[Bug 591] New: NAT REDIRECT target does not always work
bugzilla-daemon at bugzilla.netfilter.org
Fri Apr 24 16:38:06 CEST 2009
http://bugzilla.netfilter.org/show_bug.cgi?id=591
Summary: NAT REDIRECT target does not always work
Product: netfilter/iptables
Version: unspecified
Platform: i386
OS/Version: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P1
Component: NAT
AssignedTo: laforge at netfilter.org
ReportedBy: lbocseg at yahoo.com.br
This has been happening for quite a while and I have never understood why.
> iptables -t nat -L PREROUTING -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 !10.183.4.2 tcp dpt:80 redir ports 3128
This rule was created with:
iptables -t nat -A PREROUTING -d ! 10.183.4.2 -p tcp --dport www -j REDIRECT --to-port 3128
For logging purposes:
iptables -N droplog
iptables -A droplog -j ULOG --ulog-prefix Dropado --ulog-nlgroup 6
After the firewall rules, there is a final one:
iptables -A FORWARD -j droplog
Transparent proxy is working most of the time, but sometimes this shows on log:
Apr 24 10:18:10 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.37 DST=200.181.75.130 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=53281 DF PROTO=TCP SPT=49771 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0
This should not happen. The packet should have been redirected to port 3128 by
the nat rules. The problem is that this happens randomly. Most of the time the
redirection is handled correctly, but rarely some packets are not redirected.
That is why it is difficult to debug what is happening. What can I do?
My kernel version is 2.6.28.3, compiled from the v2.6.28 git tag with the patch
to 2.6.28.3 applied. It also happened with the Debian kernel package and with
v2.6.28 with no patch.
I'm not sure if it is platform specific or OS specific or iptables userspace
specific, so please forgive any wrongly filled field. I cannot test in other
conditions because it is not always reproducible.
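A triage helper for the log line above, added here as an example (it is not from the report or from the netfilter project): it parses the TCP flags of a LOG/ULOG line and reports whether the nat table could have seen that packet at all, since REDIRECT in nat/PREROUTING is consulted only for the packet that creates a conntrack entry. The function name classify_nf_line and the second sample line are assumed/constructed.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report. The nat table is
# consulted only for the packet that creates a conntrack entry (state NEW),
# so whether REDIRECT can act on a logged packet depends on its TCP flags,
# mirroring the order conntrack itself classifies them (RST first):
#   RST                   -> INVALID without an existing entry: the nat
#                            table is skipped and the packet falls through
#                            to FORWARD (the reported ACK RST case)
#   SYN without ACK       -> new connection, nat/PREROUTING sees it
#   SYN+ACK, FIN, none    -> INVALID without an existing entry
#   bare ACK              -> picked up as NEW only if
#                            nf_conntrack_tcp_loose=1, else INVALID
# classify_nf_line is an assumed helper name; it parses LOG/ULOG-style text.
classify_nf_line() {
    proto=""; syn=0; ack=0; rst=0; fin=0
    for tok in $1; do
        case $tok in
            PROTO=*) proto=${tok#PROTO=} ;;
            SYN) syn=1 ;;
            ACK) ack=1 ;;
            RST) rst=1 ;;
            FIN) fin=1 ;;
        esac
    done
    [ "$proto" = "TCP" ] || { echo non-tcp; return 0; }
    if [ "$rst" -eq 1 ]; then
        echo invalid-bypasses-nat
    elif [ "$syn" -eq 1 ] && [ "$ack" -eq 0 ]; then
        echo nat-eligible
    elif [ "$syn" -eq 1 ] || [ "$fin" -eq 1 ] || [ "$ack" -eq 0 ]; then
        echo invalid-bypasses-nat
    else
        echo nat-only-if-tcp-loose
    fi
}

# Constructed sample lines. SAMPLE_RST mirrors the dropped packet from the
# report (ACK RST, no SYN); SAMPLE_SYN is a made-up SYN for comparison.
SAMPLE_RST='Apr 24 10:18:10 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.37 DST=200.181.75.130 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=53281 DF PROTO=TCP SPT=49771 DPT=80 WINDOW=65535 RES=0x00 ACK RST URGP=0'
SAMPLE_SYN='Apr 24 10:18:11 proxy: Dropado IN=eth0 OUT=eth1 SRC=10.183.4.37 DST=200.181.75.130 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=49772 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

classify_nf_line "$SAMPLE_RST"   # invalid-bypasses-nat
classify_nf_line "$SAMPLE_SYN"   # nat-eligible
```

Running it over the ULOG output shows which dropped packets were never candidates for REDIRECT in the first place, which is the first thing to separate out before suspecting the nat rule itself.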