Hi,

I'm not a guru on netfilter nor the Linux IP stack, but I have a strange problem and I suspect a bug.

My config: Debian Sarge with a vanilla 2.6.18.2 kernel, iptables 1.2.11. There are 3 eth interfaces on this gateway:

* eth0 192.168.1.254/24 connected to my LAN
* eth1 connected to my ISP (I have a static public IP address)
* eth2 10.75.1.254 connected to a DMZ

There is also an alias on eth0:1 192.168.100.0/24 for a pseudo DMZ. The goal is that a host from the LAN _must_ be routed on the Linux box to connect to a host 192.168.100.254, even if they are on the same Ethernet segment.

This is the beginning of my FORWARD rules (default policy is DROP):

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
log_drop   tcp  --  0.0.0.0/0            0.0.0.0/0           state INVALID
log_drop   udp  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     tcp  --  192.168.1.0/24       192.168.100.0/24    state NEW

So a host 192.168.1.125 should be able to connect to 192.168.100.1, but look at a tcpdump session on the router:

# tcpdump -n -i eth0 net 192.168.100.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:46:08.297208 IP 192.168.1.125.3580 > 192.168.100.254.22: S 3913030203:3913030203(0) win 65535 <mss 1460,nop,nop,sackOK>
13:46:08.297289 IP 192.168.1.125.3580 > 192.168.100.254.22: S 3913030203:3913030203(0) win 65535 <mss 1460,nop,nop,sackOK>
13:46:08.297585 IP 192.168.1.125.3580 > 192.168.100.254.22: . ack 2474300259 win 65535
13:46:11.497946 IP 192.168.1.125.3580 > 192.168.100.254.22: . ack 1 win 65535
13:46:17.496303 IP 192.168.1.125.3580 > 192.168.100.254.22: . ack 1 win 65535

You can see the source host emits a SYN packet entering on eth0, which is then re-emitted on the same interface, then it emits an ACK, while the dest host didn't acknowledge the SYN with a SYN-ACK packet!

The cause is in my /var/log/messages:

# tail -n 1000 /var/log/messages | grep 192.168.100.254
Nov 14 13:46:08 localhost kernel: IPT_DROP: IN=eth0 OUT=eth0 SRC=192.168.1.125 DST=192.168.100.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51586 DF PROTO=TCP SPT=3580 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Nov 14 13:46:11 localhost kernel: IPT_DROP: IN=eth0 OUT=eth0 SRC=192.168.1.125 DST=192.168.100.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51589 DF PROTO=TCP SPT=3580 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0

So packets from the dest host to the source host are rejected by netfilter because conntrack marked them as INVALID!

I did a test by moving rule 5 to the 1st position in the FORWARD table, and inserted a new rule:

# iptables -I FORWARD 2 -i eth0 -o eth0 -s 192.168.100.0/24 -d 192.168.1.0/24 -j ACCEPT

In this case the SYN-ACK packet comes back, but the next packets are DROPPED. So I replaced the 1st rule by this one:

# iptables -R FORWARD 1 -i eth0 -o eth0 -s 192.168.1.0/24 -d 192.168.100.0/24 -j ACCEPT

and now the connection goes OK... while it is marked as an INVALID connection!

So what do you think about that?

Regards,
-- Rico
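As an added example, not part of Rico's post: a small parser for the lines that the netfilter LOG target writes to /var/log/messages (the IPT_DROP prefix is the one from the post). It splits each line into its key=value fields and the bare tokens the LOG target prints without an equals sign (DF and the TCP flag names), groups the dropped packets per flow, and marks the flows where IN and OUT are the same interface, the hairpin case in the post, so that they can be told apart from ordinary transit drops. The sample log is constructed: the two IPT_DROP lines quoted above (with the extraction spacing after SRC= and ID= removed), a made-up transit drop from 203.0.113.7 to 10.75.1.10 on eth1 -> eth2, and an unrelated sshd line to show non-netfilter lines being skipped.

```python
import re
from collections import Counter

# Constructed sample input: the two IPT_DROP lines from the post plus a made-up
# transit drop (eth1 -> eth2) and one non-netfilter line that must be ignored.
SAMPLE_LOG = """\
Nov 14 13:46:08 localhost kernel: IPT_DROP: IN=eth0 OUT=eth0 SRC=192.168.1.125 DST=192.168.100.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51586 DF PROTO=TCP SPT=3580 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Nov 14 13:46:11 localhost kernel: IPT_DROP: IN=eth0 OUT=eth0 SRC=192.168.1.125 DST=192.168.100.254 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=51589 DF PROTO=TCP SPT=3580 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Nov 14 13:47:02 localhost kernel: IPT_DROP: IN=eth1 OUT=eth2 SRC=203.0.113.7 DST=10.75.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44212 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 13:47:05 localhost sshd[1234]: Accepted publickey for rico from 192.168.1.125 port 3581 ssh2
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one netfilter LOG-target line into a dict, or return None.

    Key=value pairs (IN, OUT, SRC, DST, PROTO, SPT, DPT, ...) become dict
    entries.  DF and the TCP flag names are printed by the LOG target as bare
    tokens, so they are collected separately into 'df' and 'flags'.  The text
    between 'kernel:' and the first 'IN=' is the --log-prefix.
    """
    if "kernel:" not in line or " IN=" not in line:
        return None
    head, _, body = line.partition(" IN=")
    body = "IN=" + body
    fields = dict(KV_RE.findall(body))
    fields["prefix"] = head.rsplit("kernel:", 1)[1].strip().rstrip(":")
    bare = [tok for tok in body.split() if "=" not in tok]
    fields["flags"] = [tok for tok in bare if tok in TCP_FLAGS]
    fields["df"] = "DF" in bare
    return fields


def is_hairpin(fields):
    """True when the packet was to be forwarded out the interface it came in on."""
    return bool(fields.get("IN")) and fields["IN"] == fields.get("OUT")


def summarize_drops(log_text):
    """Count dropped packets per flow, tagging each flow as hairpin or transit.

    The TCP flag string is part of the key: a flow whose dropped packets are
    bare ACKs with no SYN is the pattern seen in the post, where conntrack had
    no handshake on record for the connection and marked the packets INVALID.
    """
    summary = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        key = (
            f["IN"], f["OUT"], f["SRC"], f["DST"],
            f.get("PROTO", "?"), f.get("DPT", "?"),
            "hairpin" if is_hairpin(f) else "transit",
            "/".join(f["flags"]) or "-",
        )
        summary[key] += 1
    return summary


def hairpin_flows(log_text):
    """Return, sorted, the summary keys of flows dropped on their own ingress interface."""
    return sorted(k for k in summarize_drops(log_text) if k[6] == "hairpin")


if __name__ == "__main__":
    for key, count in sorted(summarize_drops(SAMPLE_LOG).items()):
        in_if, out_if, src, dst, proto, dpt, kind, flags = key
        print(f"{count:4d}  {kind:7s} {in_if}->{out_if}  {src} -> {dst}  {proto}/{dpt}  [{flags}]")
```

Run it against a real file with `summarize_drops(open("/var/log/messages").read())`; a hairpin flow whose only dropped packets carry ACK without SYN is the case to look at first when a same-segment host cannot complete a connection through the router.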