Why would certain packets not reach nat PREROUTING chain?

Adam Rosi-Kessel adam at rosi-kessel.org
Mon Nov 14 16:09:37 CET 2005

Jozsef Kadlecsik wrote:
>>   - do not show up in /proc/net/ip_conntrack. There in fact are no
>>     inbound entries at all in /proc/net/ip_conntrack for the IP address of the
>>     remote server or for any traffic on port 500 at all.
> Double-check it ;-).

Okay--would it be sufficient to grep on port 500? conntrack tracks by port,
right? So as long as there are *no* entries in ip_conntrack for port 500 at
any point while I'm trying to make this connection, doesn't it mean that
conntrack isn't handling the packets?

>> I even added a raw table and a NOTRACK destination to packets travelling
>> on port 500 to every chain in the raw table. Still, the packets do not
>> show up in nat PREROUTING.
> If you add a NOTRACK rule for the packets in the raw table, then conntrack
> will skip those packets and in consequence NAT will skip them as well: NAT
> is built on top of conntrack.

Ah, okay, I didn't understand that.

>> Any suggestions for how to figure out why they're not getting to nat
>> PREROUTING?  Or are they perhaps being tracked in a way that I am not
>> noticing?
> Remove the NOTRACK rules from the raw table. Double check the mangle table
> for possible matching DROP targets, including the default policies. Do the
> same with the nat table as well.

The NOTRACK rules were just one test--I am not using them generally. So,
yes, they are removed.

As far as drop targets: for testing purposes, I am clearing all of the
tables of all rules, setting the default policy for all rules as ACCEPT, and
then just trying to see these inbound packets in the nat PREROUTING table.
So I am certain they are not being DROPped along the way.

The simplest possible test involves only one or two rules--SNAT'ing outbound
packets to the WAN IP, and then (attempting to) DNAT inbound packets on port
500 to the LAN IP of the proper machine. But because the inbound packets
don't enter the nat table, they never get DNAT'ed; and they are also not
routed to the proper machine with conntrack either.

I should also mention that all other NAT stuff works fine with this setup,
including FTP (passive and active), web browsing, etc.  I am also able to
DNAT inbound ssh connections to another internal machine.  It's only these
inbound udp port 500 packets that are somehow not entering the nat table or showing
up anywhere other than in mangle PREROUTING.
Adam Rosi-Kessel
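
Added example (not part of the original message or of the netfilter project): a field-aware version of the "grep on port 500" check discussed above, which matches only `sport=`/`dport=` fields of one protocol so that ports such as 5000 are not counted. It assumes the legacy `/proc/net/ip_conntrack` text layout; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Field-aware search of the conntrack table for one protocol and port.
# Assumes the legacy /proc/net/ip_conntrack layout (protocol name in column 1).

# Print entries of protocol $1 whose original or reply tuple uses port $2.
# $3 is the table file (default /proc/net/ip_conntrack; "-" reads stdin).
conntrack_port_entries() {
    proto=$1 port=$2 file=${3:-/proc/net/ip_conntrack}
    awk -v proto="$proto" -v port="$port" '
        $1 == proto {
            # Compare whole fields, so port 500 never matches 5000 or 15000.
            for (i = 2; i <= NF; i++)
                if ($i == "sport=" port || $i == "dport=" port) { print; next }
        }' "$file"
}

# Number of matching entries (0 means conntrack holds no such flow right now).
conntrack_port_count() {
    conntrack_port_entries "$1" "$2" "${3:-/proc/net/ip_conntrack}" | wc -l | tr -d ' '
}

# Constructed sample table: only the last entry is UDP port 500 traffic.
sample_table() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=203.0.113.9 sport=5000 dport=22 src=203.0.113.9 dst=198.51.100.2 sport=22 dport=5000 [ASSURED] use=1
udp      17 25 src=192.168.1.20 dst=203.0.113.50 sport=15000 dport=53 src=203.0.113.50 dst=198.51.100.2 sport=53 dport=15000 use=1
udp      17 28 src=192.168.1.30 dst=203.0.113.9 sport=500 dport=500 [UNREPLIED] src=203.0.113.9 dst=198.51.100.2 sport=500 dport=500 use=1
EOF
}

# Demo on the constructed sample; on a live gateway call
# conntrack_port_entries udp 500 repeatedly while the connection is attempted.
echo "plain grep 500 matches: $(sample_table | grep -c 500) lines"
echo "udp port 500 entries:   $(sample_table | conntrack_port_count udp 500 -)"
sample_table | conntrack_port_entries udp 500 -
```

The table is a snapshot, so on a live system the check has to be repeated while the remote side is sending, since short-lived UDP entries expire quickly.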
