[Bug 1129] New: iptables outgoing SNAT works for a while then stops working completely for a while
bugzilla-daemon at netfilter.org
Fri Mar 10 16:32:48 CET 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1129
Bug ID: 1129
Summary: iptables outgoing SNAT works for a while then stops working completely for a while
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ip_conntrack
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: timclarke147 at gmail.com
I have updated to Debian Jessie and have a firewall that does incoming port
redirection (which works reliably) and outgoing masquerading (SNAT) from
internal IP 192.168.123.0/24 via 62.232.232.211 to the outside world.
Outgoing source-nat works fine for a while (overnight) and then during the day
stops working for a few hours, then works again for some time, then stops
working again, etc.
When NOT working, tcpdump shows the following:
icmp request from 192.168.123.203 to 88.208.252.180 is logged
icmp reply from 88.208.252.180 is logged
icmp reply to 62.232.25.211 is logged
NO icmp reply is forwarded to 192.168.123.203
It would appear that the ping is being SNAT'ed outwards OK but the connection
is not being properly tracked to allow the returning reply packet to be
redirected back to 192.168.123.203.
The iptables config is identical to that used on an earlier (wheezy) Debian
and I have never had any problems with that earlier version.
I note that the new machine has about 2.5% dropped packets on both interfaces,
but this may be a red herring!
tcpdumps and iptables config etc. can be supplied on request.
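A check a practitioner would run on the firewall for the return-path question raised in the report, added here as an example (not part of the bug report): parse /proc/net/nf_conntrack and see, for each flow from the LAN host, whether the reply tuple has been rewritten to the SNAT address and whether a reply has actually matched it. The table lines below are constructed sample data; the addresses are the ones the reporter names.

```python
import re

# Constructed /proc/net/nf_conntrack lines (sample data, not from the report).
# LAN host 192.168.123.203, SNAT address 62.232.232.211, ping target 88.208.252.180.
SAMPLE_CONNTRACK = """\
ipv4     2 icmp     1 29 src=192.168.123.203 dst=88.208.252.180 type=8 code=0 id=4660 src=88.208.252.180 dst=62.232.232.211 type=0 code=0 id=4660 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.123.203 dst=88.208.252.180 type=8 code=0 id=4661 [UNREPLIED] src=88.208.252.180 dst=62.232.232.211 type=0 code=0 id=4661 mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=192.168.123.203 dst=88.208.252.180 type=8 code=0 id=4662 [UNREPLIED] src=88.208.252.180 dst=192.168.123.203 type=0 code=0 id=4662 mark=0 zone=0 use=2
"""

TUPLE_KEYS = {"src", "dst", "type", "code", "id", "sport", "dport"}
KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Split one nf_conntrack line into protocol, flags, original tuple and
    reply tuple. The first src=/dst= group is the original direction; the
    second is the reply tuple the kernel expects the answer to match."""
    fields = line.split()
    flags = {f.strip("[]") for f in fields if f.startswith("[")}
    orig, reply = {}, {}
    for k, v in KV.findall(line):
        if k not in TUPLE_KEYS:
            continue                      # mark=, zone=, use= are not tuple fields
        side = orig if k not in orig else reply   # second copy of a key -> reply tuple
        side[k] = v
    return {"proto": fields[2], "flags": flags, "orig": orig, "reply": reply}

def classify(entry, internal_host, snat_ip):
    """Verdict on the return path of one flow originated by internal_host:
    'ok'        reply tuple addressed to snat_ip and a reply has matched it
    'unreplied' mapping exists but nothing has matched the reply tuple yet
    'no-snat'   reply tuple was never rewritten to snat_ip
    None        entry does not belong to internal_host"""
    if entry["orig"].get("src") != internal_host:
        return None
    if entry["reply"].get("dst") != snat_ip:
        return "no-snat"
    return "unreplied" if "UNREPLIED" in entry["flags"] else "ok"

def audit(table_text, internal_host, snat_ip):
    """Return {(proto, icmp id or source port): verdict} for internal_host's flows."""
    verdicts = {}
    for line in filter(str.strip, table_text.splitlines()):
        e = parse_entry(line)
        v = classify(e, internal_host, snat_ip)
        if v is not None:
            verdicts[(e["proto"], e["orig"].get("id") or e["orig"].get("sport"))] = v
    return verdicts

if __name__ == "__main__":
    # On the firewall itself, pass open("/proc/net/nf_conntrack").read() instead.
    for flow, verdict in audit(SAMPLE_CONNTRACK, "192.168.123.203", "62.232.232.211").items():
        print(flow, verdict)
```

An ICMP echo whose entry stays UNREPLIED while tcpdump shows the reply arriving at the SNAT address is exactly the symptom described: the reply reaches the box but is not matched to the tracked flow.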