SNAT seems to "miss" some packets

To: netfilter@lists.netfilter.org
Subject: SNAT seems to "miss" some packets
From: Fabio Muzzi <liste@kurgan.org>
Date: Mon, 29 Jan 2007 14:12:38 +0100
Hi, this is my first post to this list. I have tried googling, but I have
failed, and I think now it's time to ask for help.

I am running a firewall with Debian Linux (kernel 2.6.15) and I am
experiencing a strange behavior in a simple SNAT rule.

I was running a dual gateway equal cost multipath configuration, but I
have reverted to a single gateway configuration to be sure that the issue
was not with the dual gateway config.

eth2 is my WAN interface, with address 217.221.234.74. My LAN is
10.0.0.0/16, and I have a SNAT rule that says:

iptables -t nat -A POSTROUTING -o eth2 -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74

Running a simple "ethereal -i eth2 'not host 217.221.234.74'" I can see
that sometimes some packets go through the WAN interface without being SNATed
by netfilter.

Typically I can see a lot of correctly SNATed traffic, and once every
minute or so, some packets that seem to belong to an existing connection
go through with the original "from" address (in the 10.0.0.0/16
network).

This is an example taken from tethereal:

5062.581579    10.0.0.51 -> 207.68.178.134 TCP 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5062.581602    10.0.0.51 -> 207.68.178.134 TCP 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5063.687959    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5064.016036    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5066.094266    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5067.078602    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5070.906759    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5071.806521    10.0.0.51 -> 195.113.232.83 TCP 1065 > www [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5071.806642    10.0.0.51 -> 195.113.232.83 TCP 1067 > www [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5071.806657    10.0.0.51 -> 195.113.232.83 TCP 1066 > www [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5071.806765    10.0.0.51 -> 195.113.232.83 TCP 1068 > www [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5073.094312    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5077.923046    10.0.0.12 -> 207.68.178.239 TCP [TCP Retransmission] remoteping > www [FIN, ACK] Seq=0 Ack=0 Win=64294 Len=0
5080.531986    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5085.125717    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5099.782192    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5109.188539    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5116.244053    10.0.0.12 -> 207.68.178.239 TCP [TCP Retransmission] remoteping > www [FIN, ACK] Seq=0 Ack=0 Win=64294 Len=0


Is  this  a known bug of my kernel/netfilter version? Is there something I
can do to fix it?

Thanks.



-- 

  Fabio "Kurgan" Muzzi
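A quick leak check and the usual mitigation for what the capture above shows, as an added example that is not part of the original post or of the netfilter project. Late FIN/RST retransmissions of a connection whose conntrack entry has already expired are commonly classified INVALID, and netfilter only applies SNAT to packets it is tracking, so they leave eth2 with their 10.0.0.0/16 source; the script filters tethereal-style lines for exactly that, using constructed sample lines in the post's format, and only prints the iptables rule rather than applying it.

```shell
#!/bin/sh
# Constructed sample in the post's tethereal format (not the poster's capture):
# timestamp, src, "->", dst, protocol, rest of line.
SAMPLE_CAPTURE='5062.581579    10.0.0.51 -> 207.68.178.134 TCP 1069 > www [FIN, ACK] Seq=0 Ack=0 Win=64526 Len=0
5062.600000    217.221.234.74 -> 207.68.178.134 TCP 1071 > www [SYN] Seq=0 Win=65535 Len=0
5063.687959    10.0.0.51 -> 207.68.178.134 TCP [TCP Retransmission] 1070 > www [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
5071.806521    10.0.0.51 -> 195.113.232.83 TCP 1065 > www [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5077.923046    10.0.0.12 -> 207.68.178.239 TCP [TCP Retransmission] remoteping > www [FIN, ACK] Seq=0 Ack=0 Win=64294 Len=0
5078.000000    192.168.1.5 -> 10.0.0.51 TCP 80 > 1070 [ACK] Seq=1 Ack=1 Win=65535 Len=0'

# Read capture lines on stdin and print "count src dst" for every packet that
# left the WAN side with an RFC 1918 source and a non-private destination,
# i.e. traffic the POSTROUTING SNAT rule did not rewrite. Private-to-private
# lines (LAN replies seen on the capture) are not leaks and are skipped.
find_unnatted() {
    awk '
    function private(ip,  o) {
        split(ip, o, ".")
        return o[1] == 10 || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) || (o[1] == 192 && o[2] == 168)
    }
    $3 == "->" && private($2) && !private($4) { c[$2 " " $4]++ }
    END { for (k in c) print c[k], k }' | sort -k2
}

# Total number of leaked packets on stdin, for a one-number health check.
count_unnatted() {
    find_unnatted | awk '{ s += $1 } END { print s + 0 }'
}

# Mitigation to pair with the check: conntrack cannot map these packets to an
# existing NAT entry, so drop INVALID traffic in FORWARD instead of letting it
# leave un-rewritten. Printed rather than executed so the script needs no root.
print_mitigation() {
    echo 'iptables -I FORWARD -m state --state INVALID -j DROP'
}

printf '%s\n' "$SAMPLE_CAPTURE" | find_unnatted
print_mitigation
```

Feed it a live capture with `tethereal -i eth2 -l 'not host 217.221.234.74' | find_unnatted` to watch for leaks after the rule is in place.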


