Hello, this looks much like the same problem I have on my U10 with kernels 2.6.9 and up. Supposedly masqueraded connections show up as unreplied in /proc/net/ip_conntrack, and /proc/net/ip_conntrack_expect is empty. Things are working fine for me using kernel 2.6.8.1. I haven't tested 2.4.x. There is no /proc/net/ip_conntrack_expect in 2.6.8.1, so I suspect this change introduced a bug.

Unfortunately, I do not know how to get it working except by using an older kernel.

Regards,
Stefan Boettner

Quoting BERTRAND Joël <mt@xxxxxxxxxxx>:

> Hello,
>
> I'm trying to use iptables on an ULTRASparc U60 (smp) without any
> success. I use the same version of iptables on several i386, an
> U420R (kernel 2.4 SMP) and an U1E with success...
>
> Root bohr:[~] > lsmod
> Module                  Size  Used by
> iptable_mangle          3328  0
> autofs4                18632  1
> ipt_TCPMSS              4800  0
> ipt_tcpmss              3008  0
> ipt_MASQUERADE          3844  1
> iptable_nat             8708  1
> ip_nat                 20824  2 ipt_MASQUERADE,iptable_nat
> ip_conntrack           60264  3 ipt_MASQUERADE,iptable_nat,ip_nat
> iptable_filter          3392  0
> ip_tables              21184  6 iptable_mangle,ipt_TCPMSS,ipt_tcpmss,ipt_MASQUERADE,iptable_nat,iptable_filter
> sg                     33720  0
> sr_mod                 16940  0
> cdrom                  40880  1 sr_mod
> usblp                  12928  0
> parport_pc             39816  0
> parport                41688  1 parport_pc
> Root bohr:[~] > iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Root bohr:[~] > iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  192.168.0.0/24       0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> Root bohr:[~] > cat /proc/sys/net/ipv4/ip_forward
> 1
> Root bohr:[~] >
>
> 192.168.0.100 is an i386 workstation. Its default gateway is
> 192.168.0.128. 192.168.0.128 is the second ethernet interface of my U60.
> The address of the first one is 10.0.0.1 and it is used as the underlying
> link for ppp0.
>
> When I try to ping www.kernel.org from 192.168.0.200, I can see:
>
> Root bohr:[~] > tcpdump -i eth1 proto ICMP
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 18:04:56.333172 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 13056, length 64
> 18:04:57.337379 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 13312, length 64
> 18:04:58.341366 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 13568, length 64
> 18:04:59.345455 IP 192.168.0.100 > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 13824, length 64
>
> 4 packets captured
> 8 packets received by filter
> 0 packets dropped by kernel
> Root bohr:[~] > tcpdump -i ppp0 proto ICMP
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 18:05:36.501017 IP bohr.systella.fr > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 23296, length 64
> 18:05:36.712653 IP zeus-pub1.kernel.org > bohr.systella.fr: ICMP echo reply, id 53550, seq 23296, length 64
> 18:05:37.505105 IP bohr.systella.fr > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 23552, length 64
> 18:05:37.717251 IP zeus-pub1.kernel.org > bohr.systella.fr: ICMP echo reply, id 53550, seq 23552, length 64
> 18:05:38.509186 IP bohr.systella.fr > zeus-pub1.kernel.org: ICMP echo request, id 53550, seq 23808, length 64
> 18:05:38.723250 IP zeus-pub1.kernel.org > bohr.systella.fr: ICMP echo reply, id 53550, seq 23808, length 64
>
> 6 packets captured
> 12 packets received by filter
> 0 packets dropped by kernel
> Root bohr:[~] > cat /var/lib/iptables/active
> # Generated by iptables-save v1.2.7a on Tue Mar  4 10:43:40 2003
> *nat
> :PREROUTING ACCEPT [5:340]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [334:24336]
> [334:24336] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
> COMMIT
> # Completed on Tue Mar  4 10:43:40 2003
> # Generated by iptables-save v1.2.7a on Tue Mar  4 10:43:40 2003
> *filter
> :INPUT ACCEPT [3612:629789]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [3708:560260]
> COMMIT
> # Completed on Tue Mar  4 10:43:40 2003
> Root bohr:[~] >
>
> When I try to make a ping over the U60, I obtain:
>
> Root bohr:[~] > cat /proc/net/ip_conntrack | grep icmp
> icmp     1 29 src=192.168.0.100 dst=213.41.184.253 type=8 code=0 id=64616 packets=2888 bytes=242592 [UNREPLIED] src=213.41.184.253 dst=213.41.140.153 type=0 code=0 id=64616 packets=0 bytes=0 mark=0 use=1
> Root bohr:[~] >
>
> Strange, isn't it?
>
> Thus, all packets that come from 192.168.0.100 are routed by ppp0.
> www.kernel.org answers to my ping, but my U60 doesn't transmit the
> incoming packet to 192.168.0.100. Why? Any idea?
>
> Regards,
>
> JKB
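As an added check (not from either poster), here is a small parser for the 2.6-era /proc/net/ip_conntrack line format quoted in the thread. It flags masqueraded flows that are stuck: the reply tuple's dst is the public address (so the SNAT mapping was created), yet the reply direction has counted zero packets and the entry is still [UNREPLIED], which is exactly the symptom shown above. The sample table is constructed from the quoted entry plus one healthy TCP entry using a documentation address; the private-range list and the packet threshold are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the entry quoted in the thread plus one
# healthy, assured TCP flow (198.51.100.7 is a documentation address).
SAMPLE_CONNTRACK = """\
icmp     1 29 src=192.168.0.100 dst=213.41.184.253 type=8 code=0 id=64616 packets=2888 bytes=242592 [UNREPLIED] src=213.41.184.253 dst=213.41.140.153 type=0 code=0 id=64616 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.100 dst=198.51.100.7 sport=40112 dport=80 packets=12 bytes=1834 src=198.51.100.7 dst=213.41.140.153 sport=80 dport=40112 packets=10 bytes=9120 [ASSURED] mark=0 use=1
"""

# Assumption: hosts behind the masquerading box live in RFC 1918 space.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV = re.compile(r"(\w+)=(\S+)")


def parse_entry(line):
    """Split one ip_conntrack line into (proto, flags, original tuple, reply tuple)."""
    fields = line.split()
    proto = fields[0]
    flags = {f.strip("[]") for f in fields if f.startswith("[")}
    pairs = KV.findall(line)
    # key=value pairs appear twice: original direction first, then the
    # reply direction starting at the second "src=".
    split = [i for i, (k, _) in enumerate(pairs) if k == "src"][1]
    return proto, flags, dict(pairs[:split]), dict(pairs[split:])


def stuck_masquerade_flows(table, min_packets=10):
    """Return (proto, src, dst, packets) for NATed flows that never saw a reply."""
    stuck = []
    for line in table.splitlines():
        if not line.strip():
            continue
        proto, flags, orig, reply = parse_entry(line)
        src = ip_address(orig["src"])
        if not any(src in net for net in PRIVATE):
            continue
        # Reply dst differing from the private source means SNAT/MASQUERADE
        # rewrote the flow; zero reply packets means nothing came back.
        natted = ip_address(reply["dst"]) != src
        unreplied = "UNREPLIED" in flags and int(reply["packets"]) == 0
        if natted and unreplied and int(orig["packets"]) >= min_packets:
            stuck.append((proto, orig["src"], orig["dst"], int(orig["packets"])))
    return stuck


if __name__ == "__main__":
    for entry in stuck_masquerade_flows(SAMPLE_CONNTRACK):
        print("stuck masqueraded flow:", entry)
```

Run it against the live file with `stuck_masquerade_flows(open("/proc/net/ip_conntrack").read())` on a 2.6 kernel that still exposes that file; a non-empty result after the internal host has been sending for a while points at the reply-path problem rather than at the NAT rule itself.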