similar to: More on conntrack + NAT + mangle/nat tables

Displaying 20 results from an estimated 9000 matches similar to: "More on conntrack + NAT + mangle/nat tables"

2018 Feb 15
2
[Bug 1227] New: Current conntrack state isn't considered when evaluating multiple SNAT rules
https://bugzilla.netfilter.org/show_bug.cgi?id=1227 Bug ID: 1227 Summary: Current conntrack state isn't considered when evaluating multiple SNAT rules Product: netfilter/iptables Version: unspecified Hardware: All OS: other Status: NEW Severity: enhancement Priority: P5
2006 Apr 09
3
Conntrack, nat and multipath - what is wrong here?
I have a gentoo 2.6.14 box with 4 nics, LAN/DMZ/PUB1/PUB2 LAN and DMZ have a 1918 /22 each, PUB1 and PUB2 have a /29 each of which 5 ips are assigned. Using the mangle table, I give all packets a mark (according to local policies) in the range 1-10. Using ip rule, I pass marks 1-5 through the pub1 route table, and marks 6-10 through the pub2 routing table. Using the nat table, I SNAT to one
2005 Nov 28
0
conntrack match failed, packets not FWMarked
Hi all, I have 2 ISPs on a Linux router and a local network with one Linux server and many windows. The local network is masqueraded. I want to give access to port 25 and 80 of my server from any incoming request (i.e. from my 2 ISP). I have made a DNAT translation, which works but the outgoing answers are not routed correctly. Of course, the de-SNAT process is done before the routing process. So
2007 Apr 18
1
[Bridge] Multilink + bridge + nat problem
Hi, I have a suspicious problem with multiple uplinks configuration. First of all my configuration: 1) kernel 2.6.20.3 2) iptables 1.3.7 3) last iproute (for masked marks) All wan interfaces are bridged (stp disabled) in only one interface (wan0), all lan interfaces are bridged (stp enabled) in only one interface (zlan0). The wan0 bridge is to allow UPnP works. To allow related
2003 Mar 15
0
[Bug 64] New: Conntrack-Table is not cleared on inferface down using target MASQUERADE
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=64 Summary: Conntrack-Table is not cleared on inferface down using target MASQUERADE Product: netfilter/iptables Version: linux-2.4.x Platform: i386 OS/Version: other Status: NEW Severity: normal Priority: P2 Component: NAT
2013 Sep 11
8
[Bug 851] New: IPv6 SNAT target with --random doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=851 Summary: IPv6 SNAT target with --random doesn't work Product: netfilter/iptables Version: unspecified Platform: x86_64 OS/Version: All Status: NEW Severity: normal Priority: P5 Component: NAT AssignedTo: netfilter-buglog at lists.netfilter.org
2005 Jul 05
0
Wrong behaviour in policy routing
Hi! I get this strange behaviour... I don't know how some packets get into wrong rules. My rules are those: 0: from all lookup local 50: from all lookup main 201: from 192.168.17.0/28 lookup 201 202: from 192.168.16.0/28 lookup 202 222: from all lookup 222 32766: from all lookup main 32767: from all lookup default Table main has: 192.168.17.0/28 dev eth2
2005 Jul 06
0
About routing, nat, the FORWARD chain, and a bit of Julian's patches
Hi! I'm still trying to solve the problem, about which I already posted in these lists... I've been trying to understand where packet routing and NAT is being done. The schemes are quite clear, when it's about the _first_ packet of a NAT connection (when it enters the NAT table). But it isn't that clear about the packets NAT'ed by the connection
2012 Oct 13
1
ipsec nat issue
Hello, I have the following setup on linux 2.6.32... CentOS 6.x : ipsec tunnel eth0-10.255.3.254/25 - eth1-pub add1 <-> eth1-pub add2 - eth0-10.255.5.254/25 I am trying to SNAT remote private address 10.255.5.128/25 packets when they come out of the ipsec tunnel to make it appear like it was from local address 10.255.3.254. I am doing a source ping from the right side to a device on the
2020 Aug 04
0
[Bug 1448] New: SNAT/DNAT/Masquerading not working for UDPLite protocol
https://bugzilla.netfilter.org/show_bug.cgi?id=1448 Bug ID: 1448 Summary: SNAT/DNAT/Masquerading not working for UDPLite protocol Product: netfilter/iptables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: normal Priority: P5 Component: NAT
2006 Aug 03
0
[Bug 498] New: RTP packets are not hitting NAT table
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=498 Summary: RTP packets are not hitting NAT table Product: netfilter/iptables Version: linux-2.6.x Platform: All OS/Version: Fedora Status: NEW Severity: major Priority: P2 Component: NAT AssignedTo: laforge@netfilter.org ReportedBy:
2007 Feb 09
0
Routing / NAT for Multi Subnet Router
Hi, I have a linux system which is router between several subnets (each also a different segment), in total 3 different lans, 2 dmz, and 4 internet connections, my default FORWARD policy is DROP, here is a simplified example of my config with only two lan segments and internet connection: Allow forwarding between lans -A FORWARD -s lan1/mask -j ACCEPT -A FORWARD -d lan1/mask -j ACCEPT -A
2005 Feb 14
6
NAT over 2 providers (not load balance)
Hi guys, Can you take a look at this? :) +-----------+ | | eth1-|- | | -|-eth0---LAN--- | | eth2-|- | | | +-----------+ - eth0 is connected to the LAN having the IP=LAN_IP eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1 eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2 I need
2006 Dec 12
0
Re: Routing & NAT Problem take #2
Try to SNAT the incoming connection too, then your server sees only the 200.x.x.x IP for the incoming calls. You have DNAT for redirections, add a postrouting SNAT. I suppose that you are DNATing in PREROUTING and you will add a rule (only for example) for SNAT the incoming calls from 200.x.x.x router: iptables -t nat -A POSTROUTING -d <internal server ip> -j MASQUERADE Perhaps
2009 Oct 23
9
sip/iax problem - udp conntrack entries not getting destroyed
Hello all, I have an asterisk sip/iax peer behind a linux gateway doing nat. I'm using pppoe with a dynamic ip that changes frequently. The problem is when the line drops the sip/iax registrations drop as well, and they don't register thereafter. When I check the conntrack entries, I noticed the entries still have the old wan ip address and because of keepalive (I'm
2012 Oct 23
1
masq rules for LVS
Hi, I need some special masq rules to allow internal servers to resolve public IP's which are loadbalanced by LVS - the rules are: iptables -t nat -A POSTROUTING -m ipvs --vaddr <LVS PUBLIC IP>/32 --vport 80 -j SNAT --to-source <LVS INTERNAL IP> Also I need to enable: echo 1 > /proc/sys/net/ipv4/vs/conntrack Currently I do all this from /etc/shorewall/started - but is
2007 Jun 14
1
Conntrackd and shorewall
Hi, I'm trying to use conntrackd, shorewall and keepalived. Conntrackd (now known as conntrack-tools) is working ok, keepalived too, but I don't know how to put some iptables rules in shorewall. eth0 is the local area (192.168.0.0/24) eth1 is the net area (192.168.1.0/24) [1] iptables -P FORWARD DROP [2] iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT [3] iptables -A
2005 Jan 13
0
IpRoute + NAT problem
Hi, All Sorry for English But I need new ideas for my problem I have a local network, server with 2 Internet channels Local computers connect to server via VPN. Task: some users go to Internet through first Internet channel other through second. System Suse 9.2, kernel 2.6.8. I read iproute documentation and configured routes. Ping from server go through 2 channels. ping -I eth_inet1 www.ya.ru -
2017 Feb 02
1
[Bug 1116] New: Can't create Ipv6 NAT entries with conntrack
https://bugzilla.netfilter.org/show_bug.cgi?id=1116 Bug ID: 1116 Summary: Can't create Ipv6 NAT entries with conntrack Product: conntrack-tools Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: conntrack Assignee:
2006 Mar 28
1
Please help - totally confused (NAT + FWMARK + IMQ + HTB)
Hello, I'm trying to get my shaper to work, but have only a partial success. Can someone help me with that. My setup unfortunately is not so trivial, but I think some people could have similar one... 1. There is a router connected to the internet line via interface eth0 2. There are users connected to the router via two interfaces : eth1 and wlan0 3. All users are assigned private IP