bugzilla-daemon at netfilter.org
2013-Sep-10 06:11 UTC
[Bug 850] New: DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850

           Summary: DNAT applied even after deleting the IP Tables DNAT Rule
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: b.dathraj at gmail.com
   Estimated Hours: 0.0

Hi,

I see an issue with DNAT Rules of IP Tables. Even after the Rule is deleted the DNAT happens. Below is the description for the same.

Topology:
---------
SD-1-eth1 --------- ge6-DUT-ge46 ------- eth1-SD-2

DUT:
-----
ge6: IP - 2.2.2.5 (INSIDE Interface)
ge46: IP - 192.168.10.5 (OUTSIDE Interface)

SD-1:
-----
eth1: 2.2.2.2
route: 192.168.10.0/24 via 2.2.2.5

SD-2:
-----
eth1: 192.168.10.2
route: 2.2.2.0/24 via 192.168.10.5

NAT Configuration:
------------------
"iptables -t nat -A POSTROUTING -j SNAT -s 2.2.2.2/32 --to-source 192.168.10.4-192.168.10.4 -o ge46"
"iptables -t nat -A PREROUTING -j DNAT -d 192.168.10.4/32 --to-destination 2.2.2.2-2.2.2.2 -i ge6"

As per the above rules, the source address of the packets coming from SD-1 is changed to 192.168.10.4 and the destination address of the packets coming from SD-2 is changed to 2.2.2.2. We have tested this using an SSH session from SD-1 to SD-2. Till this point everything (SNAT & DNAT) is fine.

Issue:
------
Now we unconfigure the DNAT rule using "iptables -t nat -D PREROUTING -j DNAT -d 192.168.10.4/32 --to-destination 2.2.2.2-2.2.2.2 -i ge6". Here the SSH session should not establish as the DNAT rule is deleted. But we see that the destination address of the packets coming from SD-2 is changed from 192.168.10.4 to 2.2.2.2. This happens only if the ARP entry for "192.168.10.4" is present in DUT-2. If the ARP entry is cleared manually/aged-out then the replies from SD-2 will not be aware of the destination and there will be no session established.

Please let me know if we have any known issues on this or if it is expected.
Please note that the SNAT Rule is still present while only the DNAT Rule is deleted.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Sep-10 15:40 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-09-10 17:40:59 CEST ---
You do realize that until the conntrack expires, NAT will still be applied, right? Have you verified that the conntrack entry with NAT has expired? Try "grep 2.2.2.2 /proc/net/nf_conntrack" (or use the conntrack tool if you prefer).

Also: why are you listing the same IP twice here:

--to-destination 2.2.2.2-2.2.2.2

only need it once unless you have a range of IPs.
bugzilla-daemon at netfilter.org
2013-Sep-12 07:14 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850

--- Comment #2 from Dath Raj <b.dathraj at gmail.com> 2013-09-12 09:14:55 CEST ---
Hi Phil,

Thanks for the reply. I just had an idea that a cache is maintained by NAT but I did not know the exact location/details. I have seen that the entry for which DNAT was applied is still present in "/proc/net/nf_conntrack".

Can you please provide any information on when this entry gets expired? Is this timeout configurable?

Thanks,
Dath Raj

(In reply to comment #1)
> You do realize that until the conntrack expires, NAT will still be applied,
> right? Have you verified that the conntrack entry with NAT has expired? Try
> "grep 2.2.2.2 /proc/net/nf_conntrack" (or use the conntrack tool if you
> prefer).
>
> Also: why are you listing the same IP twice here:
>
> --to-destination 2.2.2.2-2.2.2.2
>
> only need it once unless you have a range of IPs.
bugzilla-daemon at netfilter.org
2013-Sep-12 08:51 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|                            |FIXED

--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-09-12 10:51:38 CEST ---
(In reply to comment #2)
> Hi Phil,
>
> Thanks for the reply. I just had an idea that a cache is maintained by NAT but I
> did not know the exact location/details. I have seen that the entry for which
> DNAT was applied is still present in "/proc/net/nf_conntrack".
>
> Can you please provide any information on when this entry gets expired? Is this
> timeout configurable?

See this:

http://lxr.linux.no/linux+v3.11/Documentation/networking/nf_conntrack-sysctl.txt
http://conntrack-tools.netfilter.org/manual.html

Please, user questions should be asked via the netfilter users mailing list:

http://www.netfilter.org/mailinglists.html#ml-user
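Phil's grep in comment #1 and the conntrack timeout documentation Pablo points to in comment #3 can be combined into a small audit; the script below is an added example, not code from the bug thread or from the netfilter project. It parses lines in the /proc/net/nf_conntrack format (a constructed sample here, modelled on the report's addresses) and reports which entries still carry a NAT mapping and how many seconds remain before they expire; the nat_flows and count_nat_for names and the sample lines are the example's own assumptions.

```shell
#!/bin/sh
# Added example: audit which conntrack entries still carry a NAT mapping, i.e. the
# flows that keep being translated after a nat-table rule has been deleted.
# Reads nf_conntrack-style lines on stdin, so on a live box: nat_flows < /proc/net/nf_conntrack

# Constructed sample input (Linux 3.x nf_conntrack layout) modelled on the report's topology.
# Line 1: SSH from SD-1, SNATed to 192.168.10.4 (reply dst differs from original src).
# Line 2: connection from SD-2 to 192.168.10.4, DNATed to 2.2.2.2 (reply src differs from original dst).
# Line 3: un-NATed flow; the reply tuple is just the mirror of the original tuple.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431975 ESTABLISHED src=2.2.2.2 dst=192.168.10.2 sport=40122 dport=22 src=192.168.10.2 dst=192.168.10.4 sport=22 dport=40122 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431800 ESTABLISHED src=192.168.10.2 dst=192.168.10.4 sport=50010 dport=22 src=2.2.2.2 dst=192.168.10.2 sport=22 dport=50010 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.168.10.5 dst=192.168.10.2 sport=51000 dport=80 src=192.168.10.2 dst=192.168.10.5 sport=80 dport=51000 [ASSURED] mark=0 use=1'

# Print one line per NATed entry: "<proto> <seconds left> <orig src->dst> reply <src->dst> <SNAT|DNAT|SNAT+DNAT>".
# Field 5 is the remaining timeout. An ESTABLISHED TCP entry starts from
# net.netfilter.nf_conntrack_tcp_timeout_established (432000 s = 5 days by default),
# so the mapping outlives the rule unless the entry is removed (conntrack-tools: conntrack -D).
nat_flows() {
  awk '{
    n = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
      else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
    }
    if (n < 2) next                       # not a line with both tuples
    kind = ""
    if (dst[2] != src[1]) kind = "SNAT"   # replies are delivered to a translated source
    if (src[2] != dst[1]) kind = kind (kind == "" ? "" : "+") "DNAT"  # replies come from a translated destination
    if (kind != "")
      printf "%s %ss %s->%s reply %s->%s %s\n", $3, $5, src[1], dst[1], src[2], dst[2], kind
  }'
}

# Count the NATed entries that still reference a given address (Phil's grep, applied to NAT entries only).
count_nat_for() {  # usage: nat lines on stdin, address as $1
  nat_flows | grep -c -F -- "$1"
}

printf '%s\n' "$SAMPLE_CONNTRACK" | nat_flows
```

On the reporter's DUT the first kind of entry is what keeps rewriting the replies from SD-2 after the DNAT rule is gone: the SSH session's own conntrack entry, created while the SNAT rule matched, carries the reverse mapping until it expires or is deleted.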
bugzilla-daemon at netfilter.org
2013-Sep-12 08:52 UTC
[Bug 850] DNAT applied even after deleting the IP Tables DNAT Rule
https://bugzilla.netfilter.org/show_bug.cgi?id=850

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> 2013-09-12 10:52:40 CEST ---
Closing