Messages in log with SNAT target

Sietse van Zanen sietse at wizdom.nu
Mon Jul 24 12:15:13 CEST 2006


This means your Windows machine does not use the ICMP redirects your firewall sends it. This is only cosmetic in your case. The messages are there because both of your networks are on the same physical interface.
 
Split this up and use two different physical interfaces. It is also not a recommended situation you are using.
 
-Sietse

________________________________

From: netfilter-bounces at lists.netfilter.org on behalf of Anssi Hannula
Sent: Mon 24-Jul-06 11:17
To: netfilter at lists.netfilter.org
Subject: Messages in log with SNAT target



Hi!

I've been using this kind of configuration on my Linux router for a few
years:

eth0    80.223.77.223, public internet ip
eth0:0  10.0.0.1, private network ip

IP forwarding enabled.

And a rule for iptables:
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -d ! 10.0.0.0/255.255.255.0 -j SNAT --to-source 80.223.77.223

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     10     0        0 eth0
80.223.64.0     0.0.0.0         255.255.240.0   U     10     0        0 eth0
0.0.0.0         80.223.64.1     0.0.0.0         UG    10     0        0 eth0


However, I get lots of this kind of messages in the dmesg while routing:
host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 68.219.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 193.88.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 80.81.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 80.81.xxx.xxx to 80.223.64.1.

10.0.0.4 is a Windows machine in the private network set to use 10.0.0.1
(router) as a gateway. 80.223.64.1 is the ISP gateway. The third ip
number in the log message is the ip number of a server, to which the
10.0.0.4 is connected.

Note that the routing itself works just fine, there is just this log
message flood.

Please advise.

--
Anssi Hannula
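
Added example, not part of either message: a simplified Python model of why the router offers redirects with the posted routing table and why the suggested split stops them. It assumes a redirect is offered whenever a forwarded packet leaves through the interface it arrived on; the `eth1` name and the server address are constructed for illustration.

```python
import ipaddress

# Routing table from the post: (destination, gateway, genmask, iface).
SHARED = [
    ("10.0.0.0", "0.0.0.0", "255.255.255.0", "eth0"),
    ("80.223.64.0", "0.0.0.0", "255.255.240.0", "eth0"),
    ("0.0.0.0", "80.223.64.1", "0.0.0.0", "eth0"),
]
# Assumed layout after the suggested split: LAN moved to a hypothetical eth1.
SPLIT = [("10.0.0.0", "0.0.0.0", "255.255.255.0", "eth1")] + SHARED[1:]


def lookup(addr, routes):
    """Longest-prefix match; returns (gateway, iface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw, iface)
    return best[1:] if best else None


def redirect_target(src, dst, routes):
    """Return the next hop the router would name in an ICMP redirect, or None.

    Simplified model: a redirect is offered when the packet leaves through
    the interface it arrived on.
    """
    ingress, egress = lookup(src, routes), lookup(dst, routes)
    if not ingress or not egress or ingress[1] != egress[1]:
        return None
    gw = egress[0]
    # A directly connected destination is its own next hop.
    return gw if gw != "0.0.0.0" else dst


if __name__ == "__main__":
    server = "198.51.100.7"  # constructed address standing in for a remote server
    for name, table in (("shared eth0", SHARED), ("split", SPLIT)):
        print(name, "->", redirect_target("10.0.0.4", server, table))
```

With the shared table the model names 80.223.64.1 as the redirect target, matching the gateway in the logged messages; with the split table it returns nothing.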