DNATed packet not hitting FORWARD chain
newsjn at dpmg.com
Tue Nov 23 17:00:46 CET 2004
> James wrote:
> >I'm having some trouble getting DNAT to work properly. I have a gateway
> >machine that has two different connections to the Internet, on eth1 and
> >eth2. I'm trying to allow inbound port 1723 to be forwarded to an
> >PPTP server through both interfaces. It works on eth2, but not eth1.
> >Here's what I've got:
> I would try to check if packets arrives on .165 by tcpdump on this host.
> just to see if DNATTING and FORWARDING is done correctly, and it should
> be based on rules u showed us.
Packets don't arrive on .165. They don't even hit the FORWARD chain, they
disappear somewhere between nat PREROUTING and filter FORWARD.
> Then i would ask how do you deal with routing packets on your gw. I
> mean, if u receive the connection on eth2 and you DNAT and forward to
> .167 , the returning packets from .167 should be routed to the eth2 and
> exit the gw from that interface. The same for eth1 and .165
> What about you routing settings on the gw? maybe u use eth2 as default
> route interface and also the packets that come back from .165 exits and
> are routed by eth2. this way you'll never get the SNAT rule associated
> to the previous DNAT rule matched and applied .
Well, that was it. I added a routing rule to route packets from .165 out
eth1, and suddenly packets are making it to the FORWARD chain.
I guess that the Linux routing decision checks the return path for the
packet as well, and drops it if there isn't one. Since there wasn't a
return route, the packet was dropped between nat PREROUTING and filter
> BTW this is just an idea ;)
Thanks, it was a good idea.
More information about the netfilter