iptables SNAT misses some packets
Hi,
I've noticed a few packets behind the NAT which should be NATed but are not. In other words, my NAT:
Code:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55
eth1 with 192.168.1.254 - intranet gw. Then:
Code:
tcpdump -i eth0 -ne 'net 192.168.1.0/24'
Thanks in advance, Igor

Quote:
-s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55
Can you describe it in words, please? Especially the "\!" part. Thanks

then, sometimes I see on eth0 something like:
Quote:

I've tried to flush NetFilter's connections with 'conntrack -F' and there's some effect: the number of such packets (with a FIN flag) considerably increased

Try like this:
Code:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 22.33.44.55

How could a subnet exception cause such a problem (= security caveat)? The only reason would be an iptables bug, I think; there must be something else more probable.

How would you act as a driver if three passengers in your car started to ask you to do different things at once?
You have to give iptables rules that are as simple and effective as possible, and please, read about iptables - believe me, it works just fine. This is a perfect driver; the problems are with the passengers.

netfilter is a complex system; why are you suspicious of a well-working rule in the nat table?

Because when you say "NAT table" you are in reality talking about SNAT, which needs specific conditions to function properly. Your condition was confusing and was not single-valued.

I still do not understand your idea: why can a TCP packet like "192.168.1.4.50226 > 74.125.77.19.443" pass POSTROUTING in nat without any alteration, but would be caught if I removed the local-traffic exclusion?

Do you still have that problem?

Did you try what I suggested?

The solution:
Code:
iptables -A FORWARD -s 192.168.0.0/16 \! -d 192.168.0.0/16 -m state --state INVALID -j DROP

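Why this rule helps: SNAT is applied through conntrack, and a packet that conntrack classifies as INVALID (for example a FIN or RST belonging to a connection whose entry was flushed with conntrack -F or has expired) never gets a NAT mapping, so it leaves eth0 with its private source address untouched. Dropping INVALID in FORWARD stops exactly those packets. Since tcpdump on eth0 taps outgoing packets after POSTROUTING, any 192.168.1.x source it shows on the external interface is a genuinely un-translated packet. The script below is an added example, not code from this thread or from the netfilter project: it parses constructed tcpdump -ne lines (not a capture from the poster's host), mirrors the source and exclusion networks of the poster's SNAT rule, and reports the un-NATed packets together with their TCP flags so the FIN/RST pattern noticed above can be counted.

```python
import ipaddress
import re
from collections import Counter

# Networks taken from the thread's SNAT rule: -s 192.168.1.0/24 ! -d 192.168.0.0/16
SOURCE_NET = ipaddress.ip_network("192.168.1.0/24")
EXCLUDED_DST = ipaddress.ip_network("192.168.0.0/16")

# Matches the IPv4 "src.port > dst.port:" part of a tcpdump -ne line. The
# "Flags [..]" group only appears for TCP, so it is optional (UDP lines have none).
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
    r"(?: Flags \[(?P<flags>[^\]]*)\])?"
)

# Constructed sample of `tcpdump -i eth0 -ne` output (not a real capture).
# Lines 1 and 3 are a correctly translated flow, line 4 is intranet traffic the
# rule deliberately leaves alone, lines 2, 5 and 6 are the problem: private
# sources leaving the external interface untranslated.
SAMPLE_CAPTURE = """\
10:01:02.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 74: 22.33.44.55.40001 > 74.125.77.19.443: Flags [S], seq 1, win 64240, length 0
10:01:02.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 66: 192.168.1.4.50226 > 74.125.77.19.443: Flags [F.], seq 1, ack 1, win 100, length 0
10:01:02.000003 66:77:88:99:aa:bb > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 66: 74.125.77.19.443 > 22.33.44.55.40001: Flags [.], ack 2, win 100, length 0
10:01:02.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 66: 192.168.1.7.33000 > 192.168.2.9.22: Flags [P.], seq 1, ack 1, win 100, length 0
10:01:02.000005 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 54: 192.168.1.9.44444 > 8.8.8.8.53: Flags [R], seq 0, win 0, length 0
10:01:02.000006 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 71: 192.168.1.11.5353 > 9.9.9.9.53: 777+ A? example.net. (29)
"""


def find_unnated(capture, source_net=SOURCE_NET, excluded_dst=EXCLUDED_DST):
    """Return packets whose source lies inside source_net but whose destination
    lies outside excluded_dst, i.e. packets the SNAT rule should have rewritten
    but that reached the wire with a private source address."""
    leaks = []
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m is None:
            continue  # ARP, IPv6 or anything else the regex does not understand
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in source_net and dst not in excluded_dst:
            leaks.append({
                "src": str(src),
                "dst": str(dst),
                "dport": int(m["dport"]),
                "flags": m["flags"] or "",  # "" for non-TCP packets
            })
    return leaks


def flag_counts(leaks):
    """Histogram of TCP flag strings among the leaked packets; a pile of 'F.'
    and 'R' entries points at conntrack-INVALID tails of old connections."""
    return dict(Counter(leak["flags"] for leak in leaks))


if __name__ == "__main__":
    found = find_unnated(SAMPLE_CAPTURE)
    for leak in found:
        print(f"un-NATed: {leak['src']} -> {leak['dst']}:{leak['dport']} flags=[{leak['flags']}]")
    print("by flags:", flag_counts(found))
```

To use it against a live box, feed the script the output of the same tcpdump command from the first post (for example via tcpdump -i eth0 -ne 'net 192.168.1.0/24' -l > capture.txt); if the leaks disappear after adding the INVALID drop in FORWARD, the conntrack explanation is confirmed.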
Where does tcpdump capture the packet in the stream? Relative to the netfilter table traversal, that is.

Though I do not understand the matter, I've redirected the question to the NetFilter mailing list. No answer yet.