Iptables or Kernel BUG

Bug #30051 reported by UbuPetr
Affects: linux-source-2.6.20 (Ubuntu)
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Package: iptables
Version: 1.3.x

or

Package: linux-image-2.6, linux-image-2.4
Version: all versions

After starting forwarding through SNAT or MASQUERADE and then stopping SNAT or MASQUERADE, you must unload and load again the iptables and NAT modules, otherwise forwarding will not work! Even further, if you flush the NAT iptables, you must echo 0 > ip_forward before unloading the iptables and NAT modules!

Demonstration:
I discovered a partial solution:

Operating sequence:
---disappear further hell things---
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -t mangle -F
iptables -t nat -F
iptables -F
reboot

---switch on - choose a) or b)---
a) iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6
b) iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4
echo "1" > /proc/sys/net/ipv4/ip_forward

Here is the base of the problem. If we want to do other things with iptable_nat, we must always switch it off and switch it on again; it will not recover by itself! Do you know whether this is a bug in the kernel or in iptables?

If we switch on SNAT:
---switch off iptables---
iptables -t nat -D POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6
modprobe -r iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6

If we switch on MASQUERADE:
---switch off iptables---
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4
modprobe -r ipt_MASQUERADE iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4

If we switch on SNAT and wanna use "iptables -t nat -F":
---switch off iptables---
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
modprobe -r iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.4 -j SNAT --to-source 10.10.2.6
echo "1" > /proc/sys/net/ipv4/ip_forward

If we switch on MASQUERADE and wanna use "iptables -t nat -F":
---switch off iptables---
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
modprobe -r ipt_MASQUERADE iptable_nat iptable_filter

---switch on iptables---
modprobe iptable_nat
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s 192.168.2.4
echo "1" > /proc/sys/net/ipv4/ip_forward

This is the important thing: if we use "iptables -t nat -F", we must do "echo "0" > /proc/sys/net/ipv4/ip_forward". If some step from this operating sequence is missed or the order of the procedure is wrong, forwarding evidently will not work anymore.

My PC:
CPU: P4 Prescott 2,66 GHz (533 FSB)
MB: FIC P4M-800M/T2 (Via PT800CE)
Memory: 1GB DDR 400 MHz single channel (2 x 512MB)
eth0: Realtek 8100C = RTL-8139/8139C/8139C+ (rev 10)
eth1: Edimax EN-9150TXL = VT6105 [Rhine-III] (rev 8b)

Affected Distros: Ubuntu/Kubuntu 5.10 (The Breezy Badger), Debian Etch/Sid and maybe more
Affected Kernels: 2.4.x, 2.6.x

Yours sincerely, Petr Novák
<email address hidden>

PS: Excuse me for my bad English. (http://groups.google.com/group/cz.comp.linux/browse_thread/thread/4013e2f5b22aeb26/517f96af44bae92b?hl=cs#517f96af44bae92b)
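A state check to run between the steps of the operating sequence above, so a test host can show which of the three things the sequence manipulates (ip_forward, the iptable_nat module, the nat POSTROUTING rule) is actually in place after each command. This is an added example, not code from the bug report or from Ubuntu; it assumes `iptables-save` output and `/proc/modules` have been captured to files, and the sample data used with it is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: snapshot the three pieces of state the
# reporter's operating sequence manipulates, so each step can be checked on a
# test host. Inputs are files holding captured text (`iptables-save` output,
# /proc/modules) plus the ip_forward value; the samples used in testing are constructed.

# Exit 0 if the iptables-save text on stdin has a nat POSTROUTING SNAT or
# MASQUERADE rule whose source is SRC (iptables-save may print SRC or SRC/32).
nat_rule_present() {
    awk -v src="$1" '
        /^\*/ { table = substr($0, 2) }      # "*nat", "*filter", ... table header
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j (SNAT|MASQUERADE)/ {
            for (i = 3; i < NF; i++)
                if ($i == "-s" && ($(i + 1) == src || $(i + 1) == src "/32")) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if the /proc/modules text on stdin lists module MOD (first column).
module_loaded() {
    awk -v mod="$1" '$1 == mod { found = 1 } END { exit found ? 0 : 1 }'
}

# Print one verdict word for the state the sequence depends on:
#   fwd-off     ip_forward is 0 (the "switched off" state of the sequence)
#   no-nat-mod  iptable_nat is not loaded, so no nat rule can be active
#   no-rule     forwarding on, module loaded, but nothing in nat POSTROUTING for SRC
#   ready       forwarding on, iptable_nat loaded, SNAT/MASQUERADE rule for SRC present
# Usage: forwarding_verdict IP_FORWARD SRC SAVE_FILE MODULES_FILE
forwarding_verdict() {
    ip_forward="$1"; src="$2"; save_file="$3"; modules_file="$4"
    if [ "$ip_forward" != "1" ]; then echo fwd-off; return 0; fi
    if ! module_loaded iptable_nat < "$modules_file"; then echo no-nat-mod; return 0; fi
    if ! nat_rule_present "$src" < "$save_file"; then echo no-rule; return 0; fi
    echo ready
}

# On a real host, save `iptables-save` output to a file first, then run:
#   forwarding_verdict "$(cat /proc/sys/net/ipv4/ip_forward)" 192.168.2.4 nat.save /proc/modules
```

Run it once after each line of the sequence (flush, modprobe -r, modprobe, rule add, echo 1) and the verdict shows exactly which step left forwarding in a state the reporter describes as "not working".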

Simon Law (sfllaw) wrote :

Petr,

Does this still happen with the recent beta of Dapper?
This is not normal behaviour for the netfilter modules.

Thanks.

Changed in linux-source-2.6.15:
status: Unconfirmed → Needs Info
UbuPetr (ubu-petr) wrote :

Hello Simon,
excuse me for the long delay. The same behaviour occurs on the latest Feisty Fawn. Luckily my solution reported above still works.

Changed in linux-source-2.6.15:
assignee: nobody → ubuntu-kernel-team
status: Needs Info → Confirmed
Soren Hansen (soren) wrote :

Could you please restate the steps to reproduce this? Please just focus on *one* use-case at a time. I find that the original bug report seems to mix two different ways to reproduce things, which confuses me a lot.

Assume you've just booted the system (so the iptables are clear), and then please tell me the exact commands you enter and explain when it does something you think is wrong.

Changed in linux-source-2.6.20:
status: Confirmed → Needs Info
Soren Hansen (soren) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in linux-source-2.6.20:
status: Incomplete → Invalid
Launchpad Janitor (janitor) wrote : Kernel team bugs

Per a decision made by the Ubuntu Kernel Team, bugs will no longer be assigned to the ubuntu-kernel-team in Launchpad as part of the bug triage process. The ubuntu-kernel-team is being unassigned from this bug report. Refer to https://wiki.ubuntu.com/KernelTeamBugPolicies for more information. Thanks.
