NAT/POSTROUTING rules don't match packets

Hi,

I have been having problems with this for some time now. Some packets are not 
processed correctly by iptables. This applies only to the POSTROUTING chain in 
the NAT table. 

I have an internal network addressed 10.0.0.0/24.
Initially, I wanted all packets that go out of my network to a remote port 
4569 to be SNAT-ed to the address 1.2.3.4. But when I set up such a rule for 
iptables:

$IPT -t nat -A POSTROUTING -p udp --destination-port 4569 -o eth1 -j SNAT --to-source 1.2.3.4

when I ran tcpdump, I noticed that on my external interface (eth1) the packets had 
the source address of the originating machine (10.0.0.7).

So I did some tests and found out that rules in the POSTROUTING chain don't 
always work as expected. In the following experiment, I put exactly the same 
rules in NAT/PREROUTING, NAT/POSTROUTING, MANGLE/PREROUTING and 
MANGLE/POSTROUTING:

$IPT -t mangle -A PREROUTING -p udp --destination-port 4569 -j LOG
$IPT -t mangle -A POSTROUTING -p udp --destination-port 4569 -j LOG
$IPT -t nat -A PREROUTING  -p udp -m udp --destination-port 4569 -j LOG
$IPT -t nat -A POSTROUTING  -p udp -m udp --destination-port 4569 -j LOG

Apparently all the rules EXCEPT the one in the NAT/POSTROUTING chain seem to 
work. Below are the numbers of packets that matched these rules. As you can 
see, the last chain has counter 0 and the other three were matched by 23 
packets. 

I really have no clue what the reason for this could be; maybe it's a bug in the 
netfilter code? I would appreciate any help.

Marek

P.S. Iptables 1.3.3, kernel 2.6.15 (both compiled from sources)



irongate:~# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 1681K packets, 495M bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1134 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569 LOG flags 0 level 4

Chain POSTROUTING (policy ACCEPT 1630K packets, 478M bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1134 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569 LOG flags 0 level 4


irongate:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 223K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569 LOG flags 0 level 4

Chain POSTROUTING (policy ACCEPT 263 packets, 16175 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569 LOG flags 0 level 4
  116  6546 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:192.168.100.3
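The post does not say why a nat-table rule can sit at a zero counter while the identical mangle-table rule counts 23 packets, so here is an added diagnostic script; it is not from the original message and not from the netfilter project. It rests on two facts about netfilter: the nat table is consulted only for the first packet of each connection that conntrack sees, and every later packet of a tracked flow (including a flow that was already tracked before the rule was added) is translated from the stored binding and never traverses nat rules at all; and SNAT is a terminating target, so a port-specific rule appended with -A behind an existing catch-all `SNAT ... -o eth1` is never reached by a new flow either. The nat listing below is the one from the post; the conntrack entries, the 203.0.113.x peers and the function names are constructed for the example, and `snat_fix` needs root on the router and is not run here.

```shell
#!/bin/sh
# Added diagnostic for "nat POSTROUTING rule never matches" (not from the post).
# Assumes a Linux router with iptables and the conntrack-tools `conntrack`
# binary; snat_fix must run as root and is deliberately not invoked below.

# Constructed from the post's `iptables -t nat -nvL` output.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 223K packets, 23M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569 LOG flags 0 level 4

Chain POSTROUTING (policy ACCEPT 263 packets, 16175 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:4569 LOG flags 0 level 4
  116  6546 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:192.168.100.3'

# Constructed entries in /proc/net/ip_conntrack format (2.6 kernels). The UDP
# flow's reply tuple still points at 10.0.0.7: conntrack created it with no
# SNAT binding, so its packets leave eth1 un-NATed and skip the nat table.
# The TCP flow was NATed to 192.168.100.3 by the catch-all rule.
SAMPLE_CONNTRACK='udp      17 175 src=10.0.0.7 dst=203.0.113.9 sport=4569 dport=4569 src=203.0.113.9 dst=10.0.0.7 sport=4569 dport=4569 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.20 sport=51712 dport=22 src=203.0.113.20 dst=192.168.100.3 sport=22 dport=51712 [ASSURED] use=1'

# zero_hit_rules: read `iptables -t <table> -nvL` on stdin and print
# "CHAIN TARGET MATCHSPEC" for every rule whose packet counter is 0.
zero_hit_rules() {
    awk '
        /^Chain /  { chain = $2; next }
        /^ *pkts / { next }
        NF == 0    { next }
        $1 == 0 {
            spec = ""
            for (i = 10; i <= NF; i++) spec = spec (i > 10 ? " " : "") $i
            print chain, $3, spec
        }'
}

# catchall_snat_position: rule number of the first SNAT rule in POSTROUTING
# with no protocol/port match ("all"); rules appended after it for the same
# interface are dead because SNAT terminates traversal. Prints 0 if none.
catchall_snat_position() {
    awk '
        /^Chain /  { inchain = ($2 == "POSTROUTING"); n = 0; next }
        /^ *pkts / { next }
        NF == 0    { next }
        inchain    { n++ }
        inchain && $3 == "SNAT" && $4 == "all" { print n; found = 1; exit }
        END        { if (!found) print 0 }'
}

# unnated_flows_to_port PORT: read a conntrack table on stdin and print the
# tracked flows to PORT whose reply destination equals the original source,
# i.e. flows that received no SNAT binding when they were first seen.
unnated_flows_to_port() {
    awk -v port="$1" '
        {
            ns = 0; nd = 0; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) src[++ns] = substr($i, 5)
                if ($i ~ /^dst=/) dst[++nd] = substr($i, 5)
                if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
            }
            if (dport == port && dst[2] == src[1])
                print src[1], "->", dst[1], "dport", dport, "NOT-SNATed"
        }'
}

# snat_fix PORT EXT_IF SNAT_IP: corrective sequence for the router (root).
# Insert ahead of the catch-all with -I, then drop the stale conntrack entries
# so the next packet of each flow is again "first" and traverses the nat table.
snat_fix() {
    port=$1; ext_if=$2; snat_ip=$3
    iptables -t nat -I POSTROUTING 1 -o "$ext_if" -p udp --dport "$port" \
        -j SNAT --to-source "$snat_ip"
    # Narrow deletion; `conntrack -F` would drop state for every connection.
    conntrack -D -p udp --dport "$port"
    # The counter now rises once per new flow, not once per packet.
    iptables -t nat -nvL POSTROUTING
}

# Off-line demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NAT_LISTING" | zero_hit_rules
printf 'catch-all SNAT is rule %s\n' "$(printf '%s\n' "$SAMPLE_NAT_LISTING" | catchall_snat_position)"
printf '%s\n' "$SAMPLE_CONNTRACK" | unnated_flows_to_port 4569
```

In the listing above both nat-table LOG rules read 0 while both mangle-table rules read 23, which is exactly the pattern this produces: the 23 packets belong to a flow conntrack already knew about, and the mangle table is traversed by every packet while the nat table is not. On a live router, `cat /proc/net/ip_conntrack | ./script` style piping into `unnated_flows_to_port 4569` shows whether such a stale entry exists before any rule is blamed; deleting only the affected entries is preferable to `conntrack -F`, which also discards the state that `-m state --state ESTABLISHED` filter rules rely on.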
