bugzilla-daemon at netfilter.org
2013-Sep-10  06:11 UTC
[Bug 850] New: DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850
           Summary: DNAT applied even after deleting the IP Tables DNAT
                    Rule
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: b.dathraj at gmail.com
   Estimated Hours: 0.0
Hi,
I see an issue with DNAT Rules of IP Tables. Even after the Rule is deleted the
DNAT happens. Below is the description for the same.
Topology:
---------
SD-1-eth1 --------- ge6-DUT-ge46 ------- eth1-SD-2
DUT:
-----
ge6: IP - 2.2.2.5 (INSIDE Interface)
ge46: IP - 192.168.10.5 (OUTSIDE Interface)
SD-1:
-----
eth1: 2.2.2.2
route: 192.168.10.0/24 via 2.2.2.5
SD-2:
-----
eth1: 192.168.10.2
route: 2.2.2.0/24 via 192.168.10.5
NAT Configuration:
------------------
"iptables -t nat -A POSTROUTING -j SNAT -s 2.2.2.2/32 --to-source 192.168.10.4-192.168.10.4 -o ge46"
"iptables -t nat -A PREROUTING -j DNAT -d 192.168.10.4/32 --to-destination 2.2.2.2-2.2.2.2 -i ge6"
As per the above rules, the source address of the packets coming from SD-1 is
changed to 192.168.10.4 and the destination address of the packets coming from
SD-2 is changed to 2.2.2.2.
We have tested this using SSH session from SD-1 to SD-2. Till this point
everything (SNAT & DNAT) is fine.
Issue:
------
Now we unconfigure the DNAT rule using "iptables -t nat -D PREROUTING -j DNAT
-d 192.168.10.4/32 --to-destination 2.2.2.2-2.2.2.2 -i ge6". Here the SSH
session should not establish, as the DNAT rule is deleted. But we see that the
destination address of the packets coming from SD-2 is still changed from
192.168.10.4 to 2.2.2.2. This happens only if the ARP entry for "192.168.10.4"
is present in DUT-2. If the ARP entry is cleared manually/aged-out then the
replies from SD-2 will not be aware of the destination and there will be no
session established.
Please let me know if we have any known issues on this or if it is expected.
Please note that the SNAT rule is still present while only the DNAT rule is
deleted.
-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Sep-10  15:40 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850
Phil Oester <netfilter at linuxace.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com
--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-09-10
17:40:59 CEST ---
You do realize that until the conntrack expires, NAT will still be applied,
right?  Have you verified that the conntrack entry with NAT has expired?  Try
"grep 2.2.2.2 /proc/net/nf_conntrack" (or use the conntrack tool if you
prefer).
Also:  why are you listing the same IP twice here:
    --to-destination 2.2.2.2-2.2.2.2
only need it once unless you have a range of IPs.
bugzilla-daemon at netfilter.org
2013-Sep-12  07:14 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850
--- Comment #2 from Dath Raj <b.dathraj at gmail.com> 2013-09-12 09:14:55 CEST ---
Hi Phil,

Thanks for the reply. I just had an idea that a cache is maintained by NAT but I
did not know the exact location/details. I have seen that the entry for which
DNAT was applied is still present in "/proc/net/nf_conntrack".

Can you please provide any information on when this entry gets expired? Is this
timeout configurable?

Thanks,
Dath Raj

(In reply to comment #1)
> You do realize that until the conntrack expires, NAT will still be applied,
> right?  Have you verified that the conntrack entry with NAT has expired?  Try
> "grep 2.2.2.2 /proc/net/nf_conntrack" (or use the conntrack tool if you
> prefer).
>
> Also:  why are you listing the same IP twice here:
>
>     --to-destination 2.2.2.2-2.2.2.2
>
> only need it once unless you have a range of IPs.
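The check Phil suggests in comment #1 (look for the stale entry in /proc/net/nf_conntrack) and the follow-up question in comment #2 (which entry, and how to get rid of it), as an added example that is not part of the bug report or of the netfilter tools. It scans the text format of /proc/net/nf_conntrack for entries whose reply tuple is not the plain mirror of the original tuple, which is what a NAT mapping looks like in that table, and emits the conntrack(8) delete commands that would flush them. The sample table is constructed here to match the reporter's topology; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the netfilter project): find
# conntrack entries that still carry a NAT mapping for a given address and
# print the conntrack(8) commands that would flush them.
#
# Constructed sample in /proc/net/nf_conntrack text format, modelled on the
# reporter's topology: an SSH session SD-1 -> SD-2 (SNATed to 192.168.10.4),
# an SSH session SD-2 -> 192.168.10.4 (DNATed to 2.2.2.2), and one plain
# un-NATed DNS flow to the DUT itself.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431998 ESTABLISHED src=2.2.2.2 dst=192.168.10.2 sport=40122 dport=22 src=192.168.10.2 dst=192.168.10.4 sport=22 dport=40122 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.2 dst=192.168.10.4 sport=51004 dport=22 src=2.2.2.2 dst=192.168.10.2 sport=22 dport=51004 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.10.2 dst=192.168.10.5 sport=53311 dport=53 src=192.168.10.5 dst=192.168.10.2 sport=53 dport=53311 mark=0 use=1'

# nat_entries IP [FILE]
# Print every entry that involves IP and whose reply tuple is not the exact
# mirror of the original tuple, i.e. an entry with a NAT mapping attached.
# FILE defaults to the live table on the DUT.
nat_entries() {
    ip=$1
    file=${2:-/proc/net/nf_conntrack}
    awk -v ip="$ip" '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        if (n < 2) next                       # malformed line: skip it
        natted = (src[1] != dst[2] || dst[1] != src[2])
        involved = (src[1] == ip || dst[1] == ip || src[2] == ip || dst[2] == ip)
        if (natted && involved) print
    }' "$file"
}

# nat_entry_count IP [FILE]: number of such entries, for scripting/asserts.
nat_entry_count() {
    nat_entries "$1" "$2" | wc -l | tr -d ' '
}

# flush_cmds IP [FILE]
# For each NAT entry involving IP, print the conntrack(8) command that deletes
# it, keyed on protocol and the original-direction src/dst, so the list can be
# reviewed before it is executed.
flush_cmds() {
    nat_entries "$1" "$2" | awk '{
        proto = $3
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && !s) s = substr($i, 5)
            else if ($i ~ /^dst=/ && !d) d = substr($i, 5)
        }
        printf "conntrack -D -p %s -s %s -d %s\n", proto, s, d
        s = ""; d = ""
    }'
}

# Stand-alone demo against the constructed table. On the DUT, omit the file
# argument so the functions read /proc/net/nf_conntrack directly.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONNTRACK" > "$demo_file"
echo "# entries still translating 192.168.10.4:"
nat_entries 192.168.10.4 "$demo_file"
echo "# commands that would flush them:"
flush_cmds 192.168.10.4 "$demo_file"
rm -f "$demo_file"
```

Deleting the iptables rule only stops new flows from being matched; the mapping recorded in an existing conntrack entry is applied until that entry expires or is deleted. `flush_cmds` prints one `conntrack -D` per entry so the operator can confirm the list before running it; `conntrack -F` flushes the whole table and drops every other tracked flow with it. The expiry the reporter asks about is the conntrack timeout for the flow's state, e.g. `net.netfilter.nf_conntrack_tcp_timeout_established` for an established TCP session, which is among the sysctls listed in the nf_conntrack-sysctl.txt document Pablo links in comment #3.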
bugzilla-daemon at netfilter.org
2013-Sep-12  08:51 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|                            |FIXED
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-09-12
10:51:38 CEST ---
(In reply to comment #2)
> Hi Phil,
>
> Thanks for the reply. I just had an idea that a cache is maintained by NAT but I
> did not know the exact location/details. I have seen that the entry for which
> DNAT was applied is still present in "/proc/net/nf_conntrack".
>
> Can you please provide any information on when this entry gets expired? Is this
> timeout configurable?
See this:
http://lxr.linux.no/linux+v3.11/Documentation/networking/nf_conntrack-sysctl.txt
http://conntrack-tools.netfilter.org/manual.html
Please, user questions should be asked via the netfilter users mailing list:
http://www.netfilter.org/mailinglists.html#ml-user
bugzilla-daemon at netfilter.org
2013-Sep-12  08:52 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-09-12
10:52:40 CEST ---
Closing