[Bug 552] New: Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
bugzilla-daemon at bugzilla.netfilter.org
Sun Mar 4 21:23:24 CET 2007
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552
Summary: Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!
Product: netfilter/iptables
Version: linux-2.6.x
Platform: i386
OS/Version: All
Status: NEW
Severity: critical
Priority: P2
Component: NAT
AssignedTo: laforge at netfilter.org
ReportedBy: cbettero at ciditech.it
Hi,
I'm going mad trying to understand this behaviour:
I have a Linux box with two LANs: eth0 (internal LAN) and eth1 (Internet).
This box is configured as a firewall, using iptables (1.3.7). My kernel is 2.6.20.1.
I do SNAT for the LAN clients to the Internet, and all is working fine; but I
have big problems with DNAT. I have these lines:
....
.....
iptables -A PREROUTING -t nat -i eth1 -d $WANIP -p tcp --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
.....
.....
iptables -A INPUT -i eth1 -j DROP-AND-LOG
.....
OK, a simple and classical DNAT to an internal web server.
Now, the problem: the majority of packets get correctly into the PREROUTING chain
and to my web server, but SOMETIMES the packets "miss" the PREROUTING chain and fall
into the INPUT chain, getting logged and dropped! I analyzed them and noticed that
they are all ACK packets, but they are correct in all aspects (IN=ETH1 DST=WANIP
DPT=80);
what can be the problem?
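Added here as a triage aid for the observation above (example code, not from the reporter or the netfilter project): the script parses kernel LOG lines of the kind a DROP-AND-LOG chain writes and separates dropped first-packet SYNs, which would mean the DNAT rule itself is not matching, from dropped mid-stream ACKs, which the nat table never translates because it is only consulted for the first packet of a connection. The interface, WAN address, port and the log lines are constructed assumptions passed in as parameters.

```python
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Constructed sample lines in the format the kernel LOG target writes
# (placeholder addresses, not taken from the bug report).
SAMPLE_LOG = [
    "Mar  4 21:10:01 fw kernel: DROP-AND-LOG: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0",
    "Mar  4 21:10:02 fw kernel: DROP-AND-LOG: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40001 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0",
    "Mar  4 21:10:05 fw kernel: DROP-AND-LOG: IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  4 21:10:07 fw kernel: DROP-AND-LOG: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40002 DPT=80 WINDOW=65535 RES=0x00 ACK FIN URGP=0",
    "Mar  4 21:10:09 fw kernel: DROP-AND-LOG: IN=eth1 OUT= SRC=198.51.100.11 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=52000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
]


def parse_log_line(line):
    """Return the KEY=VALUE fields of a LOG line plus a FLAGS set, or None for other lines."""
    if "IN=" not in line or "PROTO=" not in line:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", line))   # OUT= with no value yields ""
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def triage(lines, wan_if, wan_ip, dport):
    """Bucket INPUT drops for the DNAT'd service by the handshake phase they belong to."""
    counts = Counter()
    mid_stream = []
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP":
            continue
        if f.get("IN") != wan_if or f.get("DST") != wan_ip or f.get("DPT") != str(dport):
            counts["other"] += 1          # not traffic the DNAT rule is meant to catch
            continue
        flags = f["FLAGS"]
        if "SYN" in flags and "ACK" not in flags:
            counts["new_syn"] += 1        # first packet: the DNAT rule did not match it
        elif "ACK" in flags:
            counts["mid_stream"] += 1     # later packet: no conntrack entry, nat skipped
            mid_stream.append(f"{f['SRC']}:{f['SPT']}")
        else:
            counts["unclassified"] += 1
    return {"counts": dict(counts), "mid_stream_flows": sorted(set(mid_stream))}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "eth1", "203.0.113.10", 80))
```

A high mid_stream count with few or no new_syn entries matches the symptom described above, and the listed flows give the connections to look up in /proc/net/ip_conntrack.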