[Bug 554] Packet illegaly bypassing SNAT

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Fri Mar 16 06:49:13 CET 2007


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=554





------- Additional Comments From kaber at trash.net  2007-03-16 06:49 MET -------
(In reply to comment #2)
> (In reply to comment #1)
> > Most likely these packets are considered invalid by connection tracking and
> > therefore not handled by NAT. Try this:
> > 
> > iptables -t mangle -A POSTROUTING -m state --state INVALID -j DROP
> 
> I tried that and it seems to be a workaround for the problem. But it does not
> solve it.

Well, I'm not so sure its a problem at all, nmap _does_ send invalid packets.
2.6.8/2.6.9 is about the time we introduced TCP window tracking, which is
probably the reason why it worked before. To find out why it thinks the packets
are invalid, do:

modprobe ipt_LOG
echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

> The question is, why these packets are considered INVALID as in earlier kernels
> they are not. Also if i put the staterule from above in the nat-table prior to
> the SNAT-rule, it does not match.
> 
> I observed the following interesting behaviour:
> 
>         I set the timeout for the conntrack entry down to 60s and opened a
>         telnetconnection to an outside ftp. Then I typed in nothing and waited
>         for the timeout. After it expired I reset the connection. That packet
>         made it unNATed through iptables. In earlier kernelversions a new entry
>         in the conntracktable was spawned.
>         Now the receiving server has no chance of ACKing the action, cause only
>         the internal IP is seen.

If you have connection pickup enabled it should create a new connection.

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You reported the bug, or are watching the reporter.



More information about the netfilter-buglog mailing list