[Bug 850] New: DNAT applied even after deleting the IP Tables DNAT Rule

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Sep 10 08:11:27 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=850

           Summary: DNAT applied even after deleting the IP Tables DNAT
                    Rule
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: b.dathraj at gmail.com
   Estimated Hours: 0.0


Hi,

I see an issue with DNAT rules of iptables. Even after the rule is deleted, the
DNAT happens. Below is the description for the same.


Topology:
---------
SD-1-eth1 --------- ge6-DUT-ge46 ------- eth1-SD-2

DUT:
-----
ge6: IP - 2.2.2.5 (INSIDE interface)
ge46: IP - 192.168.10.5 (OUTSIDE interface)

SD-1:
-----
eth1: 2.2.2.2
route: 192.168.10.0/24 via 2.2.2.5

SD-2:
-----
eth1: 192.168.10.2
route: 2.2.2.0/24 via 192.168.10.5

NAT Configuration:
------------------
"iptables -t nat -A POSTROUTING -j SNAT -s 2.2.2.2/32 --to-source 192.168.10.4-192.168.10.4 -o ge46"

"iptables -t nat -A PREROUTING -j DNAT -d 192.168.10.4/32 --to-destination 2.2.2.2-2.2.2.2 -i ge6"

As per the above rules, the source address of the packets coming from SD-1 is
changed to 192.168.10.4 and the destination address of the packets coming from
SD-2 is changed to 2.2.2.2.

We have tested this using an SSH session from SD-1 to SD-2. Up to this point
everything (SNAT & DNAT) is fine.

Issue:
------
Now we unconfigure the DNAT rule using "iptables -t nat -D PREROUTING -j DNAT -d 192.168.10.4/32 --to-destination 2.2.2.2-2.2.2.2 -i ge6".
Here the SSH session should not establish, as the DNAT rule is deleted. But we
see that the destination address of the packets coming from SD-2 is still
changed from 192.168.10.4 to 2.2.2.2. This happens only if the ARP entry for
"192.168.10.4" is present in DUT-2. If the ARP entry is cleared manually or
ages out, then the replies from SD-2 will not be aware of the destination and
no session will be established.

Please let me know if we have any known issues on this, or whether it is
expected. Please note that the SNAT rule is still present; only the DNAT rule
is deleted.
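Added example, not part of the bug report and not netfilter project code. The rules in the nat table are consulted only for the first packet of a connection; the resulting SNAT/DNAT mapping is stored in the connection-tracking entry and is applied to every later packet of that flow until the entry expires or is deleted, so `iptables -D` alone does not stop translation of an established session. The script below parses `conntrack -L` output (the sample lines are constructed for the topology above), picks out the entries that still carry a translation involving the NAT address, and prints the conntrack(8) commands that remove exactly those entries. Function names (`parse_conntrack_line`, `lingering_translations`, `delete_command`) are my own; the flag names follow conntrack(8) from conntrack-tools, which is assumed to be installed when the printed commands are run.

```python
"""Find conntrack entries that keep applying a NAT mapping after the iptables
NAT rule that created them has been deleted (example code, not part of the
bug report).  The mapping lives in the conntrack entry, not in the rule, so
deleting the rule leaves established flows translated until the entry goes."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One tuple as printed by `conntrack -L`: addresses, optionally followed by ports.
TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)(?:\s+sport=(\d+)\s+dport=(\d+))?")


@dataclass(frozen=True)
class Flow:
    proto: str
    orig_src: str
    orig_dst: str
    orig_sport: Optional[int]
    orig_dport: Optional[int]
    reply_src: str
    reply_dst: str
    reply_sport: Optional[int]
    reply_dport: Optional[int]

    @property
    def is_natted(self) -> bool:
        """Without NAT the reply tuple is the exact mirror of the original tuple."""
        mirror = (self.orig_dst, self.orig_src, self.orig_dport, self.orig_sport)
        return (self.reply_src, self.reply_dst, self.reply_sport, self.reply_dport) != mirror

    def addresses(self) -> Set[str]:
        return {self.orig_src, self.orig_dst, self.reply_src, self.reply_dst}


def _port(text: str) -> Optional[int]:
    return int(text) if text else None


def parse_conntrack_line(line: str) -> Optional[Flow]:
    """Parse one line of `conntrack -L` or /proc/net/nf_conntrack output."""
    parts = line.split()
    if not parts:
        return None
    # /proc/net/nf_conntrack prefixes each line with the L3 family: 'ipv4 2 tcp 6 ...'
    proto = parts[2] if parts[0] in ("ipv4", "ipv6") else parts[0]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:  # original and reply direction are both required
        return None
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    return Flow(proto, osrc, odst, _port(osp), _port(odp), rsrc, rdst, _port(rsp), _port(rdp))


def lingering_translations(lines: List[str], nat_addr: str) -> List[Flow]:
    """Translated flows that involve nat_addr: these entries keep applying the
    SNAT/DNAT mapping even after the rule that installed it is gone."""
    flows = (parse_conntrack_line(line) for line in lines)
    return [f for f in flows if f is not None and f.is_natted and nat_addr in f.addresses()]


def delete_command(flow: Flow) -> str:
    """conntrack(8) invocation that removes exactly this entry, keyed on its original tuple."""
    cmd = ["conntrack", "-D", "-p", flow.proto,
           "--orig-src", flow.orig_src, "--orig-dst", flow.orig_dst]
    if flow.orig_sport is not None:
        cmd += ["--orig-port-src", str(flow.orig_sport), "--orig-port-dst", str(flow.orig_dport)]
    return " ".join(cmd)


# Constructed sample of `conntrack -L` output for the topology in the report:
# 1) SSH from SD-1 to SD-2, source translated to 192.168.10.4 (reply dst)
# 2) SSH from SD-2 to 192.168.10.4, destination translated to 2.2.2.2 (reply src)
# 3) DNS-style flow to the DUT itself, no translation at all
SAMPLE = """\
tcp      6 431995 ESTABLISHED src=2.2.2.2 dst=192.168.10.2 sport=51234 dport=22 src=192.168.10.2 dst=192.168.10.4 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431995 ESTABLISHED src=192.168.10.2 dst=192.168.10.4 sport=40000 dport=22 src=2.2.2.2 dst=192.168.10.2 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=2.2.2.2 dst=192.168.10.5 sport=5353 dport=53 src=192.168.10.5 dst=2.2.2.2 sport=53 dport=5353 mark=0 use=1
"""

if __name__ == "__main__":
    for flow in lingering_translations(SAMPLE.splitlines(), "192.168.10.4"):
        print(delete_command(flow))
```

On a real box, replace SAMPLE with the output of `conntrack -L` and run the printed commands after deleting the NAT rule; `conntrack -F` would also clear the stale mapping, but it drops state for every connection on the device, not just the translated ones.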
