Re: raw table and NOTRACK target

Hello again, 

> If I've got it right you are trying to do DNAT. The problem was that
> nothing was being tracked by conntrack, which is what you've
> already fixed.
Yes, I'm trying to do some DNAT, but I've still got a long way to go.
 
> Next, as you've said in a further message, nothing blocks that traffic in -t
> filter, that's good.
> 
> Next, show us the actual DNAT rules and check that the counters increase as
> you try to connect.
> 
> You can also check whether the connection is actually being tracked by
> analyzing the output of "conntrack -L" or "conntrack -E".

The problem is that I'm stuck at step 1: excluding items from
NOTRACK. As soon as I add rules with RETURN in the raw table, packets are
dropped somewhere. To reproduce:

I've got a host, which connects with lynx to any website.

On the router there are no DROP rules in FORWARD and a single line in the raw table:
/sbin/iptables -t raw -A PREROUTING -j NOTRACK

Host connects to any remote host port 80.

As soon as I add two lines with -j RETURN in the raw table (so those entries
are tracked) I experience the same effect as if I had added -j DROP:

/sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j RETURN
/sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j RETURN

behave as if I had made these rules:

/sbin/iptables -t raw -I PREROUTING -p tcp -s host.ip --dport 80 -j DROP
/sbin/iptables -t raw -I PREROUTING -p tcp -d host.ip --sport 80 -j DROP

I've tried replacing RETURN with ACCEPT, with the same results. As soon as I
remove those two rules, host.ip can connect to the remote port 80.
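A small model, added here and not part of the thread, of how the raw PREROUTING rules in the post are evaluated: `-A` appends, `-I` inserts at position 1, NOTRACK marks the packet untracked and ends traversal, RETURN on a builtin chain falls through to the chain policy (ACCEPT), and ACCEPT/DROP end traversal. The addresses, ports and packets are constructed sample values standing in for host.ip and a remote web server; nothing here queries a real kernel. Running it shows which packets each variant of the rule set (RETURN, ACCEPT, DROP) leaves tracked, untracked or dropped.

```python
"""Toy model of iptables raw/PREROUTING traversal (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

HOST_IP = "192.0.2.10"      # assumed stand-in for "host.ip" in the post
REMOTE_IP = "198.51.100.7"  # assumed remote web server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # An unset match field (None) matches anything, like an omitted iptables option.
        return all(
            want is None or want == got
            for want, got in (
                (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
                (self.sport, p.sport), (self.dport, p.dport),
            )
        )


class RawPrerouting:
    """Builtin chain with the default policy ACCEPT, as on the poster's router."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []

    def append(self, rule: Rule) -> None:   # iptables -t raw -A PREROUTING ...
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -t raw -I PREROUTING ... (rulenum 1)
        self.rules.insert(0, rule)

    def traverse(self, p: Packet) -> tuple[str, bool]:
        """Return (verdict, tracked); tracked=False means conntrack will skip the packet."""
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.target == "NOTRACK":
                return ("ACCEPT", False)   # untracked, packet continues through the stack
            if r.target == "RETURN":
                return ("ACCEPT", True)    # builtin chain: RETURN applies the chain policy
            if r.target in ("ACCEPT", "DROP"):
                return (r.target, r.target == "ACCEPT")
            raise ValueError(f"unknown target {r.target}")
        return ("ACCEPT", True)            # fell off the end: chain policy


def build_chain(extra_target: str) -> RawPrerouting:
    """The post's rule set: `-A ... -j NOTRACK`, then two `-I` rules for
    HOST_IP <-> port 80 with the target the poster tried (RETURN, ACCEPT or DROP)."""
    chain = RawPrerouting()
    chain.append(Rule("NOTRACK"))
    chain.insert(Rule(extra_target, proto="tcp", src=HOST_IP, dport=80))
    chain.insert(Rule(extra_target, proto="tcp", dst=HOST_IP, sport=80))
    return chain


# Constructed sample packets: the lynx connection, its reply, and unrelated traffic.
SAMPLE = {
    "host_to_web": Packet("tcp", HOST_IP, REMOTE_IP, 40000, 80),
    "web_to_host": Packet("tcp", REMOTE_IP, HOST_IP, 80, 40000),
    "host_to_ssh": Packet("tcp", HOST_IP, REMOTE_IP, 40001, 22),
}


def classify(extra_target: str) -> dict[str, tuple[str, bool]]:
    """Map each sample packet to (verdict, tracked) under the given variant of the rules."""
    chain = build_chain(extra_target)
    return {name: chain.traverse(p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for target in ("RETURN", "ACCEPT", "DROP"):
        print(target, classify(target))
```

In this model the RETURN and ACCEPT variants are indistinguishable: both leave the port-80 flow tracked and everything else untracked, and only the DROP variant discards packets. The model covers raw-table traversal alone, so it says nothing about where the poster's packets are actually lost; that is what the suggested counter checks and `conntrack -L` / `conntrack -E` are for.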
