[Bug 71] New: dnat breaks connection tracking?
Sat, 29 Mar 2003 21:07:54 +0100
Summary: dnat breaks connection tracking?
OS/Version: Debian GNU/Linux
Component: connection tracking
internet -> (24.x.x.x) upstream nat (192.168.1.1) -> (192.168.1.2) linux box
the upstream nat is set up to forward all unhandled incoming packets to the linux
box; unfortunately it handles per protocol translations and so the LAN address of
the linux box has been leaking out. My solution was to add an extra nat layer so
the linux box could think it has a 24.x.x.x ip address and thus do the required
internet -> (24.x.x.x) upstream nat (192.168.1.1) -> [(192.168.1.2) ->
(24.x.x.x) linux box]
ifconfig eth0:0 24.x.x.x
iptables -t nat -A PREROUTING -p tcp -s \! 192.168.1.0/24 -d 192.168.1.2 -j DNAT
default via 192.168.1.1 dev eth0 src 24.x.x.x (yes, the upstream nat is
So far, so good. The translations appear to be working fine and the linux box
thinks it has a 24.x.x.x ip address.
external client y.y.y.y tries to connect to ftp (passive mode)
ip conntrack sets up a related y.y.y.y -> 24.x.x.x:32782
packet comes in 192.168.1.2, hits the DNAT rule and is translated to 24.x.x.x
resulting packet mysteriously misses the related rule
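The "mysterious" miss can be reproduced with a small model of the expectation lookup. This is an added illustration written for this report, not kernel code and not something the reporter posted: it assumes the usual netfilter PREROUTING ordering, in which the conntrack hook (where expectations are matched) runs before the nat table's DNAT rule, so the lookup is done against the packet's pre-translation destination. Addresses are the report's own placeholders (24.x.x.x, y.y.y.y, 192.168.1.2); the client source port 41000 and the control-connection label are constructed.

```python
"""Toy model of why a DNAT'd packet can miss a conntrack expectation.

Added illustration, not kernel code.  Assumption: in PREROUTING the
conntrack hook (expectation lookup) runs before the nat table's DNAT
rule, so the lookup sees the destination as it arrived on the wire.
Addresses reuse the report's placeholders; ports other than 32782 are
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: Optional[int]   # None = wildcard (the helper does not know the client port)
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Expectation:
    """What the FTP helper registers after parsing a passive-mode reply."""
    master: str   # the control connection this expectation belongs to
    flow: Flow    # the data connection the helper expects to see

    def matches(self, pkt: Flow) -> bool:
        e = self.flow
        return (e.src_ip == pkt.src_ip
                and (e.src_port is None or e.src_port == pkt.src_port)
                and e.dst_ip == pkt.dst_ip
                and e.dst_port == pkt.dst_port)


def dnat(pkt: Flow, match_dst: str, to_dst: str, lan_prefix: str) -> Flow:
    """Model of the report's PREROUTING rule: rewrite dst for non-LAN sources."""
    if pkt.dst_ip == match_dst and not pkt.src_ip.startswith(lan_prefix):
        return Flow(pkt.src_ip, pkt.src_port, to_dst, pkt.dst_port)
    return pkt


def classify(pkt: Flow, expectations: List[Expectation],
             lookup_before_nat: bool) -> Tuple[str, Flow]:
    """Return (conntrack state, the flow conntrack actually compared).

    lookup_before_nat=True is the assumed real hook order; False shows
    what the report implicitly expects (a lookup on the translated packet).
    """
    translated = dnat(pkt, "192.168.1.2", "24.x.x.x", "192.168.1.")
    seen = pkt if lookup_before_nat else translated
    state = "RELATED" if any(e.matches(seen) for e in expectations) else "NEW"
    return state, seen


# Constructed scenario from the report: the helper expects the passive data
# connection at the address the server announced, 24.x.x.x:32782.
EXPECTATIONS = [Expectation(master="y.y.y.y -> 24.x.x.x:21 (constructed label)",
                            flow=Flow("y.y.y.y", None, "24.x.x.x", 32782))]

# On the wire the data connection arrives addressed to the LAN address,
# because the upstream nat translated it on the way in.
INCOMING = Flow("y.y.y.y", 41000, "192.168.1.2", 32782)


def real_order() -> str:
    """State assigned when the expectation lookup precedes DNAT."""
    return classify(INCOMING, EXPECTATIONS, lookup_before_nat=True)[0]


def lookup_after_dnat() -> str:
    """State that would result if the lookup saw the DNAT'd destination."""
    return classify(INCOMING, EXPECTATIONS, lookup_before_nat=False)[0]


if __name__ == "__main__":
    print("expectation lookup before DNAT:", real_order())        # NEW
    print("expectation lookup after DNAT: ", lookup_after_dnat()) # RELATED
```

The model shows that the expectation and the arriving packet disagree only in the destination address, which is exactly the field the extra nat layer rewrites; whether the lookup lands as RELATED depends entirely on which side of the DNAT rule it runs.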