Dear netfilter List,

I have two machines running Kernel 2.6.29.5, one has a bonding-related problem.

A.A.A.A = public IP
X.X.y.y = internal Host #1
X.X.z.z = internal Host #2

What I do is:

Internet ----> Host #1 -----> Host #2
A.A.A.A -----> X.X.y.y -----> X.X.z.z

- Host #1 gets the traffic from the Internet and changes the source via SNAT rule to itself.
- Host #1 uses DNAT to redirect traffic to host #2.
- Host #2 will send the answer to host #1, which will send it back to the internet again.

This works fine with one interface, but if I use bonding, it fails. Can anyone tell me why? Any hint would be nice...

Bonding activation:

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
ifconfig bond0 X.X.y.y
ifenslave bond0 eth0
ifenslave bond0 eth1
route add default gw XX.XX.y.g

iptables-save:

# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*raw
:PREROUTING ACCEPT [1788:122490]
:OUTPUT ACCEPT [1444:211385]
COMMIT
# Completed on Tue Nov 24 20:21:28 2009
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*nat
:PREROUTING ACCEPT [100:7436]
:POSTROUTING ACCEPT [20:1480]
:OUTPUT ACCEPT [20:1480]
-A PREROUTING -s A.A.A.A/32 -d X.X.y.y/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination X.X.z.z:443
-A POSTROUTING -d X.X.z.z/32 -p tcp -j SNAT --to-source X.X.y.y
COMMIT
# Completed on Tue Nov 24 20:21:28 2009
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*mangle
:PREROUTING ACCEPT [1793:122750]
:INPUT ACCEPT [1793:122750]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1451:212709]
:POSTROUTING ACCEPT [1451:212709]
-A PREROUTING -s A.A.A.A/32 -d X.X.y.y/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Nov 24 20:21:28 2009
# Generated by iptables-save v1.4.3.2 on Tue Nov 24 20:21:28 2009
*filter
:INPUT ACCEPT [1794:122802]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1455:213349]
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG
COMMIT
# Completed on Tue Nov 24 20:21:28 2009

Relevant .config info:

CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NETFILTER_TPROXY=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_TARGET_RATEEST=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_SOCKET=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y
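Added check, not part of the original post: the FORWARD rules above match on "-i eth0", but once eth0 and eth1 are enslaved, forwarded packets arrive with bond0 as their input interface, so those rules no longer match and the FORWARD policy of DROP applies to the DNAT'ed traffic. The script below assumes that bonding behaviour and works on a constructed copy of the post's filter table; it lists FORWARD rules bound to a slave interface and shows them rewritten to the bond master.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: with Linux bonding,
# frames received on a slave are handed up with the bond master as their
# input device, so "-i eth0" never matches once eth0 is enslaved to bond0.

# Constructed sample modelled on the filter table in the post.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG
COMMIT'

# slave_rules RULES "slave1 slave2 ...": print every FORWARD rule whose -i or -o
# names a bond slave; exit status 1 if any were found, 0 if the table is clean.
slave_rules() {
    printf '%s\n' "$1" | awk -v slaves="$2" '
        BEGIN { n = split(slaves, s, " "); for (i = 1; i <= n; i++) slave[s[i]] = 1 }
        /^-A FORWARD/ {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && ($(i + 1) in slave)) { print; bad++; break }
        }
        END { exit (bad > 0) }'
}

# rewrite_to_master RULES "slave1 slave2 ..." MASTER: the same ruleset with every
# -i/-o slave name replaced by the bond master, which is what matches after
# ifenslave has run.
rewrite_to_master() {
    printf '%s\n' "$1" | awk -v slaves="$2" -v master="$3" '
        BEGIN { n = split(slaves, s, " "); for (i = 1; i <= n; i++) slave[s[i]] = 1 }
        {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && ($(i + 1) in slave)) $(i + 1) = master
            print
        }'
}

if slave_rules "$SAMPLE_RULES" "eth0 eth1" >/dev/null; then
    echo "no FORWARD rule is bound to a bond slave"
else
    echo "these FORWARD rules match a slave and should use the bond master instead:"
    rewrite_to_master "$SAMPLE_RULES" "eth0 eth1" bond0 | grep '^-A FORWARD -[io] bond0'
fi
```

On a live box the same functions can be fed the output of iptables-save and the slave list from /sys/class/net/bond0/bonding/slaves instead of the constructed sample.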