Your message dated Fri, 13 Feb 2009 18:51:59 -0500
with message-id <[email protected]>
and subject line Re: Bug#350052: (no subject)
has caused the Debian Bug report #350052,
regarding Iptables or Kernel BUG
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
350052: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=350052
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables
Version: all versions

or

Package: linux-image-2.6
Version: all versions

After starting forwarding through SNAT or MASQUERADE and then stopping SNAT or MASQUERADE, you must unload and load the iptables and NAT modules again, otherwise forwarding will not work! Even further, if you flush the NAT iptables, you must echo 0 > ip_forward before unloading the iptables and NAT modules!

Demonstration:
I discovered a partial solution:

Operating sequence:
---disappear further hell things---
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -t mangle -F
iptables -t nat -F
iptables -F
reboot

---switch on - choose a) or b)---
a) iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6
b) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4
echo "1" > /proc/sys/net/ipv4/ip_forward

Here is the base of the problem. If we want to do other things with iptable_nat, we must always switch it off and switch it on again, it will not prove itself! Do you know whether this is a bug in the kernel or in iptables?


If we switch on SNAT:
---switch off iptables---
iptables -t nat -D POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6
modprobe -r iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6


If we switch on MASQUERADE:
---switch off iptables---
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4
modprobe -r ipt_MASQUERADE iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4


If we switch on SNAT and want to use "iptables -t nat -F":
---switch off iptables---
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
modprobe -r iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6
echo "1" > /proc/sys/net/ipv4/ip_forward


If we switch on MASQUERADE and want to use "iptables -t nat -F":
---switch off iptables---
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
modprobe -r ipt_MASQUERADE iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4
echo "1" > /proc/sys/net/ipv4/ip_forward


This is the important thing: if we use "iptables -t nat -F", we must do "echo "0" > /proc/sys/net/ipv4/ip_forward". If some step of this operating sequence is missed or the order of the procedure is wrong, forwarding evidently will not work anymore.


My PC:
CPU: P4 Prescott 2,66 GHz (533 FSB)
MB: FIC P4M-800M/T2 (Via PT800CE)
Memory: 1GB DDR 400 MHz single channel (2 x 512MB)
eth0: Realtek 8100C = RTL-8139/8139C/8139C+ (rev 10)
eth1: Edimax EN-9150TXL = VT6105 [Rhine-III] (rev 8b)

Yours sincerely, Petr Novak
[email protected]

PS: Excuse me for my bad English. (http://groups.google.com/group/cz.comp.linux/browse_thread/thread/4013e2f5b22aeb26/517f96af44bae92b?hl=cs#517f96af44bae92b)



--- End Message ---
--- Begin Message ---
On Fri, Feb 13, 2009 at 5:29 PM, Jan Engelhardt <[email protected]> wrote:
> The proper way to remove active NAT mappings is to use `conntrack -F`
> (package: conntrack-tools).
> It is not required to unload iptables.

Closed.


--- End Message ---
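The behaviour in the report is explained by the reply: the NAT decision for a connection is taken on its first packet and stored in the connection tracking entry, so deleting or flushing the POSTROUTING rule does not change flows that already exist. Reloading the modules happened to discard that state; `conntrack -F` discards it without touching the ruleset. The script below is an added example, not code from the bug thread or from the iptables or conntrack-tools projects. It parses entries in the layout of /proc/net/nf_conntrack and of `conntrack -L` output (original-direction tuple followed by reply-direction tuple) and lists the flows from an internal host that still carry a source-NAT mapping, which is what an administrator would check before and after flushing. The sample table is constructed and reuses the addresses from the report (LAN host 192.168.2.4 translated to 10.10.2.6).

```python
"""Find connection-tracking entries that still hold a source-NAT mapping.

Added example, not part of the Debian bug thread.  Assumed input layout
(as in /proc/net/nf_conntrack and `conntrack -L`):

    [ipv4 2] <proto> <protonum> <timeout> [<state>] src= dst= sport= dport= \
        src= dst= sport= dport= [ASSURED] mark= ...

The first src=/dst= pair is the ORIGINAL direction, the second is the
REPLY direction.  A flow has been source-NATed when the original src is
not the address the reply is sent to.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the /proc/net/nf_conntrack format.  Two flows from
# the LAN host are translated to 10.10.2.6; the third originates from the
# router itself and is not translated.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.2.4 dst=203.0.113.10 sport=51234 dport=80 src=203.0.113.10 dst=10.10.2.6 sport=80 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.2.4 dst=203.0.113.53 sport=40001 dport=53 src=203.0.113.53 dst=10.10.2.6 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 300 TIME_WAIT src=10.10.2.6 dst=203.0.113.20 sport=44444 dport=443 src=203.0.113.20 dst=10.10.2.6 sport=443 dport=44444 [ASSURED] mark=0 zone=0 use=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Flow:
    proto: str
    state: Optional[str]
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str

    @property
    def snat(self) -> bool:
        # SNAT rewrites the original source; replies then target the
        # translated address instead of the original one.
        return self.orig_src != self.reply_dst

    @property
    def dnat(self) -> bool:
        # DNAT rewrites the original destination; replies then come from
        # the real server rather than the advertised address.
        return self.orig_dst != self.reply_src


def parse_line(line: str) -> Optional[Flow]:
    """Parse one table entry; returns None for blank or malformed lines."""
    fields = line.split()
    if not fields:
        return None
    # /proc/net/nf_conntrack prefixes each entry with the L3 family and number.
    if fields[0] in ("ipv4", "ipv6"):
        fields = fields[2:]
    if len(fields) < 3:
        return None
    proto = fields[0]
    # The state token (TCP only) sits after proto, protonum and timeout and
    # is the only bare word there; everything else is key=value.
    state = fields[3] if len(fields) > 3 and "=" not in fields[3] else None
    srcs = [v for k, v in KV_RE.findall(line) if k == "src"]
    dsts = [v for k, v in KV_RE.findall(line) if k == "dst"]
    if len(srcs) < 2 or len(dsts) < 2:
        return None
    return Flow(proto, state, srcs[0], dsts[0], srcs[1], dsts[1])


def parse_table(text: str) -> List[Flow]:
    """Parse a whole table dump, skipping lines that do not parse."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def stale_nat_flows(flows: List[Flow], internal_src: str) -> List[Flow]:
    """Flows originating from internal_src that still carry a SNAT mapping."""
    return [f for f in flows if f.orig_src == internal_src and f.snat]


if __name__ == "__main__":
    # Usage: python3 conntrack_nat.py [dump-file] [internal-address]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONNTRACK
    host = sys.argv[2] if len(sys.argv) > 2 else "192.168.2.4"
    for f in stale_nat_flows(parse_table(text), host):
        print(f"{f.proto:4} {f.state or '-':12} {f.orig_src} -> {f.orig_dst}"
              f" translated to {f.reply_dst}")
```

On a live router the input is `cat /proc/net/nf_conntrack` or `conntrack -L` (the latter lacks the `ipv4 2` prefix, which the parser tolerates). If the script still lists flows after the NAT rule has been removed, those entries are what keeps the old translation alive; `conntrack -F` as suggested in the reply drops them all, and `conntrack -D -s <address>` removes only the entries from one source.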