From: Pascal Hambourg <pascal@plouf.fr.eu.org>
To: Vigneswaran R <vignesh@atc.tcs.com>
Cc: "Ethy H. Brito" <ethy.brito@inexo.com.br>,
netfilter <netfilter@vger.kernel.org>
Subject: Re: randomly SNATed devices after reboot
Date: Fri, 16 May 2014 21:01:53 +0200
Message-ID: <537660A1.9060907@plouf.fr.eu.org>
In-Reply-To: <53759AB5.6050101@atc.tcs.com>
Hello,
Vigneswaran R wrote:
> On 05/15/2014 07:12 PM, Ethy H. Brito wrote:
>> Hi All
>>
>> I have this setup in which there are lots of static IPs "SNATed" IP-Phones
>> behind a Linux machine. A very simple NAT machine. Just one SNAT rule for the
>> phones' network.
>>
>> At every Linux machine reboot, some of those phones, randomly, simply do not
>> register at some outside-nat SIP server.
>>
>> Investigating with tcpdump I can see, at the external interface, "not snated"
>> packets from those not registered phones. Packets from the other phones are
>> correctly "snatted".
>
> Maybe some phones are trying to register via ESTABLISHED connections
> which are not getting SNATed. So, the registration fails.
Not ESTABLISHED (that would require return traffic), but existing (NEW).
If a phone sends a SIP packet before the SNAT rule is active, then the
whole SIP flow, including further packets, will not be SNATed until the
related conntrack entry expires. Expiration never happens if the sending
period is shorter than the UDP conntrack expiration delay.
If you don't want this to happen, just DROP all FORWARDed traffic until
the SNAT rule is active.
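As an added illustration of the ordering Pascal describes (this script is not part of the thread and not anyone's production configuration), the sketch below brings a NAT gateway up so that conntrack never sees a forwarded packet before the SNAT rule exists: FORWARD is set to DROP first, the SNAT rule is installed, any entries created in the gap are flushed (an entry created without a NAT binding keeps that binding for its whole lifetime, which is exactly the symptom reported), and only then is forwarding opened. The addresses and interface names are placeholders, and the `IPT`, `CT` and `SYSCTL` variables exist only so the sequence can be dry-run with `echo`.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values: phones on
# 192.0.2.0/24 behind eth1, public side eth0 with address 198.51.100.1.
set -e

IPT="${IPT:-iptables}"        # set IPT="echo iptables" for a dry run
CT="${CT:-conntrack}"         # conntrack-tools; same override idea
SYSCTL="${SYSCTL:-sysctl}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
SNAT_TO="${SNAT_TO:-198.51.100.1}"

nat_startup() {
    # 1. Refuse to forward anything until the NAT table is complete.
    #    A packet forwarded now would create a conntrack entry with no
    #    SNAT binding, and that entry would survive as long as the phone
    #    keeps retransmitting faster than the UDP conntrack timeout.
    $IPT -P FORWARD DROP
    $SYSCTL -w net.ipv4.ip_forward=0

    # 2. Install the SNAT rule for the phones' network.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$SNAT_TO"

    # 3. Discard any entries that slipped in before step 2, so that the
    #    next packet of every flow is seen as NEW and gets the SNAT binding.
    $CT -F

    # 4. Only now open forwarding: phones outbound, replies inbound,
    #    policy stays DROP for everything else.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Apply for real only when asked: ./nat-up.sh apply
if [ "${1:-}" = "apply" ]; then
    nat_startup
fi
```

Run it with `IPT="echo iptables" CT="echo conntrack" SYSCTL="echo sysctl" ./nat-up.sh apply` to print the command sequence without touching the kernel; the point to check is that the SNAT rule and the conntrack flush both appear before the first FORWARD ACCEPT rule.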