04-06-2004, 07:22 AM, #1
LQ Newbie, Registered: Mar 2004, Location: Finland, Distribution: Debian, Posts: 5
Iptables DNAT weirdness
I've been running my RedHat 7.2 server for several years now using DNAT and SNAT in iptables to manage my network. Quite recently I noticed that one of the computers can't use the internet, the SNAT translation works but when the remote computer sends packets back, the DNAT rule doesn't seem to work, as the packet doesn't travel any further after arriving at the router.
Apparently a reboot of the router fixed the problem, but today (after no changes on the router whatsoever) another computer got the same problem. The exact same problem, and it is for that IP, as changing to another IP makes the computer work like normal again. The same problem occurs in Windows and Linux, so the problem must be at the router.
A reboot of the router isn't entirely out of the question, but I'd like to solve this problem, as different hosts randomly failing isn't acceptable. I've tried to flush and reload the iptables rules but it didn't help. Any ideas?
Here's a tcpdump dump of the problem:
13:39:39.351312 local-1.35033 > remote.http: S 3143142374:3143142374(0) win 5840 <mss 1460,sackOK,timestamp 5701693 0,nop,wscale 0> (DF)
13:39:39.351532 local-1-pub.35033 > remote.http: S 3143142374:3143142374(0) win 5840 <mss 1460,sackOK,timestamp 5701693 0,nop,wscale 0> (DF)
13:39:39.363325 remote.http > local-1-pub.35033: S 1835049943:1835049943(0) ack 3143142375 win 49232 <nop,nop,timestamp 138598212 5701693,mss 1460,nop,wscale 0,nop,nop,sackOK> (DF)
local-1 is the host with problems, in the local network.
local-1-pub is the public internet ip for local-1, the ip that SNAT/DNAT uses.
remote is the remote host.
So SNAT works, but when remote sends traffic back to local-1-pub, it doesn't DNAT it to local-1 as it should. On local-1 /proc/net/ip_conntrack says that the request is unreplied.
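An added example, not part of the original thread, that automates the check the poster did by eye on the tcpdump above: every outbound packet from the private host should be followed by its SNAT copy, and every inbound packet to the public address should be followed by its DNAT copy to the private host. The capture lines are the post's three lines (TCP options trimmed); the mapping local-1 to local-1-pub and the fourth "working DNAT" line in the second sample are constructed assumptions.

```python
"""Flag one-way NAT translations in old-style tcpdump output (src.port > dst.port: FLAGS ...)."""
import re

# Constructed from the post: SYN, its SNAT copy, and the reply to the public IP.
# A working DNAT would produce a fourth line 'remote.http > local-1.35033'; it never appears.
CAPTURE_BROKEN = """\
13:39:39.351312 local-1.35033 > remote.http: S 3143142374:3143142374(0) win 5840 (DF)
13:39:39.351532 local-1-pub.35033 > remote.http: S 3143142374:3143142374(0) win 5840 (DF)
13:39:39.363325 remote.http > local-1-pub.35033: S 1835049943:1835049943(0) ack 3143142375 win 49232 (DF)
"""
# Constructed: the same exchange with the DNAT copy present (what a healthy router shows).
CAPTURE_OK = CAPTURE_BROKEN + (
    "13:39:39.363400 remote.http > local-1.35033: S 1835049943:1835049943(0) ack 3143142375 win 49232 (DF)\n"
)
# Assumed 1:1 mapping of private host -> public address handled by SNAT/DNAT on the router.
NAT_MAP = {"local-1": "local-1-pub"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+?)\.(?P<sport>\w+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\w+):\s+(?P<flags>[SFRP.]+)"
)


def parse(capture):
    """Return one dict per packet line that matches the tcpdump summary format."""
    return [m.groupdict() for line in capture.splitlines() if (m := LINE_RE.match(line))]


def check_nat(pkts, nat_map):
    """Report pre-NAT packets seen at the router whose post-NAT twin never shows up.

    A packet from a private host must have a copy with the public source address (SNAT);
    a packet to a public address must have a copy with the private destination (DNAT).
    """
    seen = {(p["src"], p["sport"], p["dst"], p["dport"]) for p in pkts}
    pub_to_priv = {pub: priv for priv, pub in nat_map.items()}
    problems = []
    for p in pkts:
        if p["src"] in nat_map:  # outbound, pre-SNAT copy
            want = (nat_map[p["src"]], p["sport"], p["dst"], p["dport"])
            if want not in seen:
                problems.append(f"{p['ts']} SNAT missing: {p['src']}.{p['sport']} -> {p['dst']}.{p['dport']}")
        elif p["dst"] in pub_to_priv:  # inbound, pre-DNAT copy
            want = (p["src"], p["sport"], pub_to_priv[p["dst"]], p["dport"])
            if want not in seen:
                problems.append(f"{p['ts']} DNAT missing: {p['src']}.{p['sport']} -> {p['dst']}.{p['dport']} "
                                f"never reached {pub_to_priv[p['dst']]}")
    return sorted(set(problems))


if __name__ == "__main__":
    for line in check_nat(parse(CAPTURE_BROKEN), NAT_MAP):
        print(line)
```

Run against a live capture with `tcpdump -n -i any host local-1-pub` piped into parse(); an empty result means both directions of the 1:1 NAT were translated.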
04-06-2004, 03:33 PM, #2
Member, Registered: Mar 2003, Location: Washington DC, USA, Distribution: Redhat, Posts: 212
Is the Linux server acting as a router, or do you have the firewall before your router?
04-06-2004, 05:27 PM, #3
LQ Newbie (Original Poster), Registered: Mar 2004, Location: Finland, Distribution: Debian, Posts: 5
The linux server is the router/firewall.
The setup looks like this:
host <-> router <-> remote
where router has host's public ip assigned to it, which is then DNAT/SNATed. The tcpdump is taken at the router.
Personally I believe this is a bug of some sort, but I can't upgrade my kernel/system quite yet.
04-07-2004, 04:11 AM, #4
LQ Newbie (Original Poster), Registered: Mar 2004, Location: Finland, Distribution: Debian, Posts: 5
Well, I tried the same thing I've tried many times before, deleting the iptables SNAT rule and adding it again, and now it works! But it's still a mystery.