[Bug 71] dnat breaks connection tracking?

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Mon, 31 Mar 2003 19:29:10 +0200
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=71
------- Additional Comments From mbm@alt.org  2003-03-31 19:29 -------
DNAT:IN=eth0 OUT= MAC=00:90:27:35:b6:13:00:20:78:c5:72:06:08:00 SRC=y.y.y.y
DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=46557 DF PROTO=TCP SPT=47097
DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 

conntrack_ftp: RECORDING: y.y.y.y => 24.x.x.x:32774
nat_ftp: Not touching dir REPLY at hook OUTPUT
nat_ftp: Not touching dir REPLY at hook POSTROUTING

DNAT:IN=eth0 OUT= MAC=00:90:27:35:b6:13:00:20:78:c5:72:06:08:00 SRC=y.y.y.y
DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=51693 DF PROTO=TCP SPT=47101
DPT=32774 WINDOW=5840 RES=0x00 SYN URGP=0 

REJECT:IN=eth0 OUT= MAC=00:90:27:35:b6:13:00:20:78:c5:72:06:08:00 SRC=y.y.y.y
DST=24.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=51693 DF PROTO=TCP SPT=47101
DPT=32774 WINDOW=5840 RES=0x00 SYN URGP=0 

. . . 

rehashed:

y.y.y.y connects to 24.x.x.x which is the upstream nat (aka 192.168.1.1)
upstream nat sends the packet to 192.168.1.2 (ftp server)
192.168.1.2 does a dnat translation to make itself 24.x.x.x and keep conntrack happy
conntrack fails to see related connections

why do I do this?
case 1: If I do nothing then the ftp server will think it's 192.168.1.2, the
upstream nat will mangle the ip headers to 24.x.x.x but won't address the
problem of the data containing 192.168.1.2.
case 2: If I tell the ftp server to bind to 192.168.1.2 but send out data as if
it were 24.x.x.x I confuse conntrack with 192.168.1.2 != 24.x.x.x

I used to just use case 2 and disable the sanity checks but that gets tedious to do
on every kernel upgrade for various protocols, so I came up with the idea of
mapping 192.168.1.2 back to 24.x.x.x to make conntrack happy.

The problem isn't limited to just ftp, I get pretty much the same situation with
irc dcc.



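The sequence in the report, modelled as an added example (this is not code from the bug report or from netfilter): a Python script parses the conntrack_ftp RECORDING line and the DNAT'd data-connection SYN from the log above and checks whether the recorded expectation would cover that connection. It assumes a simplified expectation lookup (source address, destination address and port, TCP only) and that the lookup sees the destination as the packet arrived from the upstream NAT, i.e. before the local DNAT rule rewrites it.

```python
import re

# Log lines copied from the report (y.y.y.y / 24.x.x.x are the reporter's anonymised addresses).
RECORDING = "conntrack_ftp: RECORDING: y.y.y.y => 24.x.x.x:32774"
DATA_SYN = ("DNAT:IN=eth0 OUT= MAC=00:90:27:35:b6:13:00:20:78:c5:72:06:08:00 SRC=y.y.y.y "
            "DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=51693 DF PROTO=TCP SPT=47101 "
            "DPT=32774 WINDOW=5840 RES=0x00 SYN URGP=0")


def parse_expectation(line):
    """RECORDING line -> (client, expected dst address, expected dst port)."""
    m = re.search(r"RECORDING: (\S+) => (\S+):(\d+)", line)
    if m is None:
        raise ValueError("not a conntrack_ftp RECORDING line: %r" % line)
    return m.group(1), m.group(2), int(m.group(3))


def parse_log(line):
    """Netfilter LOG target line -> dict of KEY=VALUE fields (flags like DF/SYN are skipped)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def expectation_matches(expect, pkt):
    """Simplified expectation lookup (assumption): conntrack compares the packet as it
    arrived (pre-DNAT destination), so 192.168.1.2 never equals the recorded 24.x.x.x."""
    client, dst, dport = expect
    return (pkt.get("PROTO") == "TCP" and pkt.get("SRC") == client
            and pkt.get("DST") == dst and int(pkt.get("DPT", -1)) == dport)


def classify_data_connection(recording_line, log_line):
    """'RELATED' when the helper's expectation covers the incoming data connection,
    otherwise 'NEW' (which the reporter's ruleset then REJECTs)."""
    return "RELATED" if expectation_matches(parse_expectation(recording_line),
                                            parse_log(log_line)) else "NEW"


if __name__ == "__main__":
    print("data connection as logged:", classify_data_connection(RECORDING, DATA_SYN))
    # What the helper would have needed to record for the same SYN to be RELATED.
    inner = RECORDING.replace("24.x.x.x", "192.168.1.2")
    print("expectation on inside address:", classify_data_connection(inner, DATA_SYN))
```

The mismatch surfaces as an address comparison between the announced public address in the expectation and the private address the SYN actually carries when conntrack sees it.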