bugzilla-daemon@netfilter.org
2003-Jul-18 16:03 UTC
[Bug 115] New: incorrect "state RELATED,ESTABLISHED" checking with two interfaces
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=115

           Summary: incorrect "state RELATED,ESTABLISHED" checking with two interfaces
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: connection tracking
        AssignedTo: laforge@netfilter.org
        ReportedBy: agri@desnol.ru
                CC: netfilter-buglog@lists.netfilter.org


I have two interfaces to the internet, one with a real IP and another with a
virtual IP. The default interface is the real one, but if I force using the
other interface for pinging, iptables blocks the packets.

Here is my table. I have:

eth0 - real interface to internet
eth1 - private network (ip 192.168.0.205)
eth2 - interface to internet with virtual ip 192.168.100.2 (gw 192.168.100.1)

> iptables -vL
agrigw:~ # iptables -vL
Chain INPUT (policy ACCEPT 67930 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 733K  961M ACCEPT     all  --  eth0   eth1    !192.168.0.0/24      192.168.0.0/24      state RELATED,ESTABLISHED
 577K  114M ACCEPT     all  --  eth1   any     192.168.0.0/24       !192.168.0.0/24
  252 99897 ACCEPT     all  --  eth2   eth1    !192.168.0.0/24      192.168.0.0/24      state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 21780 packets, 7461K bytes)
 pkts bytes target     prot opt in     out     source               destination

> iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 90121 packets, 18M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 22 packets, 1431 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7270  420K MASQUERADE all  --  any    eth0    192.168.0.0/24       !192.168.0.0/16
    2   168 MASQUERADE all  --  any    eth2    192.168.0.0/24       192.168.100.1
   84  4447 MASQUERADE all  --  any    eth2    192.168.0.0/24       !192.168.0.0/16

Chain OUTPUT (policy ACCEPT 14 packets, 1111 bytes)
 pkts bytes target     prot opt in     out     source               destination

I'm doing:

> ping www.ru
PING www.ru (194.87.0.50) from 217.150.59.18 : 56(84) bytes of data.
64 bytes from www.ru (194.87.0.50): icmp_seq=1 ttl=55 time=49.393 msec
64 bytes from www.ru (194.87.0.50): icmp_seq=2 ttl=55 time=38.066 msec

All is fine.

> ping -I 192.168.100.2 www.ru
PING www.ru (194.87.0.50) from 192.168.100.2 : 56(84) bytes of data.

--- www.ru ping statistics ---
2 packets transmitted, 0 received, 100% loss, time 1015ms

I have a route to 192.168.100.2:

80.237.18.0     192.168.100.1   255.255.254.0   UG    0      0        0 eth2

> ping 80.237.18.1
PING 80.237.18.1 (80.237.18.1) from 192.168.100.2 : 56(84) bytes of data.
64 bytes from 80.237.18.1: icmp_seq=1 ttl=61 time=22.365 msec
64 bytes from 80.237.18.1: icmp_seq=2 ttl=61 time=17.523 msec

My full route:

> route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.150.59.16   0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
80.237.18.0     192.168.100.1   255.255.254.0   UG    0      0        0 eth2
0.0.0.0         217.150.59.17   0.0.0.0         UG    0      0        0 eth0

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
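As an added illustration (not part of the bug report and not netfilter code), the following Python transcribes the FORWARD chain from the listing above and evaluates which rule, if any, would accept a forwarded packet; it models only the FORWARD chain for traffic passing between interfaces, and the function names and the LAN host 192.168.0.10 used in the comments are constructed for the example.

```python
import ipaddress

# FORWARD chain from the bug report, transcribed as
# (in-iface, out-iface, source, destination, accepted conntrack states).
# A leading "!" negates an address match; state None means no "state" match.
FORWARD_POLICY = "DROP"
FORWARD_RULES = [
    ("eth0", "eth1", "!192.168.0.0/24", "192.168.0.0/24", {"RELATED", "ESTABLISHED"}),
    ("eth1", "any",  "192.168.0.0/24",  "!192.168.0.0/24", None),
    ("eth2", "eth1", "!192.168.0.0/24", "192.168.0.0/24", {"RELATED", "ESTABLISHED"}),
]


def _addr_match(spec, addr):
    """Match an address against an iptables source/destination spec ("!" negates)."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _iface_match(spec, iface):
    """iptables prints "any" when no -i/-o restriction was given."""
    return spec == "any" or spec == iface


def forward_verdict(in_if, out_if, src, dst, state):
    """Walk the FORWARD chain top to bottom like the kernel does.

    Returns (verdict, rule_index); rule_index is None when the chain policy
    decided because no rule matched.  Addresses are as seen in FORWARD, i.e.
    after PREROUTING has already reversed any MASQUERADE on reply packets.
    """
    for i, (rin, rout, rsrc, rdst, rstate) in enumerate(FORWARD_RULES):
        if not (_iface_match(rin, in_if) and _iface_match(rout, out_if)):
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if rstate is not None and state not in rstate:
            continue
        return ("ACCEPT", i)
    return (FORWARD_POLICY, None)


if __name__ == "__main__":
    # Constructed LAN host 192.168.0.10 pinging www.ru via eth2, then the reply.
    print(forward_verdict("eth1", "eth2", "192.168.0.10", "194.87.0.50", "NEW"))
    print(forward_verdict("eth2", "eth1", "194.87.0.50", "192.168.0.10", "ESTABLISHED"))
    # Unsolicited packet from the eth2 side is left to the DROP policy.
    print(forward_verdict("eth2", "eth1", "194.87.0.50", "192.168.0.10", "NEW"))
```

Note that the router's own `ping -I 192.168.100.2` traffic never enters FORWARD at all; only packets routed between interfaces are evaluated here.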