Re: Ramdom NAT drop

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Gary Smith wrote:

I would also expect to see this, but I don't think the packet is even
making it to the filter section.  I have logging for anything dropped
and yet nothing is coming in from originating IP's that are affected.
I will probably do something painful and put more logging in the chains
to see if I can better catch the problem.  The only issue I have is
that the problem is random.

I will definitely look for that though.
Included is the rule that I think is being randomly ignored. 
-A PREROUTING -d 208.46.23.38 -j DNAT --to-destination 10.80.65.38
This is in effect. So I believe that I should never see a hit in the INPUT chain for this rule since all requests are being forwarded to the 10.80.65.38 IP address. Only 10.80.0.0/16 are local. 
I expcted to see this rule as the forward is indeed happening (basically we logged all traffic prior to this rule to generate the hit:

Oct 21 13:33:35 hsoakfiw01c kernel: FW-F-443: IN=eth1 OUT=eth0 SRC=116.250.48.135 DST=10.80.65.38 LEN=1050 TOS=0x00 PREC=0x00 TTL=102 ID=30940 DF PROTO=TCP SPT=2374 DPT=80 WINDOW=32768 RES=0x00 ACK PSH URGP=0

The INPUT catch had a rule to log all traffic coming in as well, which is where we picked up this hit:
Oct 21 13:31:01 hsoakfiw01c kernel: FW-I: IN=eth1 OUT= MAC=00:0c:29:9c:88:9b:00:13:c3:d7:a3:68:08:00 SRC=189.162.111.146 DST=208.46.23.38 LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=16396 DF PROTO=TCP SPT=3552 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0 
So, am I wrong in thinking that external traffic forwarded in via NAT should never hit the INPUT chain and go straight to FORWARD chain, or is my problem something else completely?
From a request few days ago 'Re: FIN packets not getting NAT-ed', Pascal Hambourg answered: 

Dhyanesh Ramaiya a écrit :
> > I have setup a Linux firewall on the edge of the network and doing SNAT for 
> internal IPs. When I sniff on external interface for internal source IPs,I
> am seeing FIN packets from internal IPs going out without being NAT-ed.
These packets are probably classified in the INVALID state by the 
connection tracking. Such packets are ignored by the NAT. A reason may
be that they belong to old connections the connection tracking has
forgotten about or considers already closed.

Does your rulest DROP outgoing packets in the INVALID state ?


Maybe it's the same thing just with DNAT at your end.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux