[Bug 71] New: dnat breaks connection tracking?
bugzilla-daemon@netfilter.org
Sat, 29 Mar 2003 21:07:54 +0100
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=71
Summary: dnat breaks connection tracking?
Product: netfilter/iptables
Version: linux-2.4.x
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P2
Component: connection tracking
AssignedTo: laforge@netfilter.org
ReportedBy: mbm@alt.org
CC: netfilter-buglog@lists.netfilter.org
background:
internet -> (24.x.x.x) upstream nat (192.168.1.1) -> (192.168.1.2) linux box
the upstream nat is set up to forward all unhandled incoming packets to the linux
box; unfortunately it doesn't handle per-protocol translations and so the LAN address of
the linux box has been leaking out. My solution was to add an extra nat layer so
the linux box could think it has a 24.x.x.x ip address and thus do the required
protocol translations:
internet -> (24.x.x.x) upstream nat (192.168.1.1) -> [(192.168.1.2) -> (24.x.x.x) linux box]
ifconfig eth0:0 24.x.x.x
iptables -t nat -A PREROUTING -p tcp -s \! 192.168.1.0/24 -d 192.168.1.2 -j DNAT --to-destination 24.x.x.x
default via 192.168.1.1 dev eth0 src 24.x.x.x (yes, the upstream nat is extremely stupid)
So far, so good. The translations appear to be working fine and the linux box
thinks it has a 24.x.x.x ip address.
The problem:
external client y.y.y.y tries to connect to ftp (passive mode)
ip conntrack sets up a related y.y.y.y -> 24.x.x.x:32782
packet comes in 192.168.1.2, hits the DNAT rule and is translated to 24.x.x.x
resulting packet mysteriously misses the related rule
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
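The "mysterious" miss in the report has a concrete cause: in the PREROUTING hook, ip_conntrack runs at priority NF_IP_PRI_CONNTRACK (-200) before the nat table's DNAT at NF_IP_PRI_NAT_DST (-100), so the expectation lookup sees the packet with its pre-translation destination 192.168.1.2, while the FTP helper recorded the expectation against 24.x.x.x (the address the box announced in its PASV reply). The Python model below is an added example, not code from the bug report or from netfilter; it replays the report's scenario with constructed stand-in addresses (24.0.0.1 for 24.x.x.x, 198.51.100.7 for y.y.y.y) and shows that an expectation keyed on the address conntrack actually sees would be matched.

```python
"""Model of the PREROUTING hook ordering behind the report's missed expectation.

Added example; not part of the bug report. Addresses below are constructed
stand-ins for the report's 24.x.x.x (PUBLIC_IP) and y.y.y.y (CLIENT_IP).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# PREROUTING hook priorities from linux/netfilter_ipv4.h (lower runs first).
NF_IP_PRI_CONNTRACK = -200   # ip_conntrack: tuple lookup / expectation check
NF_IP_PRI_NAT_DST = -100     # iptables -t nat PREROUTING (DNAT)

PUBLIC_IP = "24.0.0.1"       # constructed stand-in for 24.x.x.x
CLIENT_IP = "198.51.100.7"   # constructed stand-in for y.y.y.y
LAN_IP = "192.168.1.2"
LAN_NET = "192.168.1.0/24"
DATA_PORT = 32782            # passive data port from the report


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Expectation:
    """A RELATED connection as the FTP helper records it.

    sport=None means "any source port", as for a PASV data connection
    where only the server side (dst, dport) is known in advance."""
    proto: str
    src: str
    dst: str
    dport: int
    sport: Optional[int] = None


def expectation_matches(exp: Expectation, pkt: Packet) -> bool:
    """Compare the packet tuple with the expectation tuple, field by field."""
    return (exp.proto == pkt.proto and exp.src == pkt.src and exp.dst == pkt.dst
            and exp.dport == pkt.dport
            and (exp.sport is None or exp.sport == pkt.sport))


@dataclass(frozen=True)
class DnatRule:
    """Models: -p <proto> -s ! <not_src_net> -d <dst> -j DNAT --to-destination <to>"""
    proto: str
    not_src_net: str
    dst: str
    to_destination: str


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """First matching nat PREROUTING rule rewrites the destination address."""
    for r in rules:
        if (pkt.proto == r.proto and pkt.dst == r.dst
                and ip_address(pkt.src) not in ip_network(r.not_src_net)):
            return replace(pkt, dst=r.to_destination)
    return pkt


def prerouting(pkt: Packet, expectations: List[Expectation],
               rules: List[DnatRule]) -> Tuple[Packet, bool]:
    """Run the PREROUTING hooks in priority order.

    Returns the packet as it leaves PREROUTING and whether conntrack
    classified it as RELATED (i.e. an expectation matched)."""
    hooks = sorted([(NF_IP_PRI_CONNTRACK, "conntrack"), (NF_IP_PRI_NAT_DST, "nat")])
    related = False
    for _prio, name in hooks:
        if name == "conntrack":
            # Lookup uses the tuple as it is *now*: before DNAT has run.
            related = any(expectation_matches(e, pkt) for e in expectations)
        else:
            pkt = apply_dnat(pkt, rules)
    return pkt, related


# The report's rule: -p tcp -s ! 192.168.1.0/24 -d 192.168.1.2 -j DNAT --to 24.x.x.x
DNAT_RULES = [DnatRule("tcp", LAN_NET, LAN_IP, PUBLIC_IP)]
INCOMING = Packet("tcp", CLIENT_IP, 40000, LAN_IP, DATA_PORT)  # as the upstream nat delivers it


def reproduce() -> Tuple[Packet, bool]:
    """Report's scenario: helper expected y.y.y.y -> 24.x.x.x:32782 (from the PASV reply)."""
    exp = Expectation("tcp", CLIENT_IP, PUBLIC_IP, DATA_PORT)
    return prerouting(INCOMING, [exp], DNAT_RULES)


def with_pre_nat_expectation() -> Tuple[Packet, bool]:
    """Same packet, but the expectation keyed on the destination conntrack sees (192.168.1.2)."""
    exp = Expectation("tcp", CLIENT_IP, LAN_IP, DATA_PORT)
    return prerouting(INCOMING, [exp], DNAT_RULES)


if __name__ == "__main__":
    pkt, related = reproduce()
    print(f"report: leaves PREROUTING as dst={pkt.dst}, RELATED={related}")
    pkt, related = with_pre_nat_expectation()
    print(f"pre-nat expectation: dst={pkt.dst}, RELATED={related}")
```

The first function ends with the packet translated to 24.x.x.x but not RELATED, which is exactly the symptom in the report: the DNAT did its job, but conntrack had already finished its lookup against 192.168.1.2. The second shows that expectations have to be keyed on the tuple conntrack sees at its hook, which is why stacking a hand-written DNAT on top of an address announced inside the FTP payload does not line up with the helper's expectation.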