bugzilla-daemon at bugzilla.netfilter.org
2012-Jul-04 14:10 UTC
[Bug 693] SNAT is failing to maquerade some TCP RST packets
http://bugzilla.netfilter.org/show_bug.cgi?id=693

Myroslav Opyr <myroslav at quintagroup.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |myroslav at quintagroup.com
         OS/Version|Ubuntu                      |All

--- Comment #10 from Myroslav Opyr <myroslav at quintagroup.com> 2012-07-04 16:10:55 CEST ---

We're experiencing a bug in Fedora 16 with kernel-3.2.9-2.fc16.x86_64 and kernel-3.3.4-3.fc16.x86_64. Adding the following rule helped get rid of packets with "internal" IP on "external" interface:

    $IPTABLES -A FORWARD -i $INTIF -p tcp -m state --state INVALID -j DROP

Additional information for somebody that will be hit by the issue (to be able to google this comment) follows:

We've been doing Nagios' check_http with --no-body (don't wait for document body: close socket after receiving headers). The closed socket resulted in a TCP RST packet in response to all http response body payload packets that were received into the closed socket. NAT of these RST packets didn't work due to this bug. Our server was effectively disabled by Datacenter provider (Hetzner) due to unroutable packets that our server emitted.

This bug was not present in kernel-2.6.21.7-5.fc8xen from Fedora 8 (that we'd routed through for the test).

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
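Added example, not part of the original comment or of netfilter: a check for the symptom described above (packets with an "internal" source IP on the "external" interface), run over `tcpdump -n` text captured on the external interface. The RFC 1918 ranges, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: the internal LAN uses RFC 1918 space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the text `tcpdump -n` prints for an IPv4 TCP packet.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def is_internal(addr, nets=INTERNAL_NETS):
    """True if addr belongs to one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def find_leaks(lines, nets=INTERNAL_NETS):
    """Return packets seen on the external interface whose source address
    is still internal, i.e. packets that left the gateway without SNAT."""
    leaks = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv4 TCP line (ARP, IPv6, truncated output)
        if is_internal(m["src"], nets):
            leaks.append({"src": m["src"], "sport": int(m["sport"]),
                          "dst": m["dst"], "dport": int(m["dport"]),
                          "rst": "R" in m["flags"]})
    return leaks


# Constructed sample capture (not taken from the bug report): the gateway's
# external address is 203.0.113.20, the remote web server is 198.51.100.7.
SAMPLE = """\
16:10:55.000101 IP 203.0.113.20.40112 > 198.51.100.7.80: Flags [S], seq 1, win 14600, length 0
16:10:55.010205 IP 198.51.100.7.80 > 203.0.113.20.40112: Flags [S.], seq 1, ack 2, win 14480, length 0
16:10:55.020340 IP 198.51.100.7.80 > 203.0.113.20.40112: Flags [P.], seq 1:1449, ack 90, win 229, length 1448
16:10:55.020411 IP 192.168.1.10.40112 > 198.51.100.7.80: Flags [R], seq 90, win 0, length 0
16:10:55.020498 IP 192.168.1.10.40112 > 198.51.100.7.80: Flags [R], seq 90, win 0, length 0
16:10:55.100000 ARP, Request who-has 203.0.113.1 tell 203.0.113.20, length 28
""".splitlines()

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        kind = "RST" if leak["rst"] else "other"
        print(f"un-NATed {kind}: {leak['src']}:{leak['sport']} -> "
              f"{leak['dst']}:{leak['dport']}")
```

After adding the INVALID drop rule from the comment, a fresh capture on the external interface should produce an empty result.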