[Bug 552] Strange DNAT behaviour... packets don't pass through PREROUTING and go directly to INPUT !!

bugzilla-daemon at bugzilla.netfilter.org
Mon Mar 5 19:01:35 CET 2007

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552

------- Additional Comments From cbettero at ciditech.it  2007-03-05 19:01 MET -------
Here is my iptables-save:

eth0=LAN
eth1=WAN
MYWANIP = wan side IP

# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*raw
:PREROUTING ACCEPT [1995956:451770704]
:OUTPUT ACCEPT [1961924:1087077789]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*nat
:PREROUTING ACCEPT [17802:1194035]
:POSTROUTING ACCEPT [10136:610868]
:OUTPUT ACCEPT [9850:595464]
-A PREROUTING -d $MYWANIP -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth1 -j SNAT --to-source $MYWANIP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*mangle
:PREROUTING ACCEPT [1995985:451773060]
:INPUT ACCEPT [1520898:334872020]
:FORWARD ACCEPT [475076:116900716]
:OUTPUT ACCEPT [1961957:1087081769]
:POSTROUTING ACCEPT [2425267:1203332050]
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
# Generated by iptables-save v1.3.7 on Mon Mar 5 17:48:28 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [9:2940]
:drop-and-log-it - [0:0]
:drop-and-log-it-inp - [0:0]
:drop-and-log-it-out - [0:0]
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j drop-and-log-it-inp
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 222 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 3478 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 8888 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 2095 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 137 -j DROP
-A FORWARD -p tcp -m tcp --dport 138 -j DROP
-A FORWARD -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -j drop-and-log-it
-A FORWARD -j drop-and-log-it
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s $MYWANIP -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -s 10.0.0.5 -d 10.0.0.0/255.255.255.0 -o eth0 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.255.255.0 -o eth1 -j drop-and-log-it-out
-A OUTPUT -s $MYWANIP -o eth1 -j ACCEPT
-A OUTPUT -j drop-and-log-it-out
-A drop-and-log-it -j LOG --log-prefix "FORWARD CHAIN-> "
-A drop-and-log-it -j DROP
-A drop-and-log-it-inp -j LOG --log-prefix "INPUT CHAIN-> "
-A drop-and-log-it-inp -j DROP
-A drop-and-log-it-out -j LOG --log-prefix "OUTPUT CHAIN-> "
-A drop-and-log-it-out -j DROP
COMMIT
# Completed on Mon Mar 5 17:48:28 2007
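As an added illustration (not code from the bug report or from the netfilter project), the Python model below parses the port-80 subset of the ruleset above and traces one packet through nat PREROUTING, the routing decision and the filter table, so a defender can see which chain a given packet should land in. It assumes a documentation address in place of $MYWANIP and takes 10.0.0.5 (the host the REDIRECT rule excludes) to be the gateway's own eth0 address; the logging chains are left out, so an unmatched packet falls through to the chain policy. The model also encodes a general netfilter property worth remembering when a DNAT "does not fire": the nat table is consulted only for the first packet of a connection, and packets conntrack classifies as INVALID are never NATed, so such a packet keeps its original destination and is routed to INPUT rather than FORWARD.

```python
"""Trace packets through the nat PREROUTING and filter rules of bug 552 (subset).
Added illustration, not code from the bug report or from netfilter itself."""
import ipaddress
import shlex

# Assumptions: $MYWANIP replaced by a documentation address; the gateway's
# eth0 address is taken to be 10.0.0.5 (the host excluded by the REDIRECT rule).
MYWANIP = "198.51.100.10"
IFACE_ADDR = {"eth1": MYWANIP, "eth0": "10.0.0.5", "lo": "127.0.0.1"}
LOCAL_ADDRS = set(IFACE_ADDR.values())

# Constructed subset of the report's iptables-save; logging chains omitted.
RULESET = f"""
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d {MYWANIP} -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -s ! 10.0.0.2 -d ! 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

OPTS = {"-s": "src", "-d": "dst", "-i": "iif", "-o": "oif", "-p": "proto",
        "--dport": "dport", "--sport": "sport", "--state": "state",
        "-j": "target", "--to-destination": "to", "--to-ports": "to"}


def parse_rules(text):
    """Parse the iptables-save subset into {table: {chain: {policy, rules}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            table[name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {"match": {}, "neg": set()}, 2
            while i < len(toks):
                opt, i = toks[i], i + 1
                if opt == "-m":                      # match-module name, nothing to record
                    i += 1
                    continue
                neg = i < len(toks) and toks[i] == "!"   # pre-1.4 syntax: "-s ! 10.0.0.2"
                if neg:
                    i += 1
                key = OPTS[opt]                      # unknown options raise KeyError on purpose
                rule["match"][key], i = toks[i], i + 1
                if neg:
                    rule["neg"].add(key)
            table[toks[1]]["rules"].append(rule)
    return tables


def rule_matches(rule, pkt, ctstate):
    """True if every match in the rule (honouring '!') applies to the packet."""
    for key, want in rule["match"].items():
        if key in ("target", "to"):
            continue
        if key == "state":
            ok = ctstate in want.split(",")
        elif key in ("src", "dst"):                  # accepts both /24 and /255.255.255.0 forms
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
        elif key in ("iif", "oif"):                  # "tun+" is a prefix wildcard
            have = str(pkt.get(key))
            ok = have == want or (want.endswith("+") and have.startswith(want[:-1]))
        else:
            ok = str(pkt.get(key)) == want
        if ok == (key in rule["neg"]):               # mismatch, or a negated match that hit
            return False
    return True


def walk(chain, pkt, ctstate):
    """First matching rule in a chain, or None to fall through to the policy."""
    return next((r for r in chain["rules"] if rule_matches(r, pkt, ctstate)), None)


def trace(tables, pkt, ctstate="NEW"):
    """Return (filter chain, verdict, destination after NAT) for one packet."""
    pkt = dict(pkt)
    # The nat table is consulted only for the first packet of a connection;
    # later packets reuse the conntrack mapping and INVALID packets are never NATed.
    if ctstate == "NEW":
        hit = walk(tables["nat"]["PREROUTING"], pkt, ctstate)
        target = hit["match"]["target"] if hit else None
        if target == "DNAT":
            host, _, port = hit["match"]["to"].partition(":")
            pkt["dst"] = host
            if port:
                pkt["dport"] = int(port)
        elif target == "REDIRECT":                   # rewrite to the incoming interface's own address
            pkt["dst"] = IFACE_ADDR[pkt["iif"]]
            pkt["dport"] = int(hit["match"]["to"])
    # Routing decision: a local destination goes to INPUT, anything else to FORWARD.
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"
    hit = walk(tables["filter"][chain], pkt, ctstate)
    verdict = hit["match"]["target"] if hit else tables["filter"][chain]["policy"]
    return chain, verdict, f"{pkt['dst']}:{pkt['dport']}"


TABLES = parse_rules(RULESET)

if __name__ == "__main__":
    wan_syn = {"iif": "eth1", "src": "203.0.113.7", "dst": MYWANIP, "proto": "tcp", "dport": 80}
    print("fresh SYN from WAN:        ", trace(TABLES, wan_syn))
    print("same packet, INVALID state:", trace(TABLES, wan_syn, "INVALID"))
```

Run as a script it prints that a fresh SYN to the WAN address is rewritten to 10.0.0.2:80 and accepted in FORWARD, while the same packet in conntrack state INVALID skips NAT, is routed to INPUT and hits the DROP policy, which is the shape of symptom the bug title describes. On a live system the equivalent check is `iptables -t nat -L PREROUTING -v -n` (to see whether the DNAT rule's packet counter moves) together with the conntrack state of the flow.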
