[Bug 115] New: incorrect "state RELATED,ESTABLISHED" checking with two interfaces
bugzilla-daemon@netfilter.org
Fri, 18 Jul 2003 18:03:38 +0200
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=115
Summary: incorrect "state RELATED,ESTABLISHED" checking with two interfaces
Product: netfilter/iptables
Version: linux-2.4.x
Platform: i386
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: connection tracking
AssignedTo: laforge@netfilter.org
ReportedBy: agri@desnol.ru
CC: netfilter-buglog@lists.netfilter.org
I have two interfaces to the internet, one with a real IP and another with a virtual IP.
The default interface is the real one, but if I force pinging through the other interface,
iptables blocks the packets.
Here is my table.
I have eth0 - real interface to the internet,
eth1 - private network (IP 192.168.0.205),
eth2 - interface to the internet with virtual IP 192.168.100.2 (gw 192.168.100.1).
> iptables -vL
agrigw:~ # iptables -vL
Chain INPUT (policy ACCEPT 67930 packets, 16M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
733K 961M ACCEPT all -- eth0 eth1 !192.168.0.0/24 192.168.0.0/24 state RELATED,ESTABLISHED
577K 114M ACCEPT all -- eth1 any 192.168.0.0/24 !192.168.0.0/24
252 99897 ACCEPT all -- eth2 eth1 !192.168.0.0/24 192.168.0.0/24 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 21780 packets, 7461K bytes)
pkts bytes target prot opt in out source destination
> iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 90121 packets, 18M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 22 packets, 1431 bytes)
pkts bytes target prot opt in out source destination
7270 420K MASQUERADE all -- any eth0 192.168.0.0/24 !192.168.0.0/16
2 168 MASQUERADE all -- any eth2 192.168.0.0/24 192.168.100.1
84 4447 MASQUERADE all -- any eth2 192.168.0.0/24 !192.168.0.0/16
Chain OUTPUT (policy ACCEPT 14 packets, 1111 bytes)
pkts bytes target prot opt in out source destination
I'm doing:
> ping www.ru
PING www.ru (194.87.0.50) from 217.150.59.18 : 56(84) bytes of data.
64 bytes from www.ru (194.87.0.50): icmp_seq=1 ttl=55 time=49.393 msec
64 bytes from www.ru (194.87.0.50): icmp_seq=2 ttl=55 time=38.066 msec
All is fine.
> ping -I 192.168.100.2 www.ru
PING www.ru (194.87.0.50) from 192.168.100.2 : 56(84) bytes of data.
--- www.ru ping statistics ---
2 packets transmitted, 0 received, 100% loss, time 1015ms
I have a route to 192.168.100.2:
80.237.18.0 192.168.100.1 255.255.254.0 UG 0 0 0 eth2
> ping 80.237.18.1
PING 80.237.18.1 (80.237.18.1) from 192.168.100.2 : 56(84) bytes of data.
64 bytes from 80.237.18.1: icmp_seq=1 ttl=61 time=22.365 msec
64 bytes from 80.237.18.1: icmp_seq=2 ttl=61 time=17.523 msec
My full route:
> route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
217.150.59.16 0.0.0.0 255.255.255.248 U 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
80.237.18.0 192.168.100.1 255.255.254.0 UG 0 0 0 eth2
0.0.0.0 217.150.59.17 0.0.0.0 UG 0 0 0 eth0
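As an added diagnostic (editor's example, not part of the report or of netfilter), the script below resolves each destination pinged in the report against the `route -n` table quoted above using longest-prefix match, and reports whether the interface the route leaves by is the one that owns the chosen source address. A mismatch there is the first thing to rule out before suspecting connection tracking.

```python
import ipaddress

# Routing table copied from the report's `route -n` output
# (Destination, Gateway, Genmask, Flags, Metric, Ref, Use, Iface).
ROUTE_TABLE = """\
217.150.59.16 0.0.0.0 255.255.255.248 U 0 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
80.237.18.0 192.168.100.1 255.255.254.0 UG 0 0 0 eth2
0.0.0.0 217.150.59.17 0.0.0.0 UG 0 0 0 eth0
"""


def parse_routes(text):
    """Turn `route -n` body lines into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes


def egress_iface(text, dst):
    """Longest-prefix match over the table, as the kernel FIB does for a destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, _gw, iface in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def iface_for_source(text, src):
    """Interface that owns a local address: the connected (gateway-less) route containing it."""
    addr = ipaddress.ip_address(src)
    for net, gw, iface in parse_routes(text):
        if gw is None and addr in net:
            return iface
    return None


def check_symmetric(text, src, dst):
    """True when the source address lives on the interface the destination route uses."""
    return iface_for_source(text, src) == egress_iface(text, dst)


if __name__ == "__main__":
    # The three pings from the report: default source, forced source, and the /23 route.
    for src, dst in (("217.150.59.18", "194.87.0.50"),
                     ("192.168.100.2", "194.87.0.50"),
                     ("192.168.100.2", "80.237.18.1")):
        print(f"{src} -> {dst}: leaves via {egress_iface(ROUTE_TABLE, dst)}, "
              f"source on {iface_for_source(ROUTE_TABLE, src)}, "
              f"symmetric={check_symmetric(ROUTE_TABLE, src, dst)}")
```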