
Why didn't iptables apply the same rules?

0 votes
1 answer
39 views
For some reason, my network encountered a "Destination unreachable no route" error. This error happened periodically; later I found that it was a bug in my program. But during that time, I found a weird problem: if I started a ping when the network worked, then the ping kept working continuously even after the network had the route problem later. I used iptables trace and found that these iptables rules were applied while the ping process was working:
raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
As you can see, when the first ICMP6 packet is handled, those rules are applied:
raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2
the following ICMP6 packets were handled with different rules:
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
It looks like all nat table rules are skipped; I don't know why this happened. Shouldn't each ICMP6 packet go through the same rules? I should mention that these packets pass through a VPN tunnel created by a strongswan process, which I don't think affects iptables. These are my iptables rules:
ip6tables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s fd96:ee88:2:2::/64 -j TRACE
[root@edge1 ~]# ip6tables  -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FABEDGE-FORWARD
-A FORWARD -j FABEDGE-FORWARD
-A FABEDGE-FORWARD -s fd96:ee88:2:2::/64 -j ACCEPT
-A FABEDGE-FORWARD -d fd96:ee88:2:2::/64 -j ACCEPT
ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N FABEDGE-NAT-OUTGOING
-A POSTROUTING -j FABEDGE-NAT-OUTGOING
-A FABEDGE-NAT-OUTGOING -m set --match-set FABEDGE-LOOP-BACK6 dst,dst,src -j MASQUERADE
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -m set --match-set FABEDGE-PEER-CIDR6 dst -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -d fd96:ee88:2:2::/64 -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -j MASQUERADE
More detailed iptables trace:
[505397.327144] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327183] TRACE: nat:PREROUTING:policy:1 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327207] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327215] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327223] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327241] TRACE: nat:FABEDGE-NAT-OUTGOING:rule:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327246] TRACE: nat:POSTROUTING:policy:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505398.328257] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328290] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328299] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505399.329386] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329431] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329440] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505400.329280] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329315] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329324] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
Asked by Jianbo Yan (53 rep)
Sep 14, 2022, 06:41 AM
Last activity: Sep 14, 2022, 07:34 AM
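An added example, not the asker's code: a small Python script that parses the kernel TRACE lines from the question, groups them by the tuple connection tracking uses for an ICMPv6 echo flow (protocol, source, destination, echo ID) and reports, per echo SEQ, which tables each packet traversed. It makes the pattern in the trace explicit: the nat table is consulted only for the first packet of a connection; once conntrack has recorded the NAT mapping for that flow, later packets are translated from the conntrack entry without re-traversing the nat chains, while the raw and filter chains are still evaluated for every packet. The sample input is the question's own trace with the MAC/LEN/HOPLIMIT fields dropped for brevity (a constructed, abbreviated copy).

```python
import re
from collections import OrderedDict

# Constructed sample input: the ip6tables TRACE lines from the question, with the
# MAC/LEN/TC/HOPLIMIT/FLOWLBL fields removed. Tables, chains, addresses, ID and SEQ
# are exactly as in the original trace.
SAMPLE_TRACE = [
    "[505397.327144] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505397.327183] TRACE: nat:PREROUTING:policy:1 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505397.327207] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505397.327215] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505397.327223] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505397.327241] TRACE: nat:FABEDGE-NAT-OUTGOING:rule:2 IN= OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505397.327246] TRACE: nat:POSTROUTING:policy:2 IN= OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1",
    "[505398.328257] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2",
    "[505398.328290] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2",
    "[505398.328299] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2",
    "[505399.329386] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3",
    "[505399.329431] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3",
    "[505399.329440] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3",
    "[505400.329280] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4",
    "[505400.329315] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4",
    "[505400.329324] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4",
]

# "TRACE: table:chain:rule|policy|return:N" as printed by the iptables TRACE target.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[a-z]+):(?P<chain>[A-Za-z0-9_-]+):(?P<kind>rule|policy|return):(?P<num>\d+)"
)
# KEY=value fields that follow the verdict (OUT= may legitimately be empty).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_trace_line(line):
    """Parse one kernel TRACE line into (table, chain, verdict, fields) or None."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    return m.group("table"), m.group("chain"), f"{m.group('kind')}:{m.group('num')}", fields


def flow_key(fields):
    """Identify an ICMPv6 echo flow the way conntrack does: addresses plus echo ID."""
    return (fields.get("PROTO"), fields.get("SRC"), fields.get("DST"), fields.get("ID"))


def hops_by_packet(lines):
    """Group trace hops per flow and per echo SEQ, preserving the order seen."""
    flows = OrderedDict()
    for line in lines:
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        table, chain, verdict, fields = parsed
        seq = int(fields.get("SEQ", "0"))
        packets = flows.setdefault(flow_key(fields), OrderedDict())
        packets.setdefault(seq, []).append(f"{table}:{chain}:{verdict}")
    return flows


def tables_seen(hops):
    """Sorted set of tables (raw/mangle/nat/filter) a packet's hop list touched."""
    return sorted({hop.split(":", 1)[0] for hop in hops})


def nat_traversal_report(lines):
    """Per flow: which echo SEQs consulted the nat table and which skipped it.
    Because nat chains are evaluated only for the first packet of a conntrack
    connection (the resulting mapping is stored in the conntrack entry and reused),
    the expected shape is: first SEQ consulted nat, every later SEQ skipped it."""
    report = {}
    for flow, packets in hops_by_packet(lines).items():
        consulted = [seq for seq, hops in packets.items() if "nat" in tables_seen(hops)]
        skipped = [seq for seq, hops in packets.items() if "nat" not in tables_seen(hops)]
        report[flow] = {"nat_consulted": consulted, "nat_skipped": skipped}
    return report


if __name__ == "__main__":
    for flow, verdicts in nat_traversal_report(SAMPLE_TRACE).items():
        proto, src, dst, echo_id = flow
        print(f"{proto} {src} -> {dst} id={echo_id}")
        print("  nat consulted for SEQ:", verdicts["nat_consulted"])
        print("  nat skipped   for SEQ:", verdicts["nat_skipped"])
```

Run against the sample it reports one flow with nat consulted for SEQ 1 only and skipped for SEQ 2, 3 and 4, which is exactly the per-packet behaviour the trace shows. On the host itself, the cached mapping that later packets are translated from can be inspected with `conntrack -L -f ipv6` from conntrack-tools; the entry persists while the ping keeps it refreshed, so an in-flight flow is not re-evaluated by the nat chains even after the rules or the routing situation change.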