bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-21 19:57 UTC
[Bug 452] New: DNAT to internal network doesn't work with source routing and 2 uplinks
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=452

           Summary: DNAT to internal network doesn't work with source routing and 2 uplinks
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge@netfilter.org
        ReportedBy: mzurakowski-bin@data.pl

System: Debian Sarge
Kernel: 2.6.8-2-386 (from Debian)
Add-Paches: No

--------------------------------------------------------------------------

I have a gateway with 3 interfaces:

      eth0    eth1
       |       |
    ---------------
    |     gw      |
    ---------------
           |
          eth2

eth0: Uplink to my ISP1 (10.0.0.1/24, gw: 10.0.0.2)
eth1: Uplink to my ISP2 (10.0.1.1/24, gw: 10.0.1.2)
eth2: My internal network (10.0.2.1/24)

Simple source routing:

/sbin/ip rule add from 10.0.0.1 table TABLE1
/sbin/ip route add 10.0.0.0/29 dev eth0 src 10.0.0.1 table TABLE1
/sbin/ip route add default via 10.0.0.2 table TABLE1
/sbin/route add default gw 10.0.0.2 metric 0

/sbin/ip rule add from 10.0.1.1 table TABLE2
/sbin/ip route add 10.0.1.0/29 dev eth1 src 10.0.1.1 table TABLE2
/sbin/ip route add default via 10.0.1.2 table TABLE2
/sbin/route add default gw 10.0.1.2 metric 5

If I set up DNAT like:

-A PREROUTING -i eth0 -m tcp -p tcp --dport 25 -j DNAT --to 10.0.2.133
-A PREROUTING -i eth1 -m tcp -p tcp --dport 25 -j DNAT --to 10.0.2.133

it will only work if the packet comes in from the default routing device, eth0. If I change the metric of the default gw on eth0 from 0 to 6, this DNAT rule will work only from eth1 (lower metric). If I remove both default gws, the DNAT rules are not working at all.

I noticed that the DNAT rule is firing (the counter on this rule is increasing), but this SYN packet never reaches the FORWARD chain in the filter table. It just disappears. There is no trace of this connection in ip_conntrack.

Marcin Z

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
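An added simulation (not part of the bug report or of netfilter) of the policy-routing lookup the reporter configured: rules are tried in priority order and the first table holding a matching route decides. It shows that the "from 10.0.0.1" and "from 10.0.1.1" rules only select TABLE1/TABLE2 for packets the gateway sources itself, so a forwarded reply from 10.0.2.133 is routed by the main table and leaves via the metric-0 default, whichever uplink the DNATed SYN arrived on. The client address 198.51.100.7 is a constructed value; the /29 vs /24 prefixes are as given in the report.

```python
import ipaddress

Net = ipaddress.ip_network

# Routing tables as configured in the report. Each route is
# (prefix, out_dev, gateway_or_None, metric). The main table also holds the
# connected /24s and both "route add default" entries with their metrics.
TABLES = {
    "TABLE1": [(Net("10.0.0.0/29"), "eth0", None, 0),
               (Net("0.0.0.0/0"), "eth0", "10.0.0.2", 0)],
    "TABLE2": [(Net("10.0.1.0/29"), "eth1", None, 0),
               (Net("0.0.0.0/0"), "eth1", "10.0.1.2", 0)],
    "main": [(Net("10.0.0.0/24"), "eth0", None, 0),
             (Net("10.0.1.0/24"), "eth1", None, 0),
             (Net("10.0.2.0/24"), "eth2", None, 0),
             (Net("0.0.0.0/0"), "eth0", "10.0.0.2", 0),
             (Net("0.0.0.0/0"), "eth1", "10.0.1.2", 5)],
}

# Policy rules in priority order: ("from" selector, table); None matches all.
RULES = [(Net("10.0.0.1/32"), "TABLE1"),
         (Net("10.0.1.1/32"), "TABLE2"),
         (None, "main")]


def lookup_table(table, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    candidates = [r for r in TABLES[table] if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def route(src, dst):
    """Return (table, out_dev, gateway) chosen for a src->dst packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, table in RULES:
        if selector is None or src in selector:
            hit = lookup_table(table, dst)
            if hit is not None:  # no match: fall through to the next rule
                return table, hit[1], hit[2]
    return None


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client address
    print("SYN after DNAT :", route(client, "10.0.2.133"))  # main, eth2
    print("reply from host:", route("10.0.2.133", client))  # main, eth0
    print("gw's own packet:", route("10.0.1.1", client))    # TABLE2, eth1
```

The model covers only the routing decision taken after PREROUTING; it does not reproduce the drop of the SYN that the report describes, which needs inspection on the host itself.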