bugzilla-daemon@netfilter.org
2003-Mar-29 20:07 UTC
[Bug 71] New: dnat breaks connection tracking?
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=71

Summary: dnat breaks connection tracking?
Product: netfilter/iptables
Version: linux-2.4.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: connection tracking
AssignedTo: laforge@netfilter.org
ReportedBy: mbm@alt.org
CC: netfilter-buglog@lists.netfilter.org

Background:

    internet -> (24.x.x.x) upstream nat (192.168.1.1) -> (192.168.1.2) linux box

The upstream NAT is set up to forward all unhandled incoming packets to the Linux box; unfortunately it handles per-protocol translations, and so the LAN address of the Linux box has been leaking out. My solution was to add an extra NAT layer so the Linux box could think it has a 24.x.x.x IP address and thus do the required protocol translations:

    internet -> (24.x.x.x) upstream nat (192.168.1.1) -> [(192.168.1.2) -> (24.x.x.x) linux box]

    ifconfig eth0:0 24.x.x.x
    iptables -t nat -A PREROUTING -p tcp -s \! 192.168.1.0/24 -d 192.168.1.2 -j DNAT --to-destination 24.x.x.x
    default via 192.168.1.1 dev eth0 src 24.x.x.x

(yes, the upstream NAT is extremely stupid)

So far, so good. The translations appear to be working fine and the Linux box thinks it has a 24.x.x.x IP address.

The problem:

    external client y.y.y.y tries to connect to FTP (passive mode)
    ip conntrack sets up a related y.y.y.y -> 24.x.x.x:32782
    packet comes in to 192.168.1.2, hits the DNAT rule and is translated to 24.x.x.x
    resulting packet mysteriously misses the related rule
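One ordering effect worth checking when debugging a report like this, as an added model and not code from the report or from netfilter: in the 2.4 PREROUTING chain the conntrack hook runs before the DNAT hook, so the expectation lookup is made on the packet as delivered (destination 192.168.1.2), not on the post-DNAT packet (destination 24.x.x.x). The model takes the expectation tuple exactly as the reporter states it and uses the report's addresses; y.y.y.y stands in for the external client.

```python
"""Constructed model of conntrack expectation matching versus DNAT ordering.

Encodes one fact about the 2.4 netfilter stack: in PREROUTING, conntrack
(NF_IP_PRI_CONNTRACK = -200) runs before destination NAT
(NF_IP_PRI_NAT_DST = -100), so the expectation lookup sees the pre-DNAT tuple.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple:
    proto: str
    src: str
    dst: str
    dport: int


# Addresses taken from the bug report.
EXTERNAL_CLIENT = "y.y.y.y"
LAN_ADDR = "192.168.1.2"
PUBLIC_ADDR = "24.x.x.x"
DATA_PORT = 32782


def expectation_from_pasv() -> Tuple:
    # The RELATED expectation exactly as the reporter describes it.
    return Tuple("tcp", EXTERNAL_CLIENT, PUBLIC_ADDR, DATA_PORT)


def dnat_rule(pkt: Tuple) -> Tuple:
    # Models: iptables -t nat -A PREROUTING -p tcp -s ! 192.168.1.0/24
    #         -d 192.168.1.2 -j DNAT --to-destination 24.x.x.x
    if pkt.proto == "tcp" and pkt.dst == LAN_ADDR and not pkt.src.startswith("192.168.1."):
        return Tuple(pkt.proto, pkt.src, PUBLIC_ADDR, pkt.dport)
    return pkt


def classify(pkt: Tuple, expected: Tuple, conntrack_before_nat: bool) -> str:
    """Return the conntrack state the data-connection SYN would receive."""
    seen = pkt if conntrack_before_nat else dnat_rule(pkt)
    return "RELATED" if seen == expected else "NEW"


def demo() -> dict:
    # The data-connection SYN as the upstream NAT delivers it to the Linux box.
    incoming = Tuple("tcp", EXTERNAL_CLIENT, LAN_ADDR, DATA_PORT)
    exp = expectation_from_pasv()
    return {
        "actual_order": classify(incoming, exp, conntrack_before_nat=True),
        "if_nat_ran_first": classify(incoming, exp, conntrack_before_nat=False),
    }
```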