03:26 -0700
Message-ID: <20100705090326.BF7B134502@john>
I'm not sure if this is the right place to ask, or if it's even the right
question. Hopefully someone can point me in the right direction.
I had a traditional setup with two ethernet interfaces on my Linux box
(WAN=eth0/LAN=eth1), and NATting the traffic that was forwarded between them.
I added another interface (eth2), and simply want to change the default
routing to go through it. I'm leaving various services listening on all
interfaces.
If I change the default route to use eth2, I can route from the internal
network to the outside just fine, and I can connect from the internal net
to services on the system fine. But incoming connections on the original
WAN (eth0) don't complete. They hang at SYN_RECV, as if I had a DROP rule.
I.e., what used to be
internal <-> (eth1) gateway forward (eth0) <-> WAN
internal <-> (eth1) gateway local service
gateway local service (eth0) <-> WAN
is now
internal <-> (eth1) gateway forward (eth2) <-> WAN
internal <-> (eth1) gateway local service
but
gateway local service (eth0) <-> WAN
now drops connection attempts.
I don't see what difference there should be between eth0 and eth1, except
that eth0 isn't forwarded. That shouldn't affect connections to processes
listening on that interface.
I've tried to keep the iptables config simple for this. The only change I'm
making is changing the default route with the 'route' command.
# iptables -L -v -n
Chain INPUT (policy ACCEPT 63555 packets, 73M bytes)
 pkts bytes target prot opt in   out source    destination
   11 3626  ACCEPT udp  --  eth1 *   0.0.0.0/0 0.0.0.0/0   udp spt:68 dpt:67
    0    0  ACCEPT tcp  --  eth1 *   0.0.0.0/0 0.0.0.0/0   tcp spt:68 dpt:67
    0    0  ACCEPT udp  --  eth1 *   0.0.0.0/0 0.0.0.0/0   udp spt:67 dpt:68
    0    0  ACCEPT tcp  --  eth1 *   0.0.0.0/0 0.0.0.0/0   tcp spt:67 dpt:68
 1937 127K  ACCEPT udp  --  eth1 *   0.0.0.0/0 0.0.0.0/0   udp dpt:53
    0    0  ACCEPT tcp  --  eth1 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:53

Chain FORWARD (policy ACCEPT 39362 packets, 42M bytes)
 pkts bytes target prot opt in   out source          destination
31533 2844K ACCEPT all  --  *    *   192.168.10.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 42150 packets, 5745K bytes)
 pkts bytes target prot opt in   out source    destination
and
# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 859K packets, 57M bytes)
 pkts bytes target     prot opt in   out source          destination

Chain POSTROUTING (policy ACCEPT 584K packets, 46M bytes)
 pkts bytes target     prot opt in   out source          destination
 755K  72M  MASQUERADE all  --  *    *   192.168.10.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1015K packets, 100M bytes)
 pkts bytes target     prot opt in   out source          destination
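An added example, not from this thread and not the poster's configuration. On Linux a single routing table chooses the outgoing interface by destination only, so once the default route points at eth2, the SYN-ACK for a connection that arrived on eth0 is sent out eth2 carrying eth0's source address; whether that is what is happening in this message is not established here, but the standard way to keep eth0-sourced replies on eth0 is source-based policy routing. The addresses (RFC 5737 documentation ranges), gateways and table number below are assumptions; the `run` wrapper prints the commands instead of executing them when DRY_RUN=1, so the script can be reviewed without root or real interfaces.

```shell
#!/bin/sh
# Source-based policy routing: packets sourced from eth0's address use a
# routing table whose default route is eth0's gateway; everything else
# keeps following the main table's default route via eth2.
# All addresses, gateways and the table number are assumed values.
set -eu

WAN0_IF=eth0
WAN0_ADDR=203.0.113.10   # assumed address configured on eth0
WAN0_GW=203.0.113.1      # assumed upstream gateway on eth0
WAN2_IF=eth2
WAN2_GW=198.51.100.1     # assumed upstream gateway on eth2
TABLE=100                # assumed free routing table number

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # Main table: the new default route via eth2, as in the post.
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF"
    # Separate table whose only job is "default via the old eth0 gateway".
    run ip route replace default via "$WAN0_GW" dev "$WAN0_IF" table "$TABLE"
    # Anything sourced from eth0's address (e.g. the SYN-ACK answering a
    # SYN that arrived on eth0) is looked up in that table first.
    run ip rule add from "$WAN0_ADDR" lookup "$TABLE" priority 100
    # Drop any cached routing decisions made before the rule existed.
    run ip route flush cache
}

# Ask the kernel which interface a reply sourced from eth0's address would
# leave on; after setup the answer should name eth0, not eth2.
check_reply_path() {
    run ip route get "$1" from "$WAN0_ADDR"
}

if [ "${1:-}" = apply ]; then
    setup_policy_routing
    check_reply_path 192.0.2.1   # 192.0.2.1: arbitrary assumed remote host
fi
```

Run it as `sh policy-route.sh apply` on the gateway, or with `DRY_RUN=1` first to see the exact `ip` commands. The rule keys on the source address rather than the interface because the reply is generated locally and has no input interface; the address the kernel picked for the socket is what identifies the path it should take back out.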
Thread overview: 4+ messages
2010-07-05 9:03 John Meissen [this message]
2010-07-05 10:06 ` Changing default route causes packet drop Gáspár Lajos
2010-07-07 14:23 ` Pascal Hambourg
2010-07-07 16:35 ` John Meissen