[Bug 452] New: DNAT to internal network doesn't work with source routing and 2 uplinks

bugzilla-daemon at bugzilla.netfilter.org
Tue Feb 21 19:57:52 CET 2006


           Summary: DNAT to internal network doesn't work with source routing
                    and 2 uplinks
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: i386
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: NAT
        AssignedTo: laforge at netfilter.org
        ReportedBy: mzurakowski-bin at data.pl

System: Debian Sarge
Kernel: 2.6.8-2-386 (from Debian)
Add-Patches: No

I have a gateway with 3 interfaces:

   eth0   eth1
    |      |
  |    gw       |

eth0: Uplink to my ISP1 (, gw:
eth1: Uplink to my ISP2 (, gw:
eth2: My internal network (

Simple source routing:
/sbin/ip rule add from table TABLE1
/sbin/ip route add dev eth0 src table TABLE1
/sbin/ip route add default via table TABLE1
/sbin/route add default gw metric 0

/sbin/ip rule add from table TABLE2
/sbin/ip route add dev eth1 src table TABLE2
/sbin/ip route add default via table TABLE2
/sbin/route add default gw metric 5

If I setup DNAT like:
-A PREROUTING -i eth0 -m tcp -p tcp --dport 25 -j DNAT --to
-A PREROUTING -i eth1 -m tcp -p tcp --dport 25 -j DNAT --to

It will only work if the packet comes in from the default routing device - eth0. If
I change the metric of the default gw on eth0 from 0 to 6, this DNAT rule will work only
from eth1 (lower metric). If I remove both default gws, the DNAT rules are not
working at all.

I noticed that the DNAT rule is firing - the counter on this rule is increasing, but
this SYN packet never reaches the FORWARD chain in the filter table. It just
disappears. There is no trace of this connection in ip_conntrack.

Marcin Z
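To make the "simple source routing" in the report easier to reason about, here is an added example (not part of the bug report, and not netfilter or iproute2 code) that simulates the Linux policy-routing lookup the `ip rule` / `ip route` commands above set up: rules are tried in ascending priority, a matching rule's table is searched by longest prefix match with ties broken by lower metric, and a table with no matching route falls through to the next rule. All addresses (RFC 5737 documentation ranges), table names and the `build_tables` / `select_route` helpers are constructed assumptions; the report does not show the real addresses. Only the rule/route lookup is modelled, not rp_filter, conntrack or the DNAT rewrite itself.

```python
"""Simulate the policy-routing lookup for a gateway with two uplinks.

Added example; addresses are constructed (RFC 5737), not the reporter's.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Route = namedtuple("Route", "prefix dev gateway metric")
Rule = namedtuple("Rule", "priority src table")

# Constructed addressing plan (assumption, the report elides the real values)
ISP1_NET = ip_network("198.51.100.0/24")   # eth0 uplink
ISP1_ADDR = ip_address("198.51.100.10")
ISP1_GW = ip_address("198.51.100.1")
ISP2_NET = ip_network("203.0.113.0/24")    # eth1 uplink
ISP2_ADDR = ip_address("203.0.113.10")
ISP2_GW = ip_address("203.0.113.1")
LAN_NET = ip_network("192.168.0.0/24")     # eth2 internal network
DEFAULT = ip_network("0.0.0.0/0")


def build_tables(eth0_metric=0, eth1_metric=5):
    """Build TABLE1, TABLE2 and main as the report's commands would.

    A metric of None leaves that default route out of the main table,
    mirroring the reporter's "remove both default gw" experiment.
    """
    main = [
        Route(ISP1_NET, "eth0", None, 0),   # connected routes
        Route(ISP2_NET, "eth1", None, 0),
        Route(LAN_NET, "eth2", None, 0),
    ]
    if eth0_metric is not None:
        main.append(Route(DEFAULT, "eth0", ISP1_GW, eth0_metric))
    if eth1_metric is not None:
        main.append(Route(DEFAULT, "eth1", ISP2_GW, eth1_metric))
    return {
        # ip route add <ISP1_NET> dev eth0 src <ISP1_ADDR> table TABLE1
        # ip route add default via <ISP1_GW> table TABLE1
        "TABLE1": [Route(ISP1_NET, "eth0", None, 0), Route(DEFAULT, "eth0", ISP1_GW, 0)],
        "TABLE2": [Route(ISP2_NET, "eth1", None, 0), Route(DEFAULT, "eth1", ISP2_GW, 0)],
        "main": main,
    }


# ip rule add from <ISP1_ADDR> table TABLE1 ; ip rule add from <ISP2_ADDR> table TABLE2
# Priorities are illustrative; "main" is consulted last for any source.
RULES = [
    Rule(100, ip_network(f"{ISP1_ADDR}/32"), "TABLE1"),
    Rule(200, ip_network(f"{ISP2_ADDR}/32"), "TABLE2"),
    Rule(32766, None, "main"),
]


def lookup(table, dst):
    """Longest prefix match; among equal prefixes the lowest metric wins."""
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def select_route(src, dst, tables, rules=RULES):
    """Return (table, device, gateway-or-None) chosen for a packet, or None."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        route = lookup(tables[rule.table], dst)
        if route is not None:           # no match -> fall through to next rule
            gw = str(route.gateway) if route.gateway is not None else None
            return rule.table, route.dev, gw
    return None


if __name__ == "__main__":
    internet_host = "192.0.2.7"         # constructed remote address
    for label, tables in (("metrics 0/5", build_tables()),
                          ("metrics 6/5", build_tables(6, 5)),
                          ("no defaults", build_tables(None, None))):
        print(label)
        print("  from ISP1 addr :", select_route(str(ISP1_ADDR), internet_host, tables))
        print("  from ISP2 addr :", select_route(str(ISP2_ADDR), internet_host, tables))
        print("  from LAN host  :", select_route("192.168.0.10", internet_host, tables))
        print("  to LAN host    :", select_route(internet_host, "192.168.0.20", tables))
```

Running it shows the point the reporter's three experiments turn on: packets sourced from an uplink address are steered by TABLE1 or TABLE2, but traffic originating from (or forwarded toward) the internal network matches neither `from` rule and is routed by the main table alone, so it follows whichever default route has the lower metric, or has no route at all once both defaults are removed.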
