Thanks for analyzing it. This is not normal behaviour of netfilter, right? Where can I ask about the netfilter issue?
Thx.

-----Original Message-----
From: Tom Eastep [mailto:[email protected]]
Sent: Saturday, September 14, 2013 2:53 AM
To: [email protected]
Subject: Re: [Shorewall-users] routeback to same interface

On 9/13/2013 2:46 PM, İlker Aktuna wrote:
> Hi Guys,
>
> I really help. I understand that this might not be a problem of
> Shorewall (yet why not)

Let's look at this: Here's the INPUT chain:

    Chain PREROUTING (policy ACCEPT 89 packets, 5619 bytes)
     pkts bytes target   prot opt in   out  source     destination
     1960  210K dnat     all  --  *    *    0.0.0.0/0  0.0.0.0/0

    Chain dnat (1 references)
     pkts bytes target   prot opt in   out  source     destination
      336 30878 wan_dnat all  --  ppp0 *    0.0.0.0/0  0.0.0.0/0
      508 54430 wan_dnat all  --  ppp1 *    0.0.0.0/0  0.0.0.0/0
        0     0 wan_dnat all  --  tun0 *    0.0.0.0/0  0.0.0.0/0
     1116  125K lan_dnat all  --  br0  *    0.0.0.0/0  0.0.0.0/0   <=========

    Chain lan_dnat (1 references)
     pkts bytes target   prot opt in   out  source     destination
        0     0 DNAT     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:9306 to:192.168.254.21:80
        0     0 DNAT     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:9307 to:192.168.254.22:80
        6   312 ~log0    tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   [goto] tcp dpt:9309   <======
        0     0 DNAT     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcp dpt:9308 to:192.168.254.23:80

    Chain ~log0 (1 references)
     pkts bytes target   prot opt in   out  source     destination
        6   312 ULOG     all  --  *    *    0.0.0.0/0  0.0.0.0/0   ULOG copy_range 0 nlgroup 1 prefix "Shorewall:lan_dnat:DNAT:" queue_threshold 1   <==========
        6   312 DNAT     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   to:192.168.254.3:9309   <========

Looking at the rules marked with <====== together with the log messages being generated, we know that 6 packets directed to TCP port 9309 were redirected to IP address 192.168.254.3.

Now let's look at the filter table:

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in   out  source     destination
    82850   62M accounting all  --  *    *    0.0.0.0/0  0.0.0.0/0
     1365 71260 TCPMSS     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0   tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
     3578  452K ppp0_fwd   all  --  ppp0 *    0.0.0.0/0  0.0.0.0/0
     8067  819K ppp1_fwd   all  --  ppp1 *    0.0.0.0/0  0.0.0.0/0
        0     0 tun0_fwd   all  --  tun0 *    0.0.0.0/0  0.0.0.0/0
    71205   60M lan_frwd   all  --  br0  *    0.0.0.0/0  0.0.0.0/0   <=========
        0     0 eth0_fwd   all  --  eth0 *    0.0.0.0/0  0.0.0.0/0
        0     0 eth2_fwd   all  --  eth2 *    0.0.0.0/0  0.0.0.0/0
        0     0 Reject     all  --  *    *    0.0.0.0/0  0.0.0.0/0
        0     0 LOG        all  --  *    *    0.0.0.0/0  0.0.0.0/0   LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
        0     0 reject     all  --  *    *    0.0.0.0/0  0.0.0.0/0   [goto]

    Chain lan_frwd (1 references)
     pkts bytes target     prot opt in   out  source     destination
     1946  311K dynamic    all  --  *    *    0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
     4234  944K lan2wan    all  --  *    ppp0 0.0.0.0/0  0.0.0.0/0
    10783 2861K lan2wan    all  --  *    ppp1 0.0.0.0/0  0.0.0.0/0
        0     0 lan2wan    all  --  *    tun0 0.0.0.0/0  0.0.0.0/0
    56188   57M lan2lan    all  --  *    br0  0.0.0.0/0  0.0.0.0/0   <========
        0     0 lan2lanx   all  --  *    eth0 0.0.0.0/0  0.0.0.0/0
        0     0 lan2lanx   all  --  *    eth2 0.0.0.0/0  0.0.0.0/0

    Chain lan2lan (1 references)
     pkts bytes target     prot opt in   out  source     destination
        1    60 TCPMSS     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0        tcpflags: 0x06/0x02 tcpmss match 1452:65535 TCPMSS set 1452
        1    60 TCPMSS     tcp  --  *    *    0.0.0.0/0  0.0.0.0/0        tcpflags: 0x06/0x02 tcpmss match 1452:65535 TCPMSS set 1452
    56160   57M ACCEPT     all  --  *    *    0.0.0.0/0  0.0.0.0/0        ctstate RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0  192.168.254.21   tcp dpt:80 ctorigdstport 9306
        0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0  192.168.254.22   tcp dpt:80 ctorigdstport 9307
        0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0  192.168.254.3    tcp dpt:9309 ctorigdstport 9309   <====
        0     0 ACCEPT     tcp  --  *    *    0.0.0.0/0  192.168.254.23   tcp dpt:80 ctorigdstport 9308
       28  6612 ACCEPT     all  --  *    *    0.0.0.0/0  0.0.0.0/0

If Netfilter had correctly rerouted the packet, it would have matched the last marked rule. It didn't; from that I conclude that Netfilter is not doing the right thing in this case.

-Tom

-- 
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________
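The counter walk Tom does above, as an added example that is not code from the thread or from Shorewall: a small Python script that parses `iptables -nvL`-style chain listings, finds the DNAT rules that actually fired, and compares their packet counters with the ACCEPT rules for the translated address and port, so a zero-hit ACCEPT beside a nonzero DNAT stands out without reading every chain by hand. The listing it runs on is a constructed, abridged copy of the chains quoted above; the chain name `lan2lan` is taken from that output.

```python
import re
# Constructed sample, abridged from the nat and filter chains quoted in the thread.
LISTING = """\
Chain lan_dnat (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT   tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:9306 to:192.168.254.21:80
    6   312 ~log0  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  [goto] tcp dpt:9309
Chain ~log0 (1 references)
    6   312 DNAT   tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  to:192.168.254.3:9309
Chain lan2lan (1 references)
56160   57M ACCEPT all  --  *  *  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *  *  0.0.0.0/0  192.168.254.3  tcp dpt:9309 ctorigdstport 9309
   28  6612 ACCEPT all  --  *  *  0.0.0.0/0  0.0.0.0/0
"""
CHAIN = re.compile(r"Chain (\S+)")
# columns: pkts bytes target prot opt in out source destination [match/target options]
RULE = re.compile(r"\s*(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)(?:\s+(.*))?$")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}

def count(tok):
    """Turn an iptables counter such as '57M' or '312' into an int."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_listing(text):
    """Parse `iptables -nvL` style output into {chain: [(pkts, target, dst, options), ...]}."""
    chains, cur = {}, []
    for line in text.splitlines():
        if m := CHAIN.match(line):
            cur = chains.setdefault(m.group(1), [])
        elif m := RULE.match(line):
            pkts, target, dst, opts = m.groups()
            cur.append((count(pkts), target, dst, opts or ""))
    return chains

def check_forward(chains, chain):
    """Sum the ACCEPT counters in `chain` for each fired DNAT's translated address and port.
    DNAT > 0 with ACCEPT == 0 is the symptom in the thread: translated but never matched."""
    findings = []
    for rules in chains.values():
        for pkts, target, _dst, opts in rules:
            m = re.search(r"to:(\d+\.\d+\.\d+\.\d+):(\d+)", opts)
            if target == "DNAT" and m and pkts:
                ip, port = m.group(1), m.group(2)
                accepted = sum(p for p, t, d, o in chains.get(chain, [])
                               if t == "ACCEPT" and d == ip and re.search(rf"dpt:{port}\b", o))
                findings.append((ip, int(port), pkts, accepted))
    return findings
if __name__ == "__main__":
    for ip, port, dnat, accepted in check_forward(parse_listing(LISTING), "lan2lan"):
        print(f"{ip}:{port} DNAT={dnat} ACCEPT={accepted}", "OK" if accepted >= dnat else "MISMATCH")
```

Feed it the full `iptables -t nat -nvL` and `iptables -nvL` output concatenated and it reports every DNAT target whose forward rule never saw the translated packets.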
