raido wrote:
> Hi!
>
>> external IP addresses: [A], [B]
>> internal IP address: [C] - not the NAT box
>>
>> I want all udp port 53 traffic from [A]->[C] and from [B]->[C]. So I set
>> up the following rules
>>
>> When the packet comes over interface [B], it also gets to the PREROUTING
>> chain, but it never gets to the FORWARD chain and thus never even gets
>> to [C]. It just disappears into thin air. My routing seems correct..
>>
>> PS. kernel 2.6.7, iptables 1.2.9
>
> I wrote a few days ago about my problem, which seems to be alike, in this list. I
> have the same configuration and I need to DNAT all traffic from [A] to [C], and
> packets also disappear in the PREROUTING chain. I also have the 2.6.7 kernel and
> iptables 1.2.9. Next I plan to upgrade to iptables 1.2.10. If this does not
> help, maybe it is time to make a bug report?

Upgrading iptables to 1.2.11 did not help.

The problem appears to be that the rp_filter ate the packets. It thought that
these packets were rogue packets. Anyway, when I disabled rp_filter, the packets
started flowing, but then there was the problem of reply packets being sent out
from the wrong interface. That is,

  (IN)  [B] -> [C]
  (OUT) [C] -> [A]   instead of [B].

To solve this, set up two IP addresses at the [C] machine (C and C'). Packets
from one interface went to [C] and packets from the other interface ([B]) went
to C'.

To re-enable rp_filter and not lose packets, I had to set up a routing rule for
packets coming *from* the C' interface. I think the kernel will look at the
routing and say "Hey, you want to route B->C', but there is no rule for C' to
get back to B" and it just discards packets before they get to the FORWARD
chain. So I added

  ip rule add from C' table second_interface_routing_table

where the second interface routing table has the default route [B], not [A].

Now *everything* works. Only took me about 20 hours to figure that out!! :)

Anyway, I guess one cannot route [A]->[C] and [B]->[C] directly. The kernel does
not keep track by itself where the reply should be sent in that configuration,
unless someone could tell me how that could work.

- Adam

PS. There was also a problem at C with packets. Packets routed to C' were
replied to as though they came from C. The solution is to have two daemons, one
bound to C and another to C'. If the daemon was bound to 0.0.0.0, it replied
with the default address (kernel 2.4.27-rc3).

PPS. Not on the list, so please CC me.

--
Building your applications one byte at a time
http://www.galacticasoftware.com
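The NAT-box setup Adam describes (per-uplink DNAT to C and C', a second routing table whose default route leaves via [B], and an ip rule keyed on the C' source so rp_filter's reverse-path check succeeds), written out as an added example rather than anything posted in the thread. All addresses, interface names and the table number are placeholders I chose, not values from the thread.

```bash
#!/bin/bash
# Added example, not from the original thread. Placeholder values throughout.
set -eu

IF_A="eth0"; GW_A="198.51.100.1"   # uplink carrying external address [A]
IF_B="eth1"; GW_B="203.0.113.1"    # uplink carrying external address [B]
IF_C="eth2"                         # internal interface towards the DNS host
C="192.168.1.10"                    # [C]  : serves traffic that arrived via [A]
C_PRIME="192.168.1.11"              # [C'] : serves traffic that arrived via [B]
TABLE_B=101                         # assumed id for second_interface_routing_table

# Execute a command, or just echo it when DRY_RUN is set so the plan can be
# reviewed (or tested) without touching the kernel's routing or netfilter state.
run() { if [ "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

nat_box_config() {
    # 1. DNAT UDP/53 per ingress interface to the matching internal address.
    run iptables -t nat -A PREROUTING -i "$IF_A" -p udp --dport 53 -j DNAT --to-destination "$C"
    run iptables -t nat -A PREROUTING -i "$IF_B" -p udp --dport 53 -j DNAT --to-destination "$C_PRIME"
    # 2. FORWARD sees the post-DNAT destination; allow the queries and their replies.
    run iptables -A FORWARD -i "$IF_A" -o "$IF_C" -d "$C" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$IF_B" -o "$IF_C" -d "$C_PRIME" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$IF_C" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Second table whose default route leaves via [B], not [A].
    run ip route add default via "$GW_B" dev "$IF_B" table "$TABLE_B"
    # 4. Replies from C' are routed before conntrack rewrites their source back to
    #    [B], so keying the rule on C' sends them out the [B] uplink; the same
    #    lookup is what rp_filter uses for the reverse path of [B]->[C'].
    run ip rule add from "$C_PRIME" table "$TABLE_B"
    run ip route flush cache
    # 5. rp_filter can stay enabled now that the reverse path is consistent.
    run sysctl -w "net.ipv4.conf.$IF_B.rp_filter=1"
    # On the internal host, bind one DNS daemon to C and one to C' (not 0.0.0.0)
    # so each reply leaves with the address the query was sent to.
}

DRY_RUN=1 nat_box_config
```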