[Bug 552] Strange DNAT behaviour... packet don't pass to PREROUTING and go directly in INPUT !!

bugzilla-daemon at bugzilla.netfilter.org
Mon Mar 5 19:05:30 CET 2007


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552





------- Additional Comments From kaber at trash.net  2007-03-05 19:05 MET -------
DNAT only works on packets that connection tracking regards as valid, so the
most likely reason is that TCP window tracking for some reason thinks they are
not (retransmits, ...).

You can try:

a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

to log these packets and the reason why conntrack thinks they're invalid, or

b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP

to drop them.
