From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Ramdom NAT drop
Date: Wed, 21 Oct 2009 23:19:07 +0200 [thread overview]
Message-ID: <4ADF7ACB.8080203@chello.at> (raw)
In-Reply-To: <034DEBCAE934A74991E6E76B8DA72D14185DD509C1@HSSBS.holdstead.local>
Gary Smith wrote:
>> I would also expect to see this, but I don't think the packet is even
>> making it to the filter section. I have logging for anything dropped
>> and yet nothing is coming in from originating IP's that are affected.
>> I will probably do something painful and put more logging in the chains
>> to see if I can better catch the problem. The only issue I have is
>> that the problem is random.
>>
>> I will definitely look for that though.
>>
>
>
> Included is the rule that I think is being randomly ignored.
>
> -A PREROUTING -d 208.46.23.38 -j DNAT --to-destination 10.80.65.38
>
> This is in effect. So I believe that I should never see a hit in the INPUT chain for this rule since all requests are being forwarded to the 10.80.65.38 IP address. Only 10.80.0.0/16 are local.
>
> I expcted to see this rule as the forward is indeed happening (basically we logged all traffic prior to this rule to generate the hit:
>
> Oct 21 13:33:35 hsoakfiw01c kernel: FW-F-443: IN=eth1 OUT=eth0 SRC=116.250.48.135 DST=10.80.65.38 LEN=1050 TOS=0x00 PREC=0x00 TTL=102 ID=30940 DF PROTO=TCP SPT=2374 DPT=80 WINDOW=32768 RES=0x00 ACK PSH URGP=0
>
> The INPUT catch had a rule to log all traffic coming in as well, which is where we picked up this hit:
>
> Oct 21 13:31:01 hsoakfiw01c kernel: FW-I: IN=eth1 OUT= MAC=00:0c:29:9c:88:9b:00:13:c3:d7:a3:68:08:00 SRC=189.162.111.146 DST=208.46.23.38 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=16396 DF PROTO=TCP SPT=3552 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
>
> So, am I wrong in thinking that external traffic forwarded in via NAT should never hit the INPUT chain and go straight to FORWARD chain, or is my problem something else completely?
>
>
>
From a request few days ago 'Re: FIN packets not getting NAT-ed',
Pascal Hambourg answered:
Dhyanesh Ramaiya a écrit :
> >
> > I have setup a Linux firewall on the edge of the network and doing SNAT for
> > internal IPs. When I sniff on external interface for internal source IPs,I
> > am seeing FIN packets from internal IPs going out without being NAT-ed.
>
> These packets are probably classified in the INVALID state by the
> connection tracking. Such packets are ignored by the NAT. A reason may
> be that they belong to old connections the connection tracking has
> forgotten about or considers already closed.
>
> Does your rulest DROP outgoing packets in the INVALID state ?
Maybe it's the same thing just with DNAT at your end.
next prev parent reply other threads:[~2009-10-21 21:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-14 0:12 Ramdom NAT drop Gary Smith
2009-10-20 14:39 ` Gary Smith
2009-10-21 6:15 ` Anatoly Muliarski
2009-10-21 15:35 ` Gary Smith
2009-10-21 7:55 ` Mart Frauenlob
2009-10-21 15:40 ` Gary Smith
2009-10-21 20:33 ` Gary Smith
2009-10-21 21:19 ` Mart Frauenlob [this message]
2009-10-21 21:52 ` Gary Smith
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4ADF7ACB.8080203@chello.at \
--to=mart.frauenlob@chello.at \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox