[Bug 552] Strange DNAT behaviour... packets don't pass through PREROUTING and go directly to INPUT !!

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Mon Mar 5 19:24:37 CET 2007


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=552
------- Additional Comments From cbettero at ciditech.it  2007-03-05 19:24 MET -------
(In reply to comment #3)
> DNAT only works on packets that connection tracking regards as valid, so the
> most likely reason is that TCP window tracking for some reason thinks they are
> not (retransmits, ...).
> 
> You can try:
> 
> a) echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
> 
> to log these packets and the reason why conntrack thinks they're invalid, or
> 
> b) iptables -t mangle -A PREROUTING -m state --state INVALID -j DROP
> 
> to drop them.

Hi,

I just did as you told... no invalid packets at all (nothing on the console after
your echo cmd, and the counter is still 0).

But my packets randomly continue to hit the INPUT chain:

INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14445 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14446 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14447 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0

If I try again (say, hitting RELOAD on the remote browser), sometimes I can see the
entire page (a simple login page), sometimes only a part, sometimes nothing at
all...

thanks for the help...

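A small parser for the iptables LOG records pasted above, added here as a diagnostic aid; it is not code from the bug report or from the netfilter project. It groups records by TCP 5-tuple and, for each flow, reports which rule prefix logged it, whether the IP IDs run consecutively (fresh segments rather than retransmits), whether every segment is mid-stream (ACK set, SYN clear, so none of them could have created the conntrack entry that nat PREROUTING needs), and which segments were logged by an INPUT rule while DST was still the public address, i.e. reached the local stack without the DNAT mapping applied. SAMPLE_LOG is constructed: the first three records copy the report's INPUT lines with --MYWANIP-- kept as the placeholder for the real address; the fourth, with the hypothetical prefix "NAT PREROUTING->" and the documentation address 198.51.100.7, is a made-up SYN included for contrast.

```python
"""Parse iptables LOG output and summarise each TCP flow.  Added example;
SAMPLE_LOG is constructed (see the comments), not taken from a live box."""
from collections import defaultdict

# Constructed sample.  Records 1-3 mirror the bug report (INPUT rule, ACK-only
# segments, DST still the public address).  Record 4 is a hypothetical SYN
# logged by a rule with prefix "NAT PREROUTING->" from 198.51.100.7.
SAMPLE_LOG = """\
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14445 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14446 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
INPUT CHAIN-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=62.11.25.241 DST=--MYWANIP-- LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14447 DF PROTO=TCP SPT=3486 DPT=80 WINDOW=65520 RES=0x00 ACK URGP=0
NAT PREROUTING-> IN=eth1 OUT= MAC=00:40:f4:b8:f1:a9:00:0e:84:d7:3c:a1:08:00 SRC=198.51.100.7 DST=--MYWANIP-- LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Split one LOG record into its --log-prefix, key=value fields and bare
    flag words.  The prefix is everything before the first 'IN=' token; DF and
    the TCP flags (SYN, ACK, ...) appear as bare words, the rest as key=value."""
    prefix, sep, rest = line.partition("IN=")
    if not sep:
        raise ValueError("not an iptables LOG record: %r" % line)
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val  # 'OUT=' is legitimately empty for inbound hooks
        else:
            flags.add(tok)
    return {"prefix": prefix.strip(), "fields": fields, "flags": flags}


def flow_key(rec):
    """5-tuple identifying the flow a record belongs to."""
    f = rec["fields"]
    return (f["PROTO"], f["SRC"], f.get("SPT", ""), f["DST"], f.get("DPT", ""))


def summarise(log_text, wan_ip):
    """Group records by flow and describe what each flow's segments look like.
    wan_ip is the address that should have been rewritten by DNAT."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_log_line(line)
            flows[flow_key(rec)].append(rec)
    summary = {}
    for key, recs in flows.items():
        ids = [int(r["fields"]["ID"]) for r in recs]
        summary[key] = {
            "prefixes": sorted({r["prefix"] for r in recs}),
            "ids": ids,
            # Consecutive IP IDs from one host: a continuing stream, not retransmits.
            "ids_consecutive": ids == list(range(ids[0], ids[0] + len(ids))),
            # ACK set and SYN clear on every record: no segment here opened the
            # connection, so none could have been the packet nat PREROUTING rewrote.
            "midstream_only": all(
                "ACK" in r["flags"] and "SYN" not in r["flags"] for r in recs),
            # Logged by an INPUT rule with DST still the public address: the
            # DNAT mapping was not applied to that segment.
            "untranslated_on_input": [
                int(r["fields"]["ID"]) for r in recs
                if r["prefix"].startswith("INPUT") and r["fields"]["DST"] == wan_ip],
        }
    return summary


def report(log_text, wan_ip):
    """One human-readable line per flow."""
    out = []
    for key, s in summarise(log_text, wan_ip).items():
        proto, src, spt, dst, dpt = key
        verdict = ("mid-stream segments reached INPUT untranslated"
                   if s["midstream_only"] and s["untranslated_on_input"]
                   else "does not match the report's pattern")
        out.append("%s %s:%s -> %s:%s ids=%s via %s: %s" % (
            proto, src, spt, dst, dpt, s["ids"], ",".join(s["prefixes"]), verdict))
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, "--MYWANIP--"):
        print(line)
```

Feeding real dmesg output through this needs only the kernel timestamp stripped first; the prefix/field/flag split is the same for every LOG rule, so adding a LOG rule with a distinct prefix in nat PREROUTING alongside the INPUT one lets the same script show whether a given flow's opening SYN was ever seen by the nat table at all.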