Re: raw table and NOTRACK target

On Fri, 26/06/2009 at 10:43 +0300, Ramunas Vabolis wrote:
> > > 
> > Pay attention to order. As far as I understood your rule order is like
> > this:
> > 
> > -t raw -A PREROUTING -j NOTRACK
> > -t raw -A PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
> > -t raw -A PREROUTING -p tcp -d host.ip --sport 80 -j RETURN
> <skipped>
> Thank you for pointing this out, but I am already well aware of that.
> That's why I'm using -I to prepend rules to the beginning of the chain.
> 
> The first rule is hit - I can verify that with iptables -t raw -vxnL.
> But it seems that if a packet is RETURNed or ACCEPTed in the raw chain it is
> removed from further processing (I'm running tcpdump on my router and I
> see the packet entering on the local interface but it does not appear on my
> outgoing interface).
> 
> So exact steps to replicate the behaviour:
> 
> iptables -t raw -A PREROUTING -p tcp -s real.ip --dport 80 -j RETURN
> iptables -t raw -A PREROUTING -p tcp -d real.ip --sport 80 -j RETURN
> iptables -t raw -A PREROUTING -j NOTRACK
> 
> running lynx http://any.host.com from real.ip
> 
> running tcpdump on inner interface:
> tcpdump -i ethlocal -n host real.ip and port 80 
> 
> does show connection attempts while 
> tcpdump -i ethoutside -n host real.ip and port 80 
> is silent.
> 
> iptables -t raw -vxnL shows that the first rule is hit a couple of times; the
> second rule is never hit.

If I've got it right you are trying to do DNAT. The problem was that
nothing was being tracked by conntrack, which is what you've already
fixed.

Next, as you said in a later message, nothing blocks that traffic in -t
filter, which is good.

Next, show us the actual DNAT rules and check that the counters increase as
you try to connect.

You can also check whether the connection is actually being tracked by
analyzing the output of "conntrack -L" or "conntrack -E".

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
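The ruleset and the check below are an added example for this thread, not code posted by either participant. It puts the raw-table ordering the thread is about (the RETURN exceptions listed before the catch-all NOTRACK) next to the misordered variant from the first attempt, and adds a small check that a ruleset in iptables-save format has the exceptions first. The interface names, 192.0.2.10 (standing in for real.ip) and the DNAT target 192.0.2.1:3128 are placeholders assumed here; the poster's actual DNAT rule is not shown in this message.

```shell
#!/bin/sh
# Added example, not from the thread or the poster's router. The names
# ethlocal, 192.0.2.10 (for real.ip) and 192.0.2.1:3128 are assumptions.

# Exceptions first: the raw table is walked top to bottom and NOTRACK is a
# terminating target. A packet that hits the catch-all NOTRACK is never
# tracked, and untracked packets never reach the nat table, so no DNAT
# rule can apply to them. RETURN in a built-in chain falls through to the
# chain policy (ACCEPT) and the packet continues to be tracked normally.
good_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -s 192.0.2.10 --dport 80 -j RETURN
-A PREROUTING -p tcp -d 192.0.2.10 --sport 80 -j RETURN
-A PREROUTING -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i ethlocal -s 192.0.2.10 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.1:3128
COMMIT
EOF
}

# The ordering from the poster's first attempt: the catch-all NOTRACK is
# listed first, so the two RETURN rules below it can never match.
bad_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -j NOTRACK
-A PREROUTING -p tcp -s 192.0.2.10 --dport 80 -j RETURN
-A PREROUTING -p tcp -d 192.0.2.10 --sport 80 -j RETURN
COMMIT
EOF
}

# check_raw_order: read a ruleset in iptables-save format on stdin and
# print "ok" if every -j RETURN in raw/PREROUTING is listed before an
# unconditional "-A PREROUTING -j NOTRACK", otherwise "misordered".
check_raw_order() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table != "raw" || $1 != "-A" || $2 != "PREROUTING" { next }
        $NF == "NOTRACK" && NF == 4 { notrack_seen = 1; next }
        $NF == "RETURN" && notrack_seen { bad = 1 }
        END { print (bad ? "misordered" : "ok") }
    '
}

# On a real router (as root) the same check is done against the live
# table, then the counters and the conntrack table confirm the result:
#   good_ruleset | iptables-restore
#   iptables -t raw -vxnL PREROUTING    # RETURN counters should grow
#   conntrack -L -s 192.0.2.10          # the HTTP connection should be listed
good_ruleset | check_raw_order
bad_ruleset | check_raw_order
```

iptables-restore loads each table as a whole, so the order in the file is exactly the order in the chain, which avoids the -A versus -I confusion in the thread. One caveat worth keeping in mind when excluding traffic from tracking: packets that hit NOTRACK also cannot be matched statefully in the filter table (they show up as UNTRACKED to the conntrack match, never as NEW or ESTABLISHED), so the exceptions should cover everything that is supposed to be NATed or state-filtered.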
