[Bug 452] New: DNAT to internal network doesn't work with source routing and 2 uplinks

bugzilla-daemon at bugzilla.netfilter.org
Tue Feb 21 19:57:52 CET 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=452

           Summary: DNAT to internal network doesn't work with source routing
                    and 2 uplinks
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge at netfilter.org
        ReportedBy: mzurakowski-bin at data.pl


System: Debian Sarge
Kernel: 2.6.8-2-386 (from Debian)
Add-Patches: No

--------------------------------------------------------------------------
I have a gateway with 3 interfaces:

   eth0   eth1
    |      |
  ---------------
  |    gw       |
  ---------------
       |
      eth2

eth0: Uplink to my ISP1 (10.0.0.1/24, gw: 10.0.0.2)
eth1: Uplink to my ISP2 (10.0.1.1/24, gw: 10.0.1.2)
eth2: My internal network (10.0.2.1/24)

Simple source routing:
/sbin/ip rule add from 10.0.0.1 table TABLE1
/sbin/ip route add 10.0.0.0/29 dev eth0 src 10.0.0.1 table TABLE1
/sbin/ip route add default via 10.0.0.2 table TABLE1
/sbin/route add default gw 10.0.0.2 metric 0

/sbin/ip rule add from 10.0.1.1 table TABLE2
/sbin/ip route add 10.0.1.0/29 dev eth1 src 10.0.1.1 table TABLE2
/sbin/ip route add default via 10.0.1.2 table TABLE2
/sbin/route add default gw 10.0.1.2 metric 5

If I set up DNAT like:
-A PREROUTING -i eth0 -m tcp -p tcp --dport 25 -j DNAT --to 10.0.2.133
-A PREROUTING -i eth1 -m tcp -p tcp --dport 25 -j DNAT --to 10.0.2.133

It will only work if the packet comes in on the default routing device, eth0. If
I change the metric of the default gw on eth0 from 0 to 6, this DNAT rule will
work only from eth1 (lower metric). If I remove both default gws, the DNAT rules
do not work at all.

I noticed that the DNAT rule is firing (the counter on this rule is increasing),
but this SYN packet never reaches the FORWARD chain in the filter table. It just
disappears. There is no trace of this connection in ip_conntrack.

Marcin Z
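The routing decisions behind the symptoms above, as an added model written for this page (it is not the reporter's configuration, nor kernel or netfilter code): a small Python simulation of Linux policy routing loaded with the rules, tables and addresses transcribed from the report. It routes both legs of a connection DNATed to 10.0.2.133 and shows which uplink each leg leaves through. The one kernel fact it relies on is that the reverse NAT mapping for a DNATed connection is applied in POSTROUTING, after the routing decision, so the reply is routed with the internal host as its source and the `from 10.0.0.1` / `from 10.0.1.1` rules never match it; the remote address 198.51.100.7 is a constructed value.

```python
"""Toy model of the policy-routing lookups on the gateway from the report.

Constructed for this page: rules, tables and addresses are transcribed from
the report (TABLE1/TABLE2 with their /29 prefixes, two main-table defaults
with metrics 0 and 5); 198.51.100.7 is a made-up remote client address.
Only rule order, longest-prefix match and metric tie-breaking are modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None
    metric: int = 0


@dataclass(frozen=True)
class Rule:
    table: str
    src: Optional[IPv4Network] = None  # None means "from all"


# Routes from the report.  The connected /24s in main are what the kernel
# installs for the addressed interfaces; the two main defaults are the
# "route add default gw ... metric" lines.
TABLES: Dict[str, List[Route]] = {
    "TABLE1": [
        Route(IPv4Network("10.0.0.0/29"), "eth0"),
        Route(IPv4Network("0.0.0.0/0"), "eth0", via="10.0.0.2"),
    ],
    "TABLE2": [
        Route(IPv4Network("10.0.1.0/29"), "eth1"),
        Route(IPv4Network("0.0.0.0/0"), "eth1", via="10.0.1.2"),
    ],
    "main": [
        Route(IPv4Network("10.0.0.0/24"), "eth0"),
        Route(IPv4Network("10.0.1.0/24"), "eth1"),
        Route(IPv4Network("10.0.2.0/24"), "eth2"),
        Route(IPv4Network("0.0.0.0/0"), "eth0", via="10.0.0.2", metric=0),
        Route(IPv4Network("0.0.0.0/0"), "eth1", via="10.0.1.2", metric=5),
    ],
}

# "ip rule" entries in priority order, then the implicit "from all lookup main".
RULES: List[Rule] = [
    Rule("TABLE1", src=IPv4Network("10.0.0.1/32")),
    Rule("TABLE2", src=IPv4Network("10.0.1.1/32")),
    Rule("main"),
]


def lookup_table(table: str, dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match in one table; ties go to the lowest metric."""
    hits = [r for r in TABLES[table] if dst in r.prefix]
    if not hits:
        return None
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric))


def route(src: str, dst: str) -> Route:
    """Policy-routing lookup: the first matching rule whose table holds a
    route for dst wins; a table without a match falls through to the next
    rule, as the kernel does."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule.src is not None and s not in rule.src:
            continue
        hit = lookup_table(rule.table, d)
        if hit is not None:
            return hit
    raise LookupError(f"no route to {dst}")


def trace_dnat(ingress_dev: str, remote: str, target: str) -> dict:
    """Route both legs of a connection arriving on ingress_dev and DNATed
    to target.  The SYN is routed with its rewritten destination; the
    SYN-ACK is routed with the internal host as source, because the reverse
    NAT mapping is applied in POSTROUTING, after the routing decision, so
    the "from <uplink address>" rules never match it."""
    forward = route(remote, target)
    reply = route(target, remote)
    return {"forward_dev": forward.dev, "reply_dev": reply.dev,
            "symmetric": reply.dev == ingress_dev}


if __name__ == "__main__":
    remote = "198.51.100.7"
    for dev in ("eth0", "eth1"):
        print(dev, trace_dnat(dev, remote, "10.0.2.133"))
    # The "from" rules do steer traffic the gateway itself sources from an
    # uplink address, which is what they select on.
    print("sourced from 10.0.1.1 ->", route("10.0.1.1", remote).dev)
```

With the tables as transcribed, the forward leg always reaches eth2, but the reply leg always takes the main table's lowest-metric default (eth0), so only connections that arrived on eth0 get a symmetric return path; lowering the eth1 default below the eth0 one in `TABLES["main"]` flips `reply_dev` to eth1, which is the second observation in the report. Traffic the gateway itself sources from 10.0.1.1 is steered to eth1 by the `from` rule, which is the case those rules are written for.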
