bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-04 21:23 UTC
[Bug 552] New: Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

Summary: Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: All
Status: NEW
Severity: critical
Priority: P2
Component: NAT
AssignedTo: laforge@netfilter.org
ReportedBy: cbettero@ciditech.it

Hi,

I'm going mad trying to understand this behaviour:

I have a Linux box with two LANs: eth0 (internal LAN) and eth1 (Internet). This box is configured as a firewall, using iptables (1.3.7). My kernel is 2.6.20.1.

I do SNAT for the LAN clients to the Internet, and all is working fine; but I have big problems with DNAT. I have these lines:

....
.....
iptables -A PREROUTING -t nat -i eth1 -d $WANIP -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
.....
.....
iptables -A INPUT -i eth1 -j DROP-AND-LOG
.....

OK, a simple and classical DNAT to an internal web server.

Now, the problem: the majority of packets get correctly into the PREROUTING chain and to my web server, but SOMETIMES the packets "miss" the PREROUTING and fall into the INPUT chain, getting logged and dropped!

I analyzed and noticed that they are all ACK packets, but they are correct in all aspects (IN=ETH1 DST=WANIP DPT=80); what can be the problem?

--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.