bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-04 21:48 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero@ciditech.it 2007-03-04 21:48 MET -------

This problem prevents AJAX web sites from being hosted on the internal web server, because many packets will be dropped instead of passing into the PREROUTING chain...

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:01 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero@ciditech.it 2007-03-05 19:01 MET -------

Here is my iptables-save:

eth0=LAN
eth1=WAN
MYWANIP = wan side IP

# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*raw
:PREROUTING ACCEPT [1995956:451770704]
:OUTPUT ACCEPT [1961924:1087077789]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*nat
:PREROUTING ACCEPT [17802:1194035]
:POSTROUTING ACCEPT [10136:610868]
:OUTPUT ACCEPT [9850:595464]
-A PREROUTING -d $MYWANIP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j SNAT --to-source $MYWANIP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*mangle
:PREROUTING ACCEPT [1995985:451773060]
:INPUT ACCEPT [1520898:334872020]
:FORWARD ACCEPT [475076:116900716]
:OUTPUT ACCEPT [1961957:1087081769]
:POSTROUTING ACCEPT [2425267:1203332050]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:2940]
:drop-and-log-it - [0:0]
:drop-and-log-it-inp - [0:0]
:drop-and-log-it-out - [0:0]
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it-inp
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2095 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 138 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j drop-and-log-it
-A FORWARD -j drop-and-log-it
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $MYWANIP -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.0.5 -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth1 -j drop-and-log-it-out
-A OUTPUT -s $MYWANIP -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it-out
-A drop-and-log-it -j LOG --log-prefix "FORWARD CHAIN-> "
-A drop-and-log-it -j DROP
-A drop-and-log-it-inp -j LOG --log-prefix "INPUT CHAIN-> "
-A drop-and-log-it-inp -j DROP
-A drop-and-log-it-out -j LOG --log-prefix "OUTPUT CHAIN-> "
-A drop-and-log-it-out -j DROP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:05 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From kaber@trash.net 2007-03-05 19:05 MET -------

DNAT only works on packets that connection tracking regards as valid, so the most likely reason is that TCP window tracking for some reason thinks they are not (retransmits, ...).

You can try:

a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

to log these packets and the reason why conntrack thinks they're invalid, or

b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP

to drop them.
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:24 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero@ciditech.it 2007-03-05 19:24 MET -------

(In reply to comment #3)
> DNAT only works on packets that connection tracking regards as valid, so the
> most likely reason is that TCP window tracking for some reason thinks they are
> not (retransmits, ...).
> 
> You can try:
> 
> a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
> 
> to log these packets and the reason why conntrack thinks they're invalid, or
> 
> b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP
> 
> to drop them.

Hi, I just did as you told me... no invalid packets at all (nothing on the console after your echo cmd, and the counter is still 0). But my packets randomly continue to hit the INPUT chain:

INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14445 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14446 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14447 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0

If I try again (say, hitting RELOAD on the remote browser) sometimes I can see the entire page (a simple login page), sometimes only a part, sometimes nothing at all...

thanks for the help...
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:29 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From kaber@trash.net 2007-03-05 19:29 MET -------

(In reply to comment #4)
> I just did as you told me... no invalid packets at all (nothing on the console after
> your echo cmd, and the counter is still 0)

Which counter?
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:32 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero@ciditech.it 2007-03-05 19:32 MET -------

Sorry... you are right! I told netfilter to LOG INVALID packets, and this is the result:

IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--EXTIP-- LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=15151 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK FIN URGP=0

How can it be? If I connect the web server directly on the WAN side, all works perfectly!
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:39 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From kaber@trash.net 2007-03-05 19:39 MET -------

Well, it might be a retransmit, an overly delayed ACK, ... Valid packets that haven't been seen yet should not be marked INVALID, so just dropping the packets should make things behave fine.
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-05 19:47 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero@ciditech.it 2007-03-05 19:47 MET -------

After inserting your DROP statement, this log appears on my console exactly when packets get dropped:

Message from syslogd@flashbox at Mon Mar 5 19:52:46 2007 ...
flashbox kernel: nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN= OUT= SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=16414 DF PROTO=TCP SPT=3520 DPT=80 SEQ=94450082 ACK=1954097395 WINDOW=65520 RES=0x00 ACK URGP=0 OPT (0101050A7A1B86957A1B906D)

but the problem still remains: the web site doesn't behave correctly...
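The LOG lines quoted in this thread (the "INPUT CHAIN-> " hits from comment #4 and the nf_ct_tcp message above, produced by ip_conntrack_log_invalid) can be triaged mechanically: a packet that arrives on eth1 for port 80 and still reaches INPUT is one that PREROUTING did not DNAT, and the nf_ct_tcp reason says why conntrack refused it. The following Python is an added example, not code from the thread or the netfilter project; its sample lines are constructed from the ones quoted (DST kept as the reporter's --MYWANIP-- placeholder), and the chain prefix, WAN interface and DNAT port are taken from the reporter's ruleset.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the LOG and nf_ct_tcp output quoted in
# this thread; DST keeps the reporter's --MYWANIP-- placeholder.
SAMPLE_LOG = [
    "INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14445 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0",
    "INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=40 TOS=0x00 PREC=0x00 TTL=114 ID=15151 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK FIN URGP=0",
    "nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN= OUT= SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=16414 DF PROTO=TCP SPT=3520 DPT=80 SEQ=94450082 ACK=1954097395 WINDOW=65520 RES=0x00 ACK URGP=0",
    "INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=60 TOS=0x00 PREC=0x00 TTL=114 ID=20001 DF PROTO=TCP SPT=3600 DPT=22 WINDOW=65520 RES=0x00 SYN URGP=0",
]

KV = re.compile(r"(\w+)=(\S*)")            # KEY=VALUE tokens; value may be empty (IN= OUT=)
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF"}  # bare flag tokens
CT_MSG = re.compile(r"^nf_ct_tcp: (?P<reason>.+?) IN=")      # conntrack's INVALID reason

def parse_nf_log(line):
    """Turn one LOG / nf_ct_tcp line into a dict: KEY=VALUE fields, the text
    before the first field as 'prefix', bare flag tokens as 'flags', and the
    reason text of an nf_ct_tcp message as 'ct_reason' (None otherwise)."""
    fields = dict(KV.findall(line))
    first = KV.search(line)
    fields["prefix"] = (line[:first.start()] if first else line).strip()
    fields["flags"] = sorted(t for t in line.split() if t in FLAGS)
    m = CT_MSG.match(line)
    fields["ct_reason"] = m.group("reason") if m else None
    return fields

def dnat_bypass(lines, wan_if="eth1", dnat_port="80", log_prefix="INPUT CHAIN->"):
    """Packets the INPUT-chain LOG rule saw arriving on the WAN interface for
    the port that PREROUTING should have DNATed. A translated packet would carry
    the internal DST and traverse FORWARD instead, so every hit here skipped DNAT."""
    hits = []
    for p in map(parse_nf_log, lines):
        if (p["prefix"] == log_prefix and p.get("IN") == wan_if
                and p.get("PROTO") == "TCP" and p.get("DPT") == dnat_port):
            hits.append(p)
    return hits

def invalid_reasons(lines):
    """Tally the reasons conntrack logged (ip_conntrack_log_invalid=255) for
    treating packets as INVALID, to confirm they are all window-tracking rejects."""
    return Counter(p["ct_reason"] for p in map(parse_nf_log, lines) if p["ct_reason"])

if __name__ == "__main__":
    for p in dnat_bypass(SAMPLE_LOG):
        print("DNAT skipped:", p["SRC"], p["SPT"], "->", p["DPT"], p["flags"])
    print(invalid_reasons(SAMPLE_LOG))
```

Run it over `dmesg` or the syslog file instead of SAMPLE_LOG to see how many of the dropped port-80 packets line up with window-tracking rejects before deciding whether the INVALID DROP rule or tcp_be_liberal is the right fix.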
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-07 09:58 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero@ciditech.it 2007-03-07 09:58 MET -------

I tried with

echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

but nothing changes.

The problem is also described by http://www.mail-archive.com/debian-kernel@lists.debian.org/msg24805.html

It deals with NFS, but I think it's the same problem. How can I fix this?
bugzilla-daemon@bugzilla.netfilter.org
2007-Mar-08 04:16 UTC
[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

netfilter@linuxace.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter@linuxace.com

------- Additional Comments From netfilter@linuxace.com 2007-03-08 04:16 MET -------

Please provide output of "tcpdump -Snn port 80" plus the output of your console logging using the DROP statement during one of the failed attempts.