Linux Netfilter discussions
From: Manu <manuprivat@gmx.de>
To: netfilter@vger.kernel.org
Subject: SNAT problem
Date: Wed, 01 Jul 2009 12:00:28 +0200
Message-ID: <4A4B33BC.9030900@gmx.de>

Hello netfilter-list,

I have an issue with iptables and SNAT:
There is a NAT gateway between the internet (eth0) and the LAN (eth2), which is
used by 200 people.
I have 200 fixed internet IPs, which are DNATted and SNATted for
communication with the internet:

iptables version: iptables v1.4.3.2
kernel: 2.6.23.9

NAT table:

Chain PREROUTING (policy ACCEPT 37177 packets, 3389K bytes)
pkts bytes target     prot opt in     out     source               destination
   5   211 DNAT       all  --  eth0   *       0.0.0.0/0            80.xx.xxx.1         to:10.0.1.2
   7   684 DNAT       all  --  eth0   *       0.0.0.0/0            80.xx.xxx.10        to:10.0.10.2
   7   352 DNAT       all  --  eth0   *       0.0.0.0/0            80.xx.xxx.100       to:10.0.100.2
...

Chain POSTROUTING (policy ACCEPT 14096 packets, 1201K bytes)
pkts bytes target     prot opt in     out     source               destination
   0     0 SNAT       all  --  *      eth0    10.0.1.2             0.0.0.0/0           to:80.xx.xxx.1
   6   288 SNAT       all  --  *      eth0    10.0.10.2            0.0.0.0/0           to:80.xx.xxx.10
   0     0 SNAT       all  --  *      eth0    10.0.100.2           0.0.0.0/0           to:80.xx.xxx.100
...

The problem is, there are packets which are not SNATted:
# tcpdump -i eth0 -vvn | grep "10\.0\."
tcpdump: listening on eth0
11:24:50.553928 10.0.113.2.37295 > 19.6.34.13.61201: FP 872115062:872115483(421) ack 2241938025 win 65535 (DF) (ttl 63, id 22860, len 461)
11:24:54.558253 10.0.113.2.52741 > 129.13.233.195.80: F [tcp sum ok] 1253290637:1253290637(0) ack 3260788409 win 33304 <nop,nop,timestamp 1037069524 3028764969> (DF) (ttl 63, id 8213, len 52)
11:24:54.580499 10.0.113.2.52521 > 91.18.174.3.80: F [tcp sum ok] 2182856414:2182856414(0) ack 4017845595 win 33304 <nop,nop,timestamp 1037069524 1576465996> (DF) (ttl 63, id 39286, len 52)
11:25:50.282005 10.0.190.2.1036 > 74.125.43.104.80: F [tcp sum ok] 0:0(0) ack 1 win 65129 (DF) (ttl 127, id 11722, len 40)
11:27:15.940457 10.0.12.2.1346 > 195.186.17.34.80: FP 515820442:515820987(545) ack 3832399077 win 65535 (DF) (ttl 127, id 6881, len 585)
11:27:15.941419 10.0.12.2.1344 > 195.186.17.34.80: FP 3713984614:3713985159(545) ack 3897104309 win 65535 (DF) (ttl 127, id 6882, len 585)
....

What could be the reason for ignoring the SNAT rule?!
Could the performance (CPU, memory) of the gateway be the reason for the problem?
CPU:800MHz
RAM: 256MB

from /proc :
# cat ip_conntrack_max
16384
# cat ip_conntrack_count
1298
# cat ip_conntrack_buckets
4096
# cat ip_conntrack_udp_timeout
30
# cat ip_conntrack_tcp_loose
1


Any help will be very appreciated!
Thx in advance!

Manu
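The triage a reader of this thread would do on the capture above, as an added example that is not part of Manu's post or of any reply: a small Python parser for the old tcpdump "src.port > dst.port: FLAGS" line format that flags packets leaving the external interface with an RFC 1918 source and sorts them into two classes. A SYN with a private source is a new connection that the POSTROUTING SNAT rule simply did not match, so the rule set is what to inspect. A FIN, RST or data-only packet with a private source almost always means there was no conntrack entry for it: NAT is decided on a connection's first packet, and a packet that belongs to no tracked connection is INVALID and never traverses the nat table. Every line in the post is of the second kind. The sample input is constructed: the first four lines are copied from the post, the last two (a correctly translated SYN from the TEST-NET-3 placeholder 203.0.113.10, and an untranslated SYN from 10.0.10.2) are made up for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first four lines are copied from the post, the last
# two are made up (203.0.113.10 is a TEST-NET-3 placeholder for a correctly
# SNATted source; 10.0.10.2 sending a SYN stands for a rule that never matched).
SAMPLE_TCPDUMP = """\
11:24:50.553928 10.0.113.2.37295 > 19.6.34.13.61201: FP 872115062:872115483(421) ack 2241938025 win 65535 (DF) (ttl 63, id 22860, len 461)
11:24:54.558253 10.0.113.2.52741 > 129.13.233.195.80: F [tcp sum ok] 1253290637:1253290637(0) ack 3260788409 win 33304 <nop,nop,timestamp 1037069524 3028764969> (DF) (ttl 63, id 8213, len 52)
11:25:50.282005 10.0.190.2.1036 > 74.125.43.104.80: F [tcp sum ok] 0:0(0) ack 1 win 65129 (DF) (ttl 127, id 11722, len 40)
11:27:15.940457 10.0.12.2.1346 > 195.186.17.34.80: FP 515820442:515820987(545) ack 3832399077 win 65535 (DF) (ttl 127, id 6881, len 585)
11:28:01.000000 203.0.113.10.40000 > 74.125.43.104.80: S 1:1(0) win 5840 <mss 1460> (DF) (ttl 63, id 1, len 60)
11:28:02.000000 10.0.10.2.40001 > 74.125.43.104.80: S 2:2(0) win 5840 <mss 1460> (DF) (ttl 127, id 2, len 60)
"""

# Old (pre-4.0) tcpdump TCP line: "HH:MM:SS.us src.sport > dst.dport: FLAGS ..."
# FLAGS is a run of S/F/P/R/U/E/W letters, or "." for a bare ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRUEW.]+) "
)

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# counts documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(flags, src):
    """Verdict for one packet seen on the external interface."""
    if not is_rfc1918(src):
        return "translated"           # public source: SNAT did its job
    if "S" in flags:
        return "leak-new-connection"  # first packet, so the SNAT rule did not match
    return "leak-no-conntrack"        # FIN/RST/data with no conntrack entry: INVALID, never NATed


def parse_tcpdump(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # not a TCP line in the expected format
        rec = m.groupdict()
        rec["verdict"] = classify(rec["flags"], rec["src"])
        records.append(rec)
    return records


def summarize(records):
    """Count verdicts and list the internal hosts whose packets escaped untranslated."""
    by_verdict = Counter(r["verdict"] for r in records)
    leaking = {r["src"] for r in records if r["verdict"].startswith("leak")}
    return by_verdict, sorted(leaking, key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_TCPDUMP)
    counts, hosts = summarize(recs)
    for r in recs:
        print(f"{r['ts']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"[{r['flags']}] {r['verdict']}")
    print(dict(counts), hosts)
```

Run it against a saved `tcpdump -i eth0 -vvn` capture instead of the constructed sample to see the split. Packets in the "leak-no-conntrack" class are the ones netfilter marks INVALID, and the usual defensive answer is to drop them before they reach the wire (`iptables -A FORWARD -m state --state INVALID -j DROP`, placed before any ACCEPT rules) rather than let private addresses escape; the counters in the post (ip_conntrack_count 1298 against ip_conntrack_max 16384 at the moment sampled) make a full conntrack table an unlikely cause. Packets in the "leak-new-connection" class point at the nat table itself, since a SYN does traverse POSTROUTING.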


Thread overview: 4+ messages
2009-07-01 10:00 Manu [this message]
  -- strict thread matches above, loose matches on Subject: below --
2010-08-22 18:35 SNAT problem Yevgeny Kosarzhevsky
2010-08-22 21:12 ` Pascal Hambourg
     [not found]   ` <4C8C9C9C.2010005@pisem.net>
2010-09-13  9:10     ` Pascal Hambourg