Bug 53356 - iptables -j DNAT does not work in kernel 2.4.3-12
Summary: iptables -j DNAT does not work in kernel 2.4.3-12
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.1
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Arjan van de Ven
QA Contact: Brock Organ
Depends On:
Reported: 2001-09-07 09:30 UTC by Klaus Muth
Modified: 2007-04-18 16:36 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2001-09-07 09:30:52 UTC

Description Klaus Muth 2001-09-07 09:30:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [de] (X11; U; Linux 2.4.2-2 i686; Nav)

Description of problem:
After reading about the ip_conntrack_ftp exploit I tried to get a new
kernel. I compiled the kernel with the same config, but now the port
forwarding rules do not work: the iptables commands are accepted, the
packets are counted, but there is no forwarding ;/. I don't know whether
the packets are dropped or whatever.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure a firewall with some port forwarding rules
2. Try until all works fine
3. Upgrade the 2.4.2-2 kernel to a 2.4.3-12 kernel
4. The forwarded ports do not work

Additional info:

Chain PREROUTING (policy ACCEPT 65 packets, 11672 bytes)
 pkts bytes target     prot opt in     out     source              
    0     0 DNAT       tcp  --  any    any     anywhere      tcp dpt:ftp-data to:
    1    60 DNAT       tcp  --  any    any     anywhere         tcp dpt:ftp to:
    0     0 DNAT       tcp  --  any    any     anywhere         tcp dpt:http to:
    2   120 DNAT       tcp  --  any    any     anywhere         tcp dpt:2367 to:

Packets counted but not forwarded ;/

Comment 1 Klaus Muth 2001-09-20 13:54:01 UTC
This is a UTS-Bug (User too stupid). Port forwarding did not work, because
the server behind the firewall had no route back for the test (somebody
rebooted it).
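
Added example, not part of the bug report: Comment 1 traces the symptom (DNAT rule counters increase, but connections never complete) to the server behind the firewall having no route back. The Python below checks for that condition from the server's `ip route` output. The addresses, sample routing tables and function names are constructed for illustration, and only plain unicast routes are assumed.

```python
import ipaddress

# Constructed samples of `ip route` output on the server behind the firewall.
# 192.168.1.1 stands in for the firewall's internal address (assumption).
ROUTES_OK = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""
ROUTES_AFTER_REBOOT = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""

def parse_routes(text):
    """Parse `ip route` lines into (network, gateway-or-None) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        gw = None
        if "via" in fields:
            gw = ipaddress.ip_address(fields[fields.index("via") + 1])
        routes.append((net, gw))
    return routes

def reply_path(routes, client, firewall):
    """Classify how the server would route its reply to `client`."""
    client = ipaddress.ip_address(client)
    firewall = ipaddress.ip_address(firewall)
    matches = [(net, gw) for net, gw in routes if client in net]
    if not matches:
        return "no-route"           # reply is never sent: the cause found in Comment 1
    net, gw = max(matches, key=lambda r: r[0].prefixlen)  # longest prefix wins
    if gw == firewall:
        return "via-firewall"       # reply passes the NAT box, which reverses the DNAT
    if gw is None:
        return "on-link"            # reply goes straight to the client, bypassing the NAT box
    return "via-other-gateway"      # reply leaves by a different router: asymmetric path

if __name__ == "__main__":
    for name, table in (("ok", ROUTES_OK), ("after reboot", ROUTES_AFTER_REBOOT)):
        print(name, reply_path(parse_routes(table), "203.0.113.7", "192.168.1.1"))
```

Any result other than "via-firewall" means the DNAT rule on the firewall can match and count packets while the client never sees a usable reply.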