[Bug 693] SNAT is failing to masquerade some TCP RST packets

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Wed Jul 4 16:10:56 CEST 2012


Myroslav Opyr <myroslav at quintagroup.com> changed:

           What    |Removed                     |Added
                 CC|                            |myroslav at quintagroup.com
         OS/Version|Ubuntu                      |All

--- Comment #10 from Myroslav Opyr <myroslav at quintagroup.com> 2012-07-04 16:10:55 CEST ---
We're experiencing a bug in Fedora 16 with kernel-3.2.9-2.fc16.x86_64 and
kernel-3.3.4-3.fc16.x86_64. Adding the following rule helped get rid of packets with
"internal" IP on "external" interface:

$IPTABLES -A FORWARD -i $INTIF -p tcp -m state --state INVALID -j DROP

Additional information for somebody that will be hit by the issue (to be able
to google this comment) follows:

We've been doing Nagios' check_http with --no-body (don't wait for document
body: close socket after receiving headers). The closed socket resulted in a
TCP RST packet in response to every http response body payload packet that was
received on the closed socket. NAT of these RST packets didn't work due to this
bug. Our server was effectively disabled by the datacenter provider (Hetzner) due
to unroutable packets that our server emitted.

This bug was not present in kernel- from Fedora 8 (that we'd
routed through for the test).
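A small detection script, added here as an example and not part of the bug report: it scans tcpdump-style summary lines captured on the external interface for packets that still carry an internal RFC 1918 source address (packets that escaped SNAT) and marks the TCP RST ones the comment above describes. The capture lines are constructed sample data.

```python
"""Detect un-NATed packets leaking onto the external interface.

Constructed example: parses tcpdump-style summary lines taken on the
external interface and reports packets whose source is still an internal
(RFC 1918) address, i.e. packets that escaped SNAT/masquerading. TCP RST
packets are flagged separately, since those are the ones the bug describes.
"""
import ipaddress
import re

# Matches the summary line tcpdump prints for IPv4 TCP packets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Internal ranges that must never appear as a source on the external side.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def find_leaks(lines, nets=INTERNAL_NETS):
    """Return (src, dst, flags, is_rst) for every leaked packet in lines."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 TCP summary line; ignore
        if is_internal(m["src"], nets):
            leaks.append((m["src"], m["dst"], m["flags"], "R" in m["flags"]))
    return leaks


# Constructed sample capture: one correctly NATed reply, two leaked packets.
SAMPLE = [
    "16:10:55.000001 IP 203.0.113.10.80 > 198.51.100.7.43210: Flags [P.], seq 1:101, ack 1, length 100",
    "16:10:55.000002 IP 192.168.1.20.80 > 198.51.100.7.43210: Flags [R], seq 101, length 0",
    "16:10:55.000003 IP 10.0.0.5.22 > 198.51.100.7.50000: Flags [S.], seq 0, ack 1, length 0",
]

if __name__ == "__main__":
    for src, dst, flags, rst in find_leaks(SAMPLE):
        print(f"leaked {'RST' if rst else 'non-RST'} packet: {src} -> {dst} [{flags}]")
```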
