Hi,

i'm going mad in trying to understand this behaviour:

I have a linux box, with two lan's: eth0 (internal LAN) and eth1 (Internet). This box is configured as a firewall, using iptables (1.3.7). My kernel is 2.6.20.1.

I do SNAT for the lan clients to the Internet, and all is working fine; but I have big problems with DNAT: I have these lines:
....
.....
iptables -A PREROUTING -t nat -i eth1 -d $WANIP -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
.....
.....
iptables -A INPUT -i eth1 -j DROP-AND-LOG
.....

Ok, a simple and classical DNAT to an internal web server.

Now, the problem: the majority of packets get correctly in the PREROUTING chain and to my web server, but SOMETIMES the packets "miss" the prerouting and fall into the INPUT chain, getting logged and dropped ! I analyzed and noticed that they are all ACK packets, but they are correct in all aspects (IN=ETH1 DST=WANIP DPT=80); what can be the problem ?

They are probably duplicate packets that the netfilter code says doesn't belong in the stream.

Do you have a state matching rule to allow ESTABLISHED,RELATED packets?

I have no state match specifications;
however i have tryed with and without --state NEW,ESTABLISHED,RELATED in the PREROUTING rule, but with the same strange effect.

The problem is with AJAX web sites hosted on the internal server; they lose packets and so the application doesn't work correctly... if i put the web server directly on the wan side, everything works ok...

bye

The state rules live in the filter table, FORWARD, INPUT & OUTPUT chains..
They do nothing in the nat table..

Hi,

here is my iptables script:

# INPUT rules
echo -e "\nInput rules...\n"
iptables -A INPUT -p tcp --dport 137 -j DROP
iptables -A INPUT -p tcp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $GREEN_DEV -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $GREEN_DEV -p tcp --dport 8082 -j ACCEPT

# coming-back ip packets; accept only if established-related
echo -e "\ncome back packets...\n"
iptables -A INPUT -i $RED_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -i $RED_DEV -p ICMP -j ACCEPT

#catch and block all-other traffic
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it-inp

echo -e "\nOUTPUT rules...\n"

# OUTPUT rules-- lo interface
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# internal IF to LAN - accept all

iptables -A OUTPUT -o $GREEN_DEV -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -d $UNIVERSE -j ACCEPT

iptables -A OUTPUT -o $GREEN_DEV -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -o $RED_DEV -s $EXTIP -d $UNIVERSE -j ACCEPT

#catch all other rules...
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it-out

# PORT FORWARDING rules...
PORTFWIP="10.0.0.2"

# Forwarding HTTP...ADDRESS 1
iptables -A PREROUTING -t nat -i $RED_DEV -p tcp -d $RED_ADDRESS --dport 80 -j DNAT --to $PORTFWIP:80
iptables -A FORWARD -i $RED_DEV -o $GREEN_DEV -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# allow tun+ forwarding...
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Transparent proxy redirect

iptables -A PREROUTING -t nat -i $GREEN_DEV -p tcp ! -s 10.0.0.2 ! -d $GREEN_ADDRESS --dport 80 -j REDIRECT --to-port 8082

iptables -A PREROUTING -t nat -i $GREEN_DEV -p tcp ! -d $GREEN_ADDRESS --dport 110 -j REDIRECT --to-port 8110

iptables -A FORWARD -i $RED_DEV -p tcp --sport 22 -s 80.74.176.210 -j ACCEPT

#Now the FORWARD in-out rules --- ADDRESS 1
iptables -A FORWARD -i $RED_DEV -o $GREEN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $GREEN_DEV -o $RED_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT

# catch all other in log...
iptables -A FORWARD -j drop-and-log-it

# NAT: SourceNAT enabling...
iptables -t nat -A POSTROUTING -o $RED_DEV --source $INTNET -j SNAT --to-source $PUBLIC_ADDRESS

Once these rules are loaded, please do iptables-save and post that. (Sanitise any obvious ip numbers). This will list them in the order they are functioning, much easier to read..

What happened to the drop-and-log-it-out rules?

here it is :

eth0=LAN
eth1=WAN
MYWANIP = wan side IP

# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*raw
:PREROUTING ACCEPT [1995956:451770704]
:OUTPUT ACCEPT [1961924:1087077789]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*nat
:PREROUTING ACCEPT [17802:1194035]
:POSTROUTING ACCEPT [10136:610868]
:OUTPUT ACCEPT [9850:595464]
-A PREROUTING -d $MYWANIP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j SNAT --to-source $MYWANIP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*mangle
:PREROUTING ACCEPT [1995985:451773060]
:INPUT ACCEPT [1520898:334872020]
:FORWARD ACCEPT [475076:116900716]
:OUTPUT ACCEPT [1961957:1087081769]
:POSTROUTING ACCEPT [2425267:1203332050]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:2940]
:drop-and-log-it - [0:0]
:drop-and-log-it-inp - [0:0]
:drop-and-log-it-out - [0:0]
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it-inp
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2095 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 138 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j drop-and-log-it
-A FORWARD -j drop-and-log-it
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $MYWANIP -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.0.5 -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth1 -j drop-and-log-it-out
-A OUTPUT -s $MYWANIP -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it-out
-A drop-and-log-it -j LOG --log-prefix "FORWARD CHAIN-> "
-A drop-and-log-it -j DROP
-A drop-and-log-it-inp -j LOG --log-prefix "INPUT CHAIN-> "
-A drop-and-log-it-inp -j DROP
-A drop-and-log-it-out -j LOG --log-prefix "OUTPUT CHAIN-> "
-A drop-and-log-it-out -j DROP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007

First suggestion is to change the POLICYs on the filter table to ACCEPT.
You have DROP rules to catch everything that's not ACCEPTed.

Second is to avoid making rules more specific than needed..
eg you have 2 rules in the FORWARD table where 1 will do for RELATED,ESTABLISHED.
Remove the -i & -o interface specs..

A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
This rule does nothing. Anything coming in on eth0 will be from 10.0.0.0/24 , and anything between two pcs on the same physical segment will be done via ARP, not via the firewall.
tun traffic will come in on interface tun1

Try zeroing the iptables counters and do iptables-save -c
The rules will then show how many packets have passed down each rule.
Rules with zero packets need to be looked at to see if they need to exist, and DROPped packet counters need to be looked at to see if they are in the correct place, not too early or late in the ruleset sequence.

I usually refer people to this tutorial to get a grounding in the necessary rules/syntax.