Packets which should be DNATed are dropped incidentally

Hi,

At our site, we have a mailserver inside a DMZ. This DMZ
employs private IPs (range 192.168.193/24), so we configured additional official
IPs on the external interface of the firewall:

(excerpt of `iptables -L -n -v -t nat`)
Chain PREROUTING (policy ACCEPT 2468K packets, 218M bytes)
 pkts bytes target     prot opt in     out     source               destination
 103K 5881K DNAT       all  --  external *       0.0.0.0/0            <external mailserver IP>      to:192.168.193.13

In addition, I let through the required services for this mailserver (also serves as DNS-server, btw):

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2089  110K ACCEPT     udp  --  external dmz     0.0.0.0/0            192.168.193.13      udp dpt:53
 1413 56520 ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:53
 2448  151K ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:993
 4279  261K ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:995
34899 1738K ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:25
  281 16448 ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:465
    3   128 ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:3128
  270 13568 ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:80
 2951  170K ACCEPT     tcp  --  external dmz     0.0.0.0/0            192.168.193.13      tcp dpt:443

Now, we incidentally watch packets being dropped although they belong to valid connections:

Aug 22 13:52:13 localhost kernel: DROP IN=external OUT= MAC=<firewall external mac>:<next router's mac>:08:00 SRC=<remoteip> DST=<external mailserver ip> LEN=109 TOS=0x00 PREC=0x00 TTL=54 ID=60517 DF PROTO=TCP SPT=18995 DPT=993 WINDOW=2282 RES=0x00 ACK PSH URGP=0

but `iptstate` tells me this should be a valid connection.

Also, the user who is connected using <remoteip> tells me that he has difficulties downloading large attachments using IMAP as well as via HTTPS (mailserver web interface). However, this is not always reproducible and sometimes it works. He has tried different internet connections and different home routers on his side of the connection. I have already checked the mailserver and the webserver's log but could not find a problem there. So I suspect this is a firewall issue.

Something that confuses me: If I understand the log line above correctly, the packet is not dropped in the FORWARD chain but in the INPUT chain. However, this would mean that the packet would not have been processed by the DNAT rule.

Thanks for any help,

Bram Metsch.
 
-- 
Dipl. Math. Bram Metsch
Universitaet Bonn
Institut fuer Numerische Simulation
Wegelerstrasse 6
53115 Bonn
Germany
Phone: +49 228 733849
Fax:   +49 228 737527
http://wissrech.ins.uni-bonn.de/index.php4?nav=people_staff_metsch
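As an added example (not part of the post above), the following Python classifier parses netfilter LOG lines of the kind quoted and flags the pattern the poster describes: a mid-stream TCP packet whose DST is still the external (pre-DNAT) address and whose OUT= is empty, i.e. it was routed to the firewall itself instead of being translated and forwarded. The DNAT_MAP entry and the two documentation-range addresses that stand in for the redacted fields are assumptions.

```python
# Constructed sample: the poster's log line with the redacted fields replaced
# by placeholder addresses from the documentation ranges (assumption).
SAMPLE_LOG = (
    "Aug 22 13:52:13 localhost kernel: DROP IN=external OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=198.51.100.7 DST=203.0.113.25 LEN=109 TOS=0x00 PREC=0x00 TTL=54 "
    "ID=60517 DF PROTO=TCP SPT=18995 DPT=993 WINDOW=2282 RES=0x00 ACK PSH URGP=0"
)

# Assumed mirror of the PREROUTING DNAT rule: external IP -> DMZ host.
DNAT_MAP = {"203.0.113.25": "192.168.193.13"}

# Bare tokens that the LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log(line: str) -> dict:
    """Split a netfilter LOG line into KEY=value fields plus a set of TCP flags."""
    fields = {}
    flags = set()
    for tok in line.split("kernel: ", 1)[1].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val          # OUT= yields an empty string, which is the signal
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # the log prefix ("DROP") and markers such as DF are ignored
    fields["FLAGS"] = flags
    return fields


def classify_drop(line: str) -> str:
    """Return a short tag saying where and why the logged packet was dropped."""
    f = parse_log(line)
    local = f.get("OUT", "") == ""            # no OUT => INPUT path, not FORWARD
    untranslated = f.get("DST") in DNAT_MAP   # destination is still the external IP
    midstream = "ACK" in f["FLAGS"] and "SYN" not in f["FLAGS"]
    if local and untranslated and midstream:
        # NAT is only applied to packets conntrack accepts; a mid-stream packet it
        # classifies as INVALID (e.g. out of the tracked TCP window) skips DNAT,
        # keeps the external DST, is routed to the host and dies in INPUT.
        return "input-untranslated-midstream"
    if local and untranslated:
        return "input-untranslated"
    if not local:
        return "forward"
    return "input"
```

Running the classifier over a day of DROP lines and counting the first tag per SRC/SPT pair shows whether the drops cluster on long-lived IMAP/HTTPS sessions, which is the pattern the user's attachment problems would produce.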
