[Bug 71] New: dnat breaks connection tracking?

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Sat, 29 Mar 2003 21:07:54 +0100


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=71

           Summary: dnat breaks connection tracking?
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: connection tracking
        AssignedTo: laforge@netfilter.org
        ReportedBy: mbm@alt.org
                CC: netfilter-buglog@lists.netfilter.org


background:

internet -> (24.x.x.x) upstream nat (192.168.1.1) -> (192.168.1.2) linux box

the upstream nat is set up to forward all unhandled incoming packets to the linux
box; unfortunately it handle per-protocol translations and so the lan address of
the linux box has been leaking out. My solution was to add an extra nat layer so
the linux box could think it has a 24.x.x.x ip address and thus do the required
protocol translations:

internet -> (24.x.x.x) upstream nat (192.168.1.1) -> [(192.168.1.2) -> (24.x.x.x) linux box]

ifconfig eth0:0 24.x.x.x
iptables -t nat -A PREROUTING -p tcp -s \! 192.168.1.0/24 -d 192.168.1.2 -j DNAT --to-destination 24.x.x.x
default via 192.168.1.1 dev eth0  src 24.x.x.x (yes, the upstream nat is
extremely stupid)

So far, so good. The translations appear to be working fine and the linux box
thinks it has a 24.x.x.x ip address.

The problem:

external client y.y.y.y tries to connect to ftp (passive mode)
ip conntrack sets up a related y.y.y.y -> 24.x.x.x:32782
packet comes in 192.168.1.2, hits the DNAT rule and is translated to 24.x.x.x
resulting packet mysteriously misses the related rule



------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
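The sequence the reporter describes (PASV reply, conntrack expectation, DNAT on the incoming data SYN) can be modelled outside the kernel. The block below is an added example, not code from the bug report or from netfilter, and it does not claim to be the diagnosis of bug 71; it models the one ordering that is fixed in netfilter and relevant here: the conntrack expectation lookup runs at the PREROUTING conntrack hook (priority -200), on the packet as it arrived, before the nat table's DNAT (priority -100) rewrites the destination. It also includes the check a defender would want for the first half of the report, detecting a PASV reply that advertises an RFC 1918 address to an external client. All addresses are constructed stand-ins: 198.51.100.7 for "24.x.x.x", 203.0.113.9 for "y.y.y.y", with 192.168.1.2 and port 32782 taken from the report.

```python
"""Model of whether an FTP conntrack expectation matches a DNAT'd
passive-mode data connection.

Added example, not code from the bug report or from netfilter; nothing
here touches the kernel. Addresses are constructed stand-ins:
198.51.100.7 plays "24.x.x.x", 203.0.113.9 plays "y.y.y.y".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """TCP tuple; sport=None means 'any', as in a conntrack expectation."""
    src: str
    sport: Optional[int]
    dst: str
    dport: int


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract the (ip, port) a server advertises in a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def leaks_private_address(reply: str) -> bool:
    """True if the 227 reply advertises an RFC 1918 address.

    This is the 'lan address leaking out' from the report: an upstream NAT
    without an FTP helper forwards the reply to the client unchanged."""
    ip, _ = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def expectation_from_pasv(reply: str, client_ip: str) -> Flow:
    """What the FTP helper records: client -> advertised ip:port, any sport."""
    ip, port = parse_pasv(reply)
    return Flow(client_ip, None, ip, port)


def expectation_matches(exp: Flow, pkt: Flow) -> bool:
    return (exp.src == pkt.src
            and (exp.sport is None or exp.sport == pkt.sport)
            and exp.dst == pkt.dst
            and exp.dport == pkt.dport)


def apply_dnat(pkt: Flow, old_dst: str, new_dst: str) -> Flow:
    """The report's nat PREROUTING DNAT rule, as a pure function."""
    if pkt.dst != old_dst:
        return pkt
    return Flow(pkt.src, pkt.sport, new_dst, pkt.dport)


def classify(exp: Flow, pkt_on_wire: Flow) -> str:
    """State given to the data SYN. Modelling assumption: the expectation
    lookup happens at the conntrack hook (priority -200), i.e. on the packet
    as received, before nat PREROUTING DNAT (priority -100)."""
    return "RELATED" if expectation_matches(exp, pkt_on_wire) else "NEW"


# Constructed walk-through of the report's scenario.
PUBLIC_IP = "198.51.100.7"   # stand-in for 24.x.x.x
CLIENT_IP = "203.0.113.9"    # stand-in for y.y.y.y
LAN_IP = "192.168.1.2"
# The linux box believes it owns PUBLIC_IP, so it advertises it;
# 128*256 + 14 = 32782, the port quoted in the report.
PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,128,14)"


def walk_through():
    exp = expectation_from_pasv(PASV_REPLY, CLIENT_IP)
    # The upstream NAT delivers the data SYN to the LAN address...
    on_wire = Flow(CLIENT_IP, 40123, LAN_IP, exp.dport)
    state = classify(exp, on_wire)
    # ...and only afterwards does DNAT produce the tuple the expectation names.
    after_dnat = apply_dnat(on_wire, LAN_IP, PUBLIC_IP)
    return exp, state, expectation_matches(exp, after_dnat)


if __name__ == "__main__":
    exp, state, would_match_after_dnat = walk_through()
    print("expectation:", exp)
    print("state of data SYN as received:", state)
    print("would match after DNAT:", would_match_after_dnat)
```

Run stand-alone it prints the expectation keyed on the advertised 198.51.100.7:32782, reports the SYN as NEW because on the wire its destination is still 192.168.1.2, and shows that the same packet would have matched after DNAT. The `leaks_private_address` check is the part worth keeping on a real gateway: a 227 reply carrying a 192.168.x.x address tells you an FTP helper is missing somewhere upstream.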