Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
Hi,
I'm going mad trying to understand this behaviour:
I have a Linux box with two LANs: eth0 (internal LAN) and eth1 (Internet). This box is configured as a firewall, using iptables (1.3.7). My kernel is 2.6.20.1.
I do SNAT for the lan clients to the Internet, and all is working fine; but I have big problems with DNAT: I have these lines:
....
.....
iptables -A PREROUTING -t nat -i eth1 -d $WANIP -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
.....
.....
iptables -A INPUT -i eth1 -j DROP-AND-LOG
.....
Ok, a simple and classical DNAT to an internal web server.
Now, the problem: the majority of packets get correctly in the PREROUTING chain and to my web server, but SOMETIMES the packets "miss" the prerouting and fall into the INPUT chain, getting logged and dropped! I analyzed and noticed that they are all ACK packets, but they are correct in all aspects (IN=ETH1 DST=WANIP DPT=80); what can be the problem?
I have no state match specifications;
however I have tried with and without --state NEW,ESTABLISHED,RELATED in the PREROUTING rule, but with the same strange effect.
The problem is with AJAX web sites hosted on the internal server; they lose packets and so the application doesn't work correctly... if I put the web server directly on the WAN side, everything works ok...
# INPUT rules
echo -e "\nInput rules...\n"
iptables -A INPUT -p tcp --dport 137 -j DROP
iptables -A INPUT -p tcp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $GREEN_DEV -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $GREEN_DEV -p tcp --dport 8082 -j ACCEPT
# coming-back ip packets; accept only if established-related
echo -e "\ncome back packets...\n"
iptables -A INPUT -i $RED_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i $RED_DEV -p ICMP -j ACCEPT
#catch and block all-other traffic
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it-inp
echo -e "\nOUTPUT rules...\n"
# OUTPUT rules-- lo interface
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# internal IF to LAN - accept all
iptables -A OUTPUT -o $GREEN_DEV -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -o $GREEN_DEV -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -o $RED_DEV -s $EXTIP -d $UNIVERSE -j ACCEPT
#catch all other rules...
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it-out
Once these rules are loaded, please do iptables-save and post that. (Sanitise any obvious IP numbers.) This will list them in the order they are functioning, much easier to read.
First suggestion is to change the policies on the filter table to ACCEPT.
You have DROP rules to catch everything that's not ACCEPTed.
Second is to avoid making rules more specific than needed.
E.g. you have 2 rules in the FORWARD table where 1 will do for RELATED,ESTABLISHED.
Remove the -i & -o interface specs.
A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
This rule does nothing. Anything coming in on eth0 will be from 10.0.0.0/24, and anything between two PCs on the same physical segment will be done via ARP, not via the firewall.
tun traffic will come in on interface tun1
Try zeroing the iptables counters and do iptables-save -c
The rules will then show how many packets have passed down each rule.
Rules with zero packets need to be looked at to see if they need to exist, and DROPped packet counters need to be looked at to see if they are in the correct place, not too early or late in the ruleset sequence.
I usually refer people to this tutorial to get a grounding in the necessary rules/syntax.
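A small checker for the `iptables-save -c` output the reply asks for, added here as an example and not part of the thread: it lists rules with zero packet counters and DROP-style rules that are being hit, which is exactly the review the reply describes. The sample output is constructed (addresses and counters are made up) and assumes the thread's custom `drop-and-log-it-*` chain names.

```python
import re

# Constructed sample of `iptables-save -c` output, modelled on the rules in
# this thread. Interface names, addresses and counters are made up.
# Note: the nat PREROUTING counter is expected to be far lower than the
# filter ESTABLISHED,RELATED counter, because the nat table is consulted
# only for the first packet of each connection; later packets follow the
# conntrack entry instead.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
[842:50520] -A PREROUTING -i eth1 -d 203.0.113.10 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
[0:0] -A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
[1203:90123] -A POSTROUTING -o eth1 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[5510:4231020] -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[37:1480] -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j drop-and-log-it-inp
[842:50520] -A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# "[pkts:bytes] -A CHAIN rest-of-rule"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
# Terminating targets that discard traffic, including the thread's log-and-drop chains.
DROP_RE = re.compile(r"-j\s+(DROP|REJECT|drop-and-log\S*)")


def parse_counters(text):
    """Return (table, chain, packets, bytes, rule_text) for every rule line."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):          # table header, e.g. *nat
            table = line[1:]
            continue
        m = RULE_RE.match(line)
        if m and table:
            pkts, byts, chain, rest = m.groups()
            rules.append((table, chain, int(pkts), int(byts), rest))
    return rules


def unused_rules(rules):
    """Rules no packet has matched: candidates for removal or misplacement."""
    return [r for r in rules if r[2] == 0]


def hit_drop_rules(rules):
    """Discarding rules that are actually matching traffic: check their position."""
    return [r for r in rules if r[2] > 0 and DROP_RE.search(r[4])]
```

Run against real output with `iptables -Z` first, then `iptables-save -c`, as the reply suggests; a non-zero count on a log-and-drop rule in INPUT for port 80 traffic is the symptom the original post describes.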