bugzilla-daemon at netfilter.org
2017-Mar-10 15:32 UTC
[Bug 1129] New: iptables outgoing SNAT works for a while then stops working completely for a while
https://bugzilla.netfilter.org/show_bug.cgi?id=1129

    Bug ID: 1129
    Summary: iptables outgoing SNAT works for a while then stops working completely for a while
    Product: netfilter/iptables
    Version: unspecified
    Hardware: x86_64
    OS: Debian GNU/Linux
    Status: NEW
    Severity: enhancement
    Priority: P5
    Component: ip_conntrack
    Assignee: netfilter-buglog at lists.netfilter.org
    Reporter: timclarke147 at gmail.com

I have updated to Debian Jessie and have a firewall that does incoming port redirection (which works reliably) and outgoing masquerading (SNAT) from internal IP 192.168.123.0/24 via 62.232.232.211 outside world.

Outgoing source-nat works fine for a while (overnight) and then during the day stops working for a few hours, then works again for some time, then stops working again etc.

When NOT working, tcpdump shows the following:

icmp request from 192.168.123.203 to 88.208.252.180 is logged
icmp reply from 88.208.252.180 is logged
icmp reply to 62.232.25.211 is logged
NO icmp reply is forwarded to 192.168.123.203

It would appear that the ping is being SNAT'ed outwards ok but the connection is not being properly tracked to allow the returning reply packet to be redirected back to 192.168.123.203

The iptables config is identical to that used on an earlier (wheezy) Debian and I have never had any problems with that earlier version.

I note that the new machine has about 2.5% dropped packets on both interfaces, but this may be a red herring!

tcpdumps and iptables config etc can be supplied on request

--
You are receiving this mail because:
You are watching all bug changes.
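
As an added example (not part of the bug report and not netfilter code): a small check over `conntrack -L -p icmp` output that shows, for one internal host and remote address, whether the connection-tracking table holds an entry whose reply tuple is addressed to the SNAT address and whether a reply has been seen. The sample lines are constructed, using addresses quoted in the report plus 203.0.113.9 as a placeholder; the function names and state labels are hypothetical.

```python
import re

# Constructed sample in the line format printed by `conntrack -L -p icmp`.
SAMPLE = """\
icmp     1 29 src=192.168.123.203 dst=88.208.252.180 type=8 code=0 id=4101 src=88.208.252.180 dst=62.232.232.211 type=0 code=0 id=4101 mark=0 use=1
icmp     1 12 src=192.168.123.203 dst=88.208.252.180 type=8 code=0 id=4102 [UNREPLIED] src=88.208.252.180 dst=62.232.232.211 type=0 code=0 id=4102 mark=0 use=1
icmp     1 25 src=192.168.123.57 dst=88.208.252.180 type=8 code=0 id=977 src=88.208.252.180 dst=192.168.123.57 type=0 code=0 id=977 mark=0 use=1
icmp     1 18 src=192.168.123.60 dst=88.208.252.180 type=8 code=0 id=31 src=88.208.252.180 dst=203.0.113.9 type=0 code=0 id=31 mark=0 use=1
"""


def parse(line):
    """Return (orig_src, orig_dst, reply_src, reply_dst, unreplied) or None."""
    src = re.findall(r"\bsrc=(\S+)", line)
    dst = re.findall(r"\bdst=(\S+)", line)
    if len(src) != 2 or len(dst) != 2:
        return None  # not a conntrack entry with original + reply tuples
    return src[0], dst[0], src[1], dst[1], "[UNREPLIED]" in line


def classify(line, snat_ip):
    """Label one entry by what its reply tuple says about the translation."""
    flow = parse(line)
    if flow is None:
        return None
    orig_src, orig_dst, _reply_src, reply_dst, unreplied = flow
    if reply_dst == orig_src:
        state = "not-translated"   # reply expected at the internal address
    elif reply_dst != snat_ip:
        state = "other-address"    # translated, but not to the expected IP
    elif unreplied:
        state = "unreplied"        # translated, conntrack has seen no reply
    else:
        state = "snat-ok"          # translated and a reply was matched
    return orig_src, orig_dst, state


def report(text, snat_ip, internal_src, remote):
    """States of all entries for internal_src -> remote, or ['no-entry']."""
    found = [classify(line, snat_ip) for line in text.splitlines()]
    states = [c[2] for c in found
              if c and c[0] == internal_src and c[1] == remote]
    return states or ["no-entry"]


if __name__ == "__main__":
    print(report(SAMPLE, "62.232.232.211",
                 "192.168.123.203", "88.208.252.180"))
```

On a live system the text would come from `conntrack -L -p icmp` captured while the ping is failing, alongside the tcpdump.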