BRidge Problem with DNAT

buzzer
07-14-2005, 03:37 PM
Hi

I've got a problem that's outside my knowledge,
so I'll describe it to you:

I've got a Linux gateway with 3 network interfaces: eth1 to the Ethernet
ADSL modem, eth0 to my network, and ath0, a wireless card used as an
access point.

Because I use linux-igd, I decided to create a bridge between the two LAN
interfaces in order to only deal with 2 interfaces!

So br0 is a bridge between eth0 and ath0.

I created iptables rules using br0 and eth1. Those rules are simple:

Chain PREROUTING (policy ACCEPT)
target prot opt in out source destination
DROP all -- eth1 * 0.0.0.0/0 192.168.0.0/24
DROP all -- eth1 * 192.168.0.0/24 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target prot opt in out source destination
MASQUERADE all -- * eth1 192.168.0.0/24 0.0.0.0/0

Chain INPUT (policy DROP)
target prot opt in out source destination
INETIN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- * * 192.168.0.0/24 0.0.0.0/0
ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- br0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67

INETIN is my input filter for ICMP and services (SMTP, HTTP, ...)
(no need to show it)

Chain FORWARD (policy DROP)
target prot opt in out source destination
ACCEPT all -- eth1 br0 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- br0 eth1 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- !eth1 !eth1 192.168.0.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt in out source destination
INETOUT all -- * eth1 0.0.0.0/0 0.0.0.0/0

INETOUT is my output filter for services

At this point everything works fine.

When using linux-igd, rules are added to PREROUTING with target DNAT:

target prot opt in out source destination
DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5662
to:192.168.0.2:5662
DNAT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5672
to:192.168.0.2:5672

So everything looks nice! But if I dump packets on eth1, I can see this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:24:06.232072 IP 209.67.220.58.42895 > <my public ip>.5662: S 2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646790852 0,nop,wscale 0>
17:24:06.232757 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:24:09.047839 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:24:09.224100 IP 209.67.220.58.42895 > <my public ip>.5662: S 2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646791152 0,nop,wscale 0>
17:24:09.224407 IP <my public ip>.5662 > 209.67.220.58.42895: . ack 2699075761 win 65535 <nop,nop,timestamp 243533 646790852>
17:24:15.032186 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
17:24:15.222856 IP 209.67.220.58.42895 > <my public ip>.5662: S 2699075760:2699075760(0) win 5840 <mss 1460,sackOK,timestamp 646791752 0,nop,wscale 0>

We can see that packets from LAN to NET are not NATed!!!
Please help, I don't understand!

Buzzer
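The symptom in the dump above is a SYN-ACK leaving the WAN interface with the inside host's 192.168.0.2 address still in the source field, i.e. the DNAT'd connection's replies never went back through source translation. The following is an added example, not code from the original post or from linux-igd: a small checker that parses tcpdump's default IPv4/TCP line format and flags exactly that condition. The trace it runs on is constructed from the one in the post, with the poster's undisclosed public address replaced by the documentation address 198.51.100.7 (an assumption).

```python
"""Spot untranslated (non-SNATed) replies in a tcpdump capture taken on the
WAN interface of a NAT gateway.

Added example, not code from the original post.  The trace below is
constructed from the one shown in the post; the poster's real public
address is replaced by the documentation address 198.51.100.7 (assumed).
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one packet per line, as `tcpdump -n -i eth1` prints it.
SAMPLE_TRACE = """\
17:24:06.232072 IP 209.67.220.58.42895 > 198.51.100.7.5662: S 2699075760:2699075760(0) win 5840
17:24:06.232757 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535
17:24:09.047839 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535
17:24:09.224100 IP 209.67.220.58.42895 > 198.51.100.7.5662: S 2699075760:2699075760(0) win 5840
17:24:09.224407 IP 198.51.100.7.5662 > 209.67.220.58.42895: . ack 2699075761 win 65535
17:24:15.032186 IP 192.168.0.2.5662 > 209.67.220.58.42895: S 498211568:498211568(0) ack 2699075761 win 65535
"""

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which in Python also covers documentation networks such as 198.51.100.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # first token after the colon: "S", ".", "P", "F", "R"


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_trace(text: str) -> list[Packet]:
    """Parse tcpdump's default IPv4/TCP lines; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["rest"].split()[0]))
    return packets


def leaked_private_sources(packets: list[Packet]) -> list[Packet]:
    """Packets seen on the WAN side with an RFC 1918 source and a non-RFC 1918
    destination.  On a correctly NATing gateway this list is empty: everything
    going out should already carry the public address."""
    return [p for p in packets if is_rfc1918(p.src) and not is_rfc1918(p.dst)]


def reply_sources(packets: list[Packet], public_ip: str) -> dict:
    """For each remote endpoint that connected to public_ip, count the replies
    by the source address they carried: 'translated' (public_ip) versus
    'untranslated' (anything else, typically the DNAT target itself)."""
    remotes = {(p.src, p.sport) for p in packets if p.dst == public_ip}
    counts = defaultdict(lambda: {"translated": 0, "untranslated": 0})
    for p in packets:
        key = (p.dst, p.dport)
        if key not in remotes:
            continue
        bucket = "translated" if p.src == public_ip else "untranslated"
        counts[key][bucket] += 1
    return dict(counts)


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for p in leaked_private_sources(pkts):
        print(f"{p.ts} untranslated reply {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]")
    print(reply_sources(pkts, "198.51.100.7"))
```

Run against a live capture with `tcpdump -n -i eth1 tcp port 5662`, the two functions give a quick yes/no on whether the reverse translation of a DNAT rule is happening, which is the question the trace above raises.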
chris-usenet@roaima.co.uk
07-15-2005, 10:33 AM
buzzer <buzzer_@t_free_point_fr> wrote:
> I've got a problem that's outside my knowledge!


> We can see that packets from LAN to NET are not NATed!!!
> Please help, I don't understand!


DNAT/MASQ is broken on recent kernels. See my very recent posts on
exactly this subject - including a pointer to a kernel patch

Chris
buzzer
07-15-2005, 11:42 AM
chris-(E-Mail Removed) wrote:
> buzzer <buzzer_@t_free_point_fr> wrote:
>
>> I've got a problem that's outside my knowledge!
>
>
>> We can see that packets from LAN to NET are not NATed!!!
>> Please help, I don't understand!
>
>
> DNAT/MASQ is broken on recent kernels. See my very recent posts on
> exactly this subject - including a pointer to a kernel patch
>
> Chris


You're right!

Thanks a lot! I went back to 2.6.9 (because of Fedora) and all is fine!

regards

buzzer