[KLUG Members] weird iptables problem. NAT kills my forwarding before I can make a rule.
John Pesce
pescej at sprl.db.erau.edu
Mon Oct 11 17:56:03 EDT 2004
I'm seeing a very weird problem with multicast traffic and iptables NAT.
I'm running Suse 9.1 Pro on a box with three NICs used for packet
forwarding between three LANs.
If the iptable_nat module gets loaded, even if I just type 'iptables -L -v -t nat',
all my multicast traffic stops forwarding.
I can't find anything in any docs about this.
First off, my routes are working fine and I'm running pimd to forward
multicast traffic between the three LANs just fine, as long as
iptable_nat doesn't get loaded.
My three interfaces are:
eth0 Link encap:Ethernet HWaddr 00:A0:C9:8E:C3:F7
inet addr:192.168.2.4 Bcast:192.168.2.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:A0:C9:8E:CD:65
inet addr:10.7.35.2 Bcast:10.7.35.255 Mask:255.255.255.0
eth2 Link encap:Ethernet HWaddr 00:06:5B:1D:AB:41
inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0
route returns:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
10.7.32.0       10.7.35.1       255.255.255.0   UG    0      0        0 eth1
10.7.33.0       10.7.35.1       255.255.255.0   UG    0      0        0 eth1
10.7.35.0       *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
netstat -g returns:
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 ALL-SYSTEMS.MCAST.NET
eth0 1 ALL-ROUTERS.MCAST.NET
eth0 1 PIM-ROUTERS.MCAST.NET
eth0 1 ALL-SYSTEMS.MCAST.NET
eth1 1 ALL-ROUTERS.MCAST.NET
eth1 1 PIM-ROUTERS.MCAST.NET
eth1 1 ALL-SYSTEMS.MCAST.NET
eth2 1 ALL-ROUTERS.MCAST.NET
eth2 1 PIM-ROUTERS.MCAST.NET
eth2 1 ALL-SYSTEMS.MCAST.NET
if I type 'iptables -L -v' I get:
Chain INPUT (policy ACCEPT 1936 packets, 145K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 766K packets, 82M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1165 packets, 97111 bytes)
pkts bytes target prot opt in out source destination
At this point everything works fine.
rts:~ # lsmod | grep ip
iptable_filter 2944 0
ip_tables 17280 2 iptable_nat,iptable_filter
Now, the problem is that the 10.7.32.0 and 10.7.33.0 LANs exist on the
other side of a router on the 10.7.35.0 LAN and I don't have control
over them. They see all the multicast traffic from the 10.7.35.0 LAN
just fine, but they don't see multicast traffic from the 192.168.2.0 and
192.168.3.0 LANs, even though it is forwarded to the 10.7.35.0 LAN
because that other router has an access control list that only accepts
traffic from 10.7.0.0 addresses.
I would like to SNAT all traffic leaving my 10.7.35.2 NIC to appear to
come from 10.7.35.2. The problem is, before I can even make a SNAT rule,
all my multicast traffic routing stops cold when the iptable_nat module
gets loaded.
if I type 'iptables -L -v -t nat' I get:
Chain PREROUTING (policy ACCEPT 270 packets, 21466 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 4 packets, 298 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
From what I understand, the above output should indicate that no NATting
is going on and no packets should be messed with.
So what is going on??????
Help!!! Please.....
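As an added example (not from the original post), the POSTROUTING rules below implement the SNAT described above for everything leaving eth1 while explicitly leaving multicast (224.0.0.0/4) alone, with a small first-match simulator so the rule order can be checked without root. The interface name and 10.7.35.2 come from the post; the multicast exclusion ahead of the SNAT rule is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the original post: POSTROUTING rules for the SNAT
# the poster wants (all traffic leaving eth1 appears as 10.7.35.2), with an
# ACCEPT for multicast placed first so those packets are never rewritten.
# Interface and address are from the post; the multicast exclusion is an
# assumption of this example.
OUT_IF="eth1"
SNAT_IP="10.7.35.2"

# Emit the rules as command lines (dry run; nothing is applied).
nat_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -o $OUT_IF -d 224.0.0.0/4 -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -o $OUT_IF -j SNAT --to-source $SNAT_IP"
}

# Apply them for real (root only); stops at the first rule iptables rejects.
apply_nat_rules() {
    nat_rules | while IFS= read -r cmd; do $cmd || exit 1; done
}

# True when the dotted quad in $1 lies in 224.0.0.0/4 (first octet 224-239).
is_multicast() {
    first=${1%%.*}
    [ "$first" -ge 224 ] && [ "$first" -le 239 ]
}

# Simulate POSTROUTING first-match for one packet: $1=destination, $2=out
# interface. Prints ACCEPT (left alone), SNAT (rewritten) or NONE (no rule
# matched, so the chain's ACCEPT policy applies and nothing is rewritten).
postrouting_verdict() {
    dst=$1; oif=$2
    if [ "$oif" != "$OUT_IF" ]; then echo NONE; return; fi
    if is_multicast "$dst"; then echo ACCEPT; return; fi
    echo SNAT
}
```

Note that the nat table is consulted only for the first packet of each connection-tracking entry, so the chain counters shown by 'iptables -L -v -t nat' never reflect the full volume of forwarded traffic.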