Re: Why would certain packets not reach nat PREROUTING chain?

On Thu, 17 Nov 2005, Adam Rosi-Kessel wrote:

> > > I'm running kernel 2.6.8-2-k7 from Debian Stable, iptables v1.2.11.
> > Try to upgrade to a newer kernel.
>
> I guess I'd do this as a last resort. I'm trying to keep the system in
> question on Debian Stable if possible. Is there reason to think a kernel
> upgrade would just fix it?

Just as a last resort. But the problem is so strange, I can't recall any
patch related to such a behaviour.

> Here are my logs below--showing everything as you suggested. IP and MAC
> addresses are replaced with descriptive names, but otherwise this is
> exactly what appears in my logs.

> # grep 500 /proc/net/ip_conntrack
> udp      17 163 src=LOCAL_CLIENT dst=SERVER sport=500 dport=500 src=SERVER dst=EXTERNAL_IP_OF_NAT_BOX sport=500 dport=500 [ASSURED] use=1
>
> # grep Mangle /var/log/syslog | sed "s/^.*kernel: //g"
>
> Mangle Prerouting:IN=eth1 OUT= MAC=ETH1_MAC SRC=LOCAL_CLIENT DST=SERVER LEN=1584 TOS=0x00 PREC=0x00 TTL=128 ID=50876 PROTO=UDP SPT=500 DPT=500 LEN=1564
>
> Mangle Postrouting:IN= OUT=eth0 SRC=LOCAL_CLIENT DST=SERVER LEN=1500 TOS=0x00 PREC=0x00 TTL=127 ID=50876 MF PROTO=UDP SPT=500 DPT=500 LEN=1564
>
> Mangle Prerouting:IN=eth0 OUT= MAC=ETH0_MAC SRC=SERVER DST=EXTERNAL_IP_OF_NAT_BOX LEN=2288 TOS=0x00 PREC=0x00 TTL=55 ID=63908 PROTO=UDP SPT=500 DPT=500 LEN=2268

So at least we know the packets are seen by the mangle table. As you tried
previously to match them with the 'INVALID' state and it proved to be
false, they are valid packets according to the conntrack. The filter table
is empty, so we can point our finger to nat alone.

The hard way remained: recompile the kernel with netfilter debugging
enabled. Then repeat the connection attempts with the new kernel booted
up and let's see what shows up in the kernel log.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
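The per-table LOG prefixes quoted above are only useful once you line the entries up per packet and see which tables each one did and did not hit. The script below is an added example, not part of the thread or of the netfilter project: it parses kernel LOG lines (syslog prefix already stripped, as the sed command above does), groups them by SRC/DST/PROTO/ID, and reports packets that were logged in mangle PREROUTING but never in nat PREROUTING, plus packets whose IP length exceeds the MTU or that carry the MF flag (the only two things the quoted lines reveal about the affected traffic). The sample log is constructed from the three quoted lines plus two hypothetical lines for a small packet that did reach the nat table, so the report has something to contrast with.

```python
from collections import defaultdict

# Constructed sample: the three LOG lines quoted in the thread plus two
# hypothetical lines (ID=7) for a small packet that did reach "Nat Prerouting".
SAMPLE_LOG = """\
Mangle Prerouting:IN=eth1 OUT= MAC=ETH1_MAC SRC=LOCAL_CLIENT DST=SERVER LEN=1584 TOS=0x00 PREC=0x00 TTL=128 ID=50876 PROTO=UDP SPT=500 DPT=500 LEN=1564
Mangle Postrouting:IN= OUT=eth0 SRC=LOCAL_CLIENT DST=SERVER LEN=1500 TOS=0x00 PREC=0x00 TTL=127 ID=50876 MF PROTO=UDP SPT=500 DPT=500 LEN=1564
Mangle Prerouting:IN=eth0 OUT= MAC=ETH0_MAC SRC=SERVER DST=EXTERNAL_IP_OF_NAT_BOX LEN=2288 TOS=0x00 PREC=0x00 TTL=55 ID=63908 PROTO=UDP SPT=500 DPT=500 LEN=2268
Mangle Prerouting:IN=eth1 OUT= MAC=ETH1_MAC SRC=LOCAL_CLIENT DST=SERVER LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=500 DPT=500 LEN=64
Nat Prerouting:IN=eth1 OUT= MAC=ETH1_MAC SRC=LOCAL_CLIENT DST=SERVER LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=500 DPT=500 LEN=64
"""

def parse_line(line):
    """Return (prefix, fields, flags) for one netfilter LOG line, else None.

    key=value tokens go into fields; bare tokens such as MF or DF are flags.
    LEN appears twice (IP total length, then UDP length): the second copy is
    kept as L4_LEN so the IP length is not overwritten.
    """
    prefix, sep, rest = line.strip().partition(":IN=")
    if not sep:
        return None
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields["L4_LEN" if k == "LEN" and "LEN" in fields else k] = v
        else:
            flags.add(tok)
    return prefix.strip(), fields, flags

def group_packets(log_text):
    """Map (SRC, DST, PROTO, ID) -> {prefix: [(fields, flags), ...]}."""
    packets = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            prefix, f, flags = parsed
            packets[(f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"))][prefix].append((f, flags))
    return packets

def missing_from(packets, seen_in, expected_in):
    """Packets logged by the `seen_in` rule but never by the `expected_in` rule."""
    return sorted(k for k, hops in packets.items() if seen_in in hops and expected_in not in hops)

def oversize_or_fragmented(packets, mtu=1500):
    """Packets whose IP LEN exceeds `mtu` or that were ever logged with the MF flag."""
    return sorted(k for k, hops in packets.items()
                  if any(int(f["LEN"]) > mtu or "MF" in fl for e in hops.values() for f, fl in e))

if __name__ == "__main__":
    pk = group_packets(SAMPLE_LOG)
    print("mangle PREROUTING but no nat PREROUTING:", missing_from(pk, "Mangle Prerouting", "Nat Prerouting"))
    print("oversize or fragmented:", oversize_or_fragmented(pk))
```

Feed it `grep kernel: /var/log/syslog | sed "s/^.*kernel: //g"` on stdin or a file and the two lists tell you at a glance which packets skipped a table, and whether those are exactly the ones larger than the interface MTU.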
