netfilter buglog - Mar 2007 - [Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From cbettero@ciditech.it  2007-03-04 21:48 MET
-------
This problem prevents AJAX web sites to be hosted on the internal web server,
because many packets will be dropped instead of passing into PREROUTING chain...

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From cbettero@ciditech.it  2007-03-05 19:01 MET
-------
Here is my iptables-save:

eth0=LAN
eth1=WAN
MYWANIP = wan side IP

# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*raw
:PREROUTING ACCEPT [1995956:451770704]
:OUTPUT ACCEPT [1961924:1087077789]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*nat
:PREROUTING ACCEPT [17802:1194035]
:POSTROUTING ACCEPT [10136:610868]
:OUTPUT ACCEPT [9850:595464]
-A PREROUTING -d $MYWANIP -i eth1 -p tcp -m tcp --dport 80 -j DNAT
--to-destination 10.0.0.2:80
-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j
REDIRECT --to-ports 8082
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j SNAT --to-source $MYWANIP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*mangle
:PREROUTING ACCEPT [1995985:451773060]
:INPUT ACCEPT [1520898:334872020]
:FORWARD ACCEPT [475076:116900716]
:OUTPUT ACCEPT [1961957:1087081769]
:POSTROUTING ACCEPT [2425267:1203332050]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:2940]
:drop-and-log-it - [0:0]
:drop-and-log-it-inp - [0:0]
:drop-and-log-it-out - [0:0]
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it-inp
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2095 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 138 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j drop-and-log-it
-A FORWARD -j drop-and-log-it
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $MYWANIP -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.0.5 -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth1 -j drop-and-log-it-out
-A OUTPUT -s $MYWANIP -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it-out
-A drop-and-log-it -j LOG --log-prefix "FORWARD CHAIN-> "
-A drop-and-log-it -j DROP
-A drop-and-log-it-inp -j LOG --log-prefix "INPUT CHAIN-> "
-A drop-and-log-it-inp -j DROP
-A drop-and-log-it-out -j LOG --log-prefix "OUTPUT CHAIN-> "
-A drop-and-log-it-out -j DROP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber@trash.net  2007-03-05 19:05 MET -------
DNAT only works on packets that connection tracking regards as valid, so the
most likely reason is that TCP window tracking for some reason thinks they are
not (retransmits, ...).

You can try:

a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

to log these packets and the reason why conntrack thinks they're invalid, or

b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP

to drop them.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber@trash.net  2007-03-05 19:05 MET -------
DNAT only works on packets that connection tracking regards as valid, so the
most likely reason is that TCP window tracking for some reason thinks they are
not (retransmits, ...).

You can try:

a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

to log these packets and the reason why conntrack thinks they're invalid, or

b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP

to drop them.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From cbettero@ciditech.it  2007-03-05 19:24 MET
-------
(In reply to comment #3)
> DNAT only works on packets that connection tracking regards as valid, so
the
> most likely reason is that TCP window tracking for some reason thinks they
are
> not (retransmits, ...).
> 
> You can try:
> 
> a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
> 
> to log these packets and the reason why conntrack thinks they're
invalid, or
> 
> b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP
> 
> to drop them.
Hi,

I just do as you told... no invalid packets at all (nothing on console after
your echo cmd, and the counter is still 0)

But my packets randomly continue to hit the INPUT chain :

INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00
SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14445 DF
PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00
SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14446 DF
PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00
SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14447 DF
PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0

If I try again (say, hitting RELOAD on remote browser) sometimes I can see the
entire page (a simple login page), sometimes only a part, sometimes nothing at
all...

thanks for the help...

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber@trash.net  2007-03-05 19:29 MET -------
(In reply to comment #4)
> I just do as you told... no invalid packets at all (nothing on console
after
> your echo cmd, and the counter is still 0)
Which counter?

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber@trash.net  2007-03-05 19:29 MET -------
(In reply to comment #4)
> I just do as you told... no invalid packets at all (nothing on console
after
> your echo cmd, and the counter is still 0)
Which counter?

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From cbettero@ciditech.it  2007-03-05 19:32 MET
-------
Sorry... you are right!

I tell netfilter to LOG INVALID packets, and this is the result:

IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241
DST=--EXTIP-- LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=15151 DF PROTO=TCP SPT=3486
DPT=80 WINDOW=65520 RES=0x00 ACK FIN URGP=0

how can it be ? If I connect the web server directly on wan side, all works
perfectly !

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber@trash.net  2007-03-05 19:39 MET -------
Well, it might be a retransmit, an overly delayed ACK, ...

Valid packets that haven't been seen yet should not be marked INVALID, so
just
dropping the packets should make things behave fine.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber@trash.net  2007-03-05 19:39 MET -------
Well, it might be a retransmit, an overly delayed ACK, ...

Valid packets that haven't been seen yet should not be marked INVALID, so
just
dropping the packets should make things behave fine.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From cbettero@ciditech.it  2007-03-05 19:47 MET
-------
After inserting your DROP statement, this log appears to my console exactly when
packets get dropped:

Message from syslogd@flashbox at Mon Mar  5 19:52:46 2007 ...
flashbox kernel: nf_ct_tcp: ACK is over the upper bound (ACKed data not seen
yet) IN= OUT= SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114
ID=16414 DF PROTO=TCP SPT=3520 DPT=80 SEQ=94450082 ACK=1954097395 WINDOW=65520
RES=0x00 ACK URGP=0 OPT (0101050A7A1B86957A1B906D)

but the problem still remains: the web site doesn't behave correctly...

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From cbettero@ciditech.it  2007-03-07 09:58 MET
-------
I tryed with
echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

but nothing changes. The problem is described also by
http://www.mail-archive.com/debian-kernel@lists.debian.org/msg24805.html

It deals with NFS, but I think it's the same problem.
How can I fix this ?


-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552


netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter@linuxace.com




------- Additional Comments From netfilter@linuxace.com  2007-03-08 04:16 MET
-------
Please provide output of "tcpdump -Snn port 80" plus the output of
your console
logging using the DROP statement during one of the failed attempts.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552


netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter@linuxace.com




------- Additional Comments From netfilter@linuxace.com  2007-03-08 04:16 MET
-------
Please provide output of "tcpdump -Snn port 80" plus the output of
your console
logging using the DROP statement during one of the failed attempts.

-- 
Configure bugmail:
https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.