I'm trying to set up some DNAT and the packets seem to be disappearing after the PREROUTING step. The packets are coming in eth2 (both LOG targets in iptables and tcpdump confirm this). They are then DNATed to an IP that should cause them to go out eth3. However, I never see them go out that interface. I have tried putting LOG rules into the FORWARD chain with no success. I'm pretty sure the packet isn't hitting a DROP rule, as all my DROP rules have a LOG rule directly in front of them. Any idea how to track down the missing packets?

----------------
Thanks
Jefferson Cowart
Jeff@cowart.net
Can you attach your rules file?

thanks
pramod
Sorry this took so long. In any case, I've included all the parts of my rules file that I think are relevant below. Let me know if there is anything else needed. When I send packets to 134.173.95.144 I see them appear in the tcpdump on the incoming interface (eth2). I also see them in my kernel log from the log entry in the prerouting chain. I however do not see them in my forward chain and they don't actually make it to 192.168.5.9. (I've tried adding logging rules there, but the packets don't appear. All my drop rules are preceded by a log step.)

Firewall Rules
=====
Chain PREROUTING (policy ACCEPT 13M packets, 2207M bytes)
 pkts bytes target prot opt in   out  source           destination
    3   144 LOG    tcp  --  eth2 *    134.173.64.0/19  134.173.95.144  tcp dpt:3389 LOG flags 0 level 4
    3   144 DNAT   tcp  --  eth2 *    134.173.64.0/19  134.173.95.144  tcp dpt:3389 to:192.168.5.9:3389

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source           destination
    0     0 ACCEPT tcp  --  eth2 eth3 134.173.64.0/19  192.168.5.9     tcp dpt:3389

Routing Rules
====
# ip rule
0:      from all lookup local
200:    from 134.173.69.154/31 lookup 200
201:    from 134.173.91.144/30 lookup 201
202:    from 134.173.95.144/30 lookup 202
203:    from 192.168.5.128/25 lookup 203
204:    from 192.168.5.0/25 lookup 204
250:    from all lookup 250

# ip route show table 250
192.168.5.0/24 dev eth3 scope link
134.173.68.0/23 dev eth0 scope link
134.173.92.0/22 dev eth2 scope link
134.173.88.0/22 dev eth1 scope link
default via 134.173.69.254 dev eth0

pramod wrote:
> Can you attach your rules file?
>
> thanks
> pramod
Did you do this?

cat /proc/sys/net/ipv4/conf/all/forwarding

The output should be 1. Also:

cat /proc/sys/net/ipv4/conf/all/arp_filter

This should also be 1.

thanks
pramod
I had already done the first of those. Changing the second didn't seem to fix anything.

----------------
Thanks
Jefferson Cowart
Jeff@cowart.net

> -----Original Message-----
> From: pramod [mailto:pramod@atheros.com]
> Sent: Saturday, July 16, 2005 02:24
> To: Jefferson Cowart
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Losing Packets after a DNAT in prerouting
>
> Did you do this?
>
> cat /proc/sys/net/ipv4/conf/all/forwarding
> The output should be 1. Also:
> cat /proc/sys/net/ipv4/conf/all/arp_filter
> This should also be 1.
>
> thanks
> pramod
I am sorry, in the second option I made a mistake. Do the following things...
1) Restore arp_filter to the default.
2) Set rp_filter to 0 (zero).

thanks
pramod
Jefferson Cowart
2005-Jul-19 01:45 UTC
Problems with Routing (was RE: Losing Packets after a DNAT in prerouting)
Well, that helped, but I'm still having problems. Here is what is happening now:

I send a packet from 134.173.94.7 to 134.173.95.146 (those devices are on the same network). It goes into my router on eth2 and gets DNATed to 192.168.5.9, which is on eth3. It gets routed properly and gets to my machine at 192.168.5.9. My machine at 192.168.5.9 responds. It goes back into my router on eth3. My router routes the packet out eth0 and the automatic rule sets the source address back to 134.173.95.146. Since the packet has a source address that is on the wrong interface, the packet is dropped.

It appears that my problem is that I need it to route the connection back out the same interface that it came in on. However, for new connections I need it to use eth0 as the default route.

----------------
Thanks
Jefferson Cowart
Jeff@cowart.net

> -----Original Message-----
> From: pramod [mailto:pramod@atheros.com]
> Sent: Sunday, July 17, 2005 22:08
> To: Jefferson Cowart
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Losing Packets after a DNAT in prerouting
>
> I am sorry, in the second option I made a mistake. Do the following things...
> 1) Restore arp_filter to the default.
> 2) Set rp_filter to 0 (zero).
>
> thanks
> pramod
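As an added illustration (this is not code from the thread, and not a fix that Jefferson or pramod posted), the following Python models the policy-routing lookup the kernel performs on these packets: `ip rule` entries are walked in priority order, and the first table holding a route that matches the destination wins. The rule list and table 250 are copied from Jefferson's mail; the contents of tables local, 202 and 204 are not in the thread and are assumed here (`ASSUMED_TABLES`) to send everything to the eth0 uplink, which is the assumption that reproduces both symptoms reported: with strict rp_filter on, the reverse-path check of the DNATed packet fails and it vanishes after PREROUTING, and once rp_filter is off the reply from 192.168.5.9 is routed via table 204 and leaves on eth0. The rule at priority 199, the mark value 2 and the table named `mark2` in `after_fix` are constructed to show the usual connection-marking approach, not something taken from the thread.

```python
"""Model of the Linux policy-routing lookup discussed in this thread.

'ip rule' entries are tried in priority order; the first table with a route
matching the destination wins, and a table without a matching route falls
through to the next rule. RULES and table 250 are from Jefferson's mail;
tables local, 202 and 204 are NOT in the thread and are ASSUMED below."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # 'from' selector; None = all
    fwmark: Optional[int] = None                  # 'fwmark' selector, if any


def parse_ip_rule(text: str) -> List[Rule]:
    """Parse 'ip rule' output such as '202: from 134.173.95.144/30 lookup 202'."""
    rules = []
    for line in text.strip().splitlines():
        prio, rest = line.split(":", 1)
        toks = rest.split()
        rule = Rule(prio=int(prio), table=toks[toks.index("lookup") + 1])
        if "from" in toks:
            src = toks[toks.index("from") + 1]
            rule.src = None if src == "all" else ipaddress.ip_network(src, strict=False)
        if "fwmark" in toks:
            rule.fwmark = int(toks[toks.index("fwmark") + 1], 0)  # printed as 0x2
        rules.append(rule)
    return sorted(rules, key=lambda r: r.prio)


def parse_ip_route(text: str) -> List[Route]:
    """Parse 'ip route show table N' lines such as '192.168.5.0/24 dev eth3 scope link'."""
    routes = []
    for line in text.strip().splitlines():
        toks = line.split()
        prefix = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        routes.append(Route(ipaddress.ip_network(prefix, strict=False),
                            toks[toks.index("dev") + 1]))
    return routes


def lookup(rules, tables, src, dst, fwmark=0) -> Optional[str]:
    """Output device for (src, dst, fwmark), or None when no rule/table matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src is not None and src not in rule.src:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hits = [r for r in tables.get(rule.table, []) if dst in r.prefix]
        if hits:  # longest prefix wins inside a table; empty table falls through
            return max(hits, key=lambda r: r.prefix.prefixlen).dev
    return None


def reverse_path_ok(rules, tables, src, dst, in_dev) -> bool:
    """Strict rp_filter: route the packet backwards (its destination as source,
    its source as destination) and require the answer to be the arrival device.
    The check runs after nat PREROUTING, so it sees the already-DNATed
    destination; the packet mark is ignored unless src_valid_mark is enabled."""
    return lookup(rules, tables, dst, src) == in_dev


# From the thread: Jefferson's 'ip rule' and 'ip route show table 250'.
RULES = parse_ip_rule("""
0: from all lookup local
200: from 134.173.69.154/31 lookup 200
201: from 134.173.91.144/30 lookup 201
202: from 134.173.95.144/30 lookup 202
203: from 192.168.5.128/25 lookup 203
204: from 192.168.5.0/25 lookup 204
250: from all lookup 250
""")
TABLES = {"250": parse_ip_route("""
192.168.5.0/24 dev eth3 scope link
134.173.68.0/23 dev eth0 scope link
134.173.92.0/22 dev eth2 scope link
134.173.88.0/22 dev eth1 scope link
default via 134.173.69.254 dev eth0
""")}
# ASSUMED: these per-source tables are not in the thread. Giving 204 a default
# via the eth0 uplink is what reproduces both symptoms Jefferson reported.
ASSUMED_TABLES = {
    "local": [],
    "202": parse_ip_route("default via 134.173.69.254 dev eth0"),
    "204": parse_ip_route("default via 134.173.69.254 dev eth0"),
}
TABLES.update(ASSUMED_TABLES)


def before_fix():
    """Packet 134.173.94.7 -> 134.173.95.144 arrives on eth2, DNATed to 192.168.5.9."""
    fwd_dev = lookup(RULES, TABLES, "134.173.94.7", "192.168.5.9")    # eth3 via table 250
    rp_ok = reverse_path_ok(RULES, TABLES, "134.173.94.7", "192.168.5.9", "eth2")
    reply_dev = lookup(RULES, TABLES, "192.168.5.9", "134.173.94.7")  # eth0 via rule 204
    return fwd_dev, rp_ok, reply_dev


def after_fix():
    """CONSTRUCTED fix: replies carrying a restored connection mark of 2 hit an
    extra rule whose table leaves via eth2; unmarked (new) connections from
    192.168.5.9 still fall to rule 204 and leave via eth0."""
    rules = sorted(parse_ip_rule("199: from all fwmark 0x2 lookup mark2") + RULES,
                   key=lambda r: r.prio)
    tables = {**TABLES, "mark2": parse_ip_route("default dev eth2")}
    marked_reply = lookup(rules, tables, "192.168.5.9", "134.173.94.7", fwmark=2)
    unmarked_new = lookup(rules, tables, "192.168.5.9", "134.173.94.7")
    return marked_reply, unmarked_new
```

The mark that `after_fix` relies on is the standard LARTC connection-marking pattern, shown here as the commands it assumes rather than as anything from the thread: `iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-mark 2` stamps each new connection that arrives on eth2, `iptables -t mangle -A PREROUTING -i eth3 -j CONNMARK --restore-mark` copies that mark onto the replies coming back from the DNAT target, and `ip rule add fwmark 2 lookup mark2` (with `mark2` a number or a name registered in /etc/iproute2/rt_tables, and a route out eth2 in it) sends the marked replies back the way they came while unmarked new connections keep using the eth0 default. Because the un-DNAT of the reply's source happens in nat POSTROUTING, after the routing decision, the routing has to be keyed on the mark (or on the still-private 192.168.5.9 source), not on the public address.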
I'm having issues with altq on NetBSD and am considering moving to Gentoo. Does anyone have any success to report compiling altq on the PowerMac 604e(v) chipset?

severely questioning:
"Microsoft: Where do you want to go tomorrow?
Linux: Where do you want to go today?
BSD: Are you guys coming, or what?"

Robin-David Hammond KB3IEN
www.aresnyc.org.