Scott Bronson wrote:

> Is there any reason for a packet to just disappear when it gets
> DNATed? (other than rp_filter, which is disabled)
>
> The VM creates the packet: src=192.168.122.10:23456 dst=173.233.67.174:25
>
> * it arrives on the host's raw:PREROUTING
> * it moves to mangle:PREROUTING
> * it then goes to nat:PREROUTING
> * Rule 5 DNATs the destination to 192.168.122.10
>
> And that's it! Nothing more happens, the packet is gone.
>
> Here's my research with tables and traces:
> https://gist.github.com/bronson/c857a462edb0c6eeab2d

IIUC, you're looping back traffic on a bridge interface. Bridge-nf is enabled by default and can cause weird behaviour with NAT. Try to disable it:

echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables

Without that, after DNAT, the packet is not routed but bridged. But I suspect that the bridge code won't forward it back to its original port due to its source MAC address.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html