bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-24 14:38 UTC
[Bug 591] New: NAT REDIRECT target does not always work
http://bugzilla.netfilter.org/show_bug.cgi?id=591

           Summary: NAT REDIRECT target does not always work
           Product: netfilter/iptables
           Version: unspecified
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P1
         Component: NAT
        AssignedTo: laforge at netfilter.org
        ReportedBy: lbocseg at yahoo.com.br

This happens quite a while and I never understood why.

> iptables -t nat -L PREROUTING -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            !10.183.4.2          tcp dpt:80 redir ports 3128

This rule was created with:

    iptables -t nat -A PREROUTING -d ! 10.183.4.2 -p tcp --dport www -j REDIRECT --to-port 3128

For logging purposes:

    iptables -N droplog
    iptables -A droplog -j ULOG --ulog-prefix Dropado --ulog-nlgroup 6

After the firewall rules, there is a final one:

    iptables -A FORWARD -j droplog

Transparent proxy is working most of the time, but sometimes this shows on log:

    Apr 24 10:18:10 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.37 DST=200.181.75.130 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=53281 DF PROTO=TCP SPT=49771 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0

This should not happen. The package should have been redirected to port 3128 by the nat rules. The problem is that this happens randomly. Most of the time the redirection is handled correctly, but rarely some packets are not redirected. That is why it is difficult to debug what is happening.

What can I do?

My kernel version is 2.6.28.3 compiled from v2.6.28 git tag with patch applied to 2.6.28.3. It also happened with debian kernel package and with v2.6.28 with no patch.

I'm not sure if it is platform specific or OS specific or iptables userspace specific, so please forgive any wrongly filled field. I cannot test in other conditions because it is not always reproducible.

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2009-Apr-27 19:16 UTC
[Bug 591] NAT REDIRECT target does not always work
http://bugzilla.netfilter.org/show_bug.cgi?id=591

jengelh at medozas.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|laforge at netfilter.org    |kaber at trash.net

------- Comment #1 from jengelh at medozas.de 2009-04-27 21:16 -------

It could be that some packet's skb->nfct points to INVALID, and NAT would skip these.
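As an added example (not part of the bug report or of netfilter), a small Python triage script for the droplog/ULOG lines shown in the report: it picks out packets that satisfy the REDIRECT rule's match (tcp, dport 80, destination other than 10.183.4.2) yet were still seen in FORWARD untranslated, and separates the ones carrying no SYN, which is the pattern comment #1 points at (a packet conntrack classifies as INVALID is skipped by NAT). The first sample line is the one from the report; the other lines are constructed.

```python
# Match fields of the REDIRECT rule quoted in the report.
REDIRECT_EXEMPT_DST = "10.183.4.2"
REDIRECT_DPORT = "80"
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample log; line 0 is copied from the bug report, the rest are made up.
SAMPLE_LINES = [
    "Apr 24 10:18:10 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.37 DST=200.181.75.130 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=53281 DF PROTO=TCP SPT=49771 DPT=80 "
    "WINDOW=65535 RES=0x00 ACK RST URGP=0",
    "Apr 24 10:20:01 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.40 DST=198.51.100.7 "
    "LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr 24 10:21:15 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.40 DST=10.183.4.2 "
    "LEN=40 TTL=63 ID=2 DF PROTO=TCP SPT=50001 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Apr 24 10:22:30 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.41 DST=198.51.100.9 "
    "LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=50002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_ulog_line(line):
    """Split a ULOG/syslog line into key=value fields plus a set of bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:          # DF, the prefix and timestamp tokens are ignored
            flags.add(tok)
    fields["flags"] = flags
    return fields


def classify(line):
    """Say whether a logged packet should have been REDIRECTed and, if so, what kind it is."""
    f = parse_ulog_line(line)
    if (f.get("PROTO") != "TCP" or f.get("DPT") != REDIRECT_DPORT
            or f.get("DST") == REDIRECT_EXEMPT_DST):
        return "not-covered"            # REDIRECT rule would not match this packet anyway
    if "SYN" not in f["flags"]:
        return "bypass-nonsyn"          # mid-stream/RST without SYN: conntrack INVALID is the usual reason NAT skips it
    return "bypass-syn"                 # a new connection skipped NAT: rule or chain-order problem, not INVALID


def summarize(lines):
    """Count each verdict over a list of log lines; the bypass-* buckets are the ones to investigate."""
    counts = {}
    for line in lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```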