Re: SNAT seems to "miss" some packets

To:	netfilter@lists.netfilter.org
Subject:	Re: SNAT seems to "miss" some packets
From:	Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date:	Mon, 29 Jan 2007 15:07:54 +0100
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<1003211157.20070129141238@kurgan.org>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
Organization:	Plouf !
References:	<1003211157.20070129141238@kurgan.org>
Sender:	netfilter-bounces@lists.netfilter.org
User-agent:	Mozilla Thunderbird 1.0.6 (Windows/20050716)

To:

netfilter@lists.netfilter.org

Subject:

Re: SNAT seems to "miss" some packets

From:

Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

Date:

Mon, 29 Jan 2007 15:07:54 +0100

Delivered-to:

sp-com-lists@consult.net

Delivered-to:

netfilter-list1@securepoint.com

In-reply-to:

<1003211157.20070129141238@kurgan.org>

List-archive:

</pipermail/netfilter>

List-help:

<mailto:netfilter-request@lists.netfilter.org?subject=help>

List-id:

General discussion and user questions <netfilter.lists.netfilter.org>

List-post:

<mailto:netfilter@lists.netfilter.org>

List-subscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>

List-unsubscribe:

<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>

Organization:

Plouf !

References:

<1003211157.20070129141238@kurgan.org>

Sender:

netfilter-bounces@lists.netfilter.org

User-agent:

Mozilla Thunderbird 1.0.6 (Windows/20050716)

Hello,

Fabio Muzzi a écrit :


I  am  running  a  firewall  with Debian Linux (kernel 2.6.15) and am I am
expriencing a strange behavior in a simple SNAT rule.

[...]

Running  a  simple  "ethereal -i eth2 'not host 217.221.234.74'" I can see
that  sometimes some packets go through WAN interface without being SNATed
by netfilter.

Maybe these packets are considered in the INVALID state by the Netfilterconnection tracking. Packets in the INVALID state bypass the statefulNAT processing. You may add a rule to log INVALID packets and comparethem with the tcpdump output :


iptables -I FORWARD -o eth2 -m state --state INVALID \
  -j LOG --log-prefix "FWD_INV "

Anyway there is no chance that another NAT rule may cause this, aspackets belonging or related to an established connection don't gothrough the nat chains.


Note :

This may be related to the thread "Dropped fin acks (iptables + lvs)"above, as in both cases most affected packets seem to be FIN/ACK andRST/ACK.

<Prev in Thread]	Current Thread	[Next in Thread>
SNAT seems to "miss" some packets, Fabio Muzzi Re: SNAT seems to "miss" some packets, Jan Engelhardt Re: SNAT seems to "miss" some packets, Fabio Muzzi Re: SNAT seems to "miss" some packets, Pascal Hambourg <= Re: SNAT seems to "miss" some packets, Fabio Muzzi

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: SNAT seems to "miss" some packets, Jan Engelhardt
Next by Date:	Re: SNAT seems to "miss" some packets, Fabio Muzzi
Previous by Thread:	Re: SNAT seems to "miss" some packets, Fabio Muzzi
Next by Thread:	Re: SNAT seems to "miss" some packets, Fabio Muzzi
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: SNAT seems to "miss" some packets, Jan Engelhardt

Next by Date:

Re: SNAT seems to "miss" some packets, Fabio Muzzi

Previous by Thread:

Re: SNAT seems to "miss" some packets, Fabio Muzzi

Next by Thread:

Re: SNAT seems to "miss" some packets, Fabio Muzzi

Indexes:

[Date] [Thread] [Top] [All Lists]