DNATed packet not hitting FORWARD chain
James
newsjn at dpmg.com
Tue Nov 23 17:00:46 CET 2004
> James wrote:
>
> >Hi,
> >
> >I'm having some trouble getting DNAT to work properly. I have a gateway
> >machine that has two different connections to the Internet, on eth1 and
> >eth2. I'm trying to allow inbound port 1723 to be forwarded to an
> >internal PPTP server through both interfaces. It works on eth2, but not eth1.
> >Here's what I've got:
> >
> Hi
> I would try to check if packets arrive on .165 with tcpdump on this host,
> just to see if DNATting and FORWARDing are done correctly, and they should
> be, based on the rules you showed us.
Packets don't arrive on .165. They don't even hit the FORWARD chain; they
disappear somewhere between nat PREROUTING and filter FORWARD.
> Then I would ask how you deal with routing packets on your gw. I
> mean, if you receive the connection on eth2 and you DNAT and forward to
> .167, the returning packets from .167 should be routed to eth2 and
> exit the gw from that interface. The same for eth1 and .165.
>
> What about your routing settings on the gw? Maybe you use eth2 as the default
> route interface, and so the packets that come back from .165 also exit and
> are routed by eth2. This way you'll never get the SNAT rule associated
> with the previous DNAT rule matched and applied.
Well, that was it. I added a routing rule to route packets from .165 out
eth1, and suddenly packets are making it to the FORWARD chain.
I guess that the Linux routing decision checks the return path for the
packet as well, and drops it if there isn't one. Since there wasn't a
return route, the packet was dropped between nat PREROUTING and filter
FORWARD.
>
> BTW this is just an idea ;)
>
> bye
> primero
Thanks, it was a good idea.
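The setup the thread ends up with, as an added example (not the poster's own rules; the thread never shows them): each uplink DNATs tcp/1723 to its own internal server, and a source-based `ip rule` gives that server's traffic a default route out the matching uplink. Without the policy route the main table's single default route points the other way and the kernel's reverse-path check (rp_filter) drops the inbound packet right after nat PREROUTING, which is why it never reaches filter FORWARD. All interface names, gateways, server addresses and table ids are constructed placeholders.

```shell
#!/bin/sh
# Dual-uplink gateway. All addresses/tables below are constructed placeholders.
WAN1_IF=eth1; WAN1_GW=203.0.113.1;  PPTP1=192.168.1.165   # server reached via eth1
WAN2_IF=eth2; WAN2_GW=198.51.100.1; PPTP2=192.168.1.167   # server reached via eth2
T1=101; T2=102   # extra routing tables, one default route each

# Print commands instead of executing them when DRY_RUN=1 (preview mode).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

nat_rules() {
  # One DNAT per uplink; the reply direction is untranslated by conntrack
  run iptables -t nat -A PREROUTING -i "$WAN1_IF" -p tcp --dport 1723 -j DNAT --to-destination "$PPTP1"
  run iptables -t nat -A PREROUTING -i "$WAN2_IF" -p tcp --dport 1723 -j DNAT --to-destination "$PPTP2"
  # FORWARD only sees the packet if the routing step after PREROUTING keeps it
  run iptables -A FORWARD -p tcp -d "$PPTP1" --dport 1723 -j ACCEPT
  run iptables -A FORWARD -p tcp -d "$PPTP2" --dport 1723 -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The piece missing in the thread: a per-server default route. It makes the
# reverse-path lookup for inbound packets succeed on the non-default uplink
# and sends the server's replies back out the same uplink.
policy_routes() {
  run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$T1"
  run ip rule add from "$PPTP1" lookup "$T1"
  run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$T2"
  run ip rule add from "$PPTP2" lookup "$T2"
}

# Diagnostics: which way would replies from each server leave, and is the
# strict reverse-path check enabled on the uplinks?  (192.0.2.1 = any remote host)
check_return_path() {
  run ip route get 192.0.2.1 from "$PPTP1"
  run ip route get 192.0.2.1 from "$PPTP2"
  run sysctl net.ipv4.conf."$WAN1_IF".rp_filter net.ipv4.conf."$WAN2_IF".rp_filter
}

plan() { nat_rules; policy_routes; check_return_path; }

# "sh script.sh apply" executes; anything else only prints the plan.
if [ "${1:-}" = apply ]; then plan; else (DRY_RUN=1; plan); fi
```

Run it with `apply` as root on the gateway; without the argument it only prints what it would do, so the plan can be reviewed first.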