URGENT problem with phantom dropped packets
Posted: 19 Jun 2014, 21:52
Hi
I'm having a bit of an issue. I have set up a KVM VPS on my CentOS 6.5 which has routed networking.
I have a DNAT rule in the csfpre file so that, as traffic comes in (PREROUTING), the external IP is changed to the local IP. As the traffic traverses the iptables chains, it seems to be dropped (not rejected) somewhere in the FILTER FORWARD table. This is not being logged in /var/log/messages.
If I take CSF down, and run csfpre on its own, the routing works fine as expected. As soon as I bring CSF up, it stops working.
The contents of csfpre file are as follows:
Code:
# nat: rewrite the destination of inbound TCP to the guest (inserted at position 1)
iptables -t nat -I PREROUTING 1 -d [EXTERNAL IP MASKED]/24 -p tcp -m tcp -j DNAT --to-destination 192.168.123.2
# nat: masquerade guest traffic leaving the 192.168.123.0/24 network
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
iptables -t nat -A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
# filter: allow replies back to the guest, anything from the guest, and guest-to-guest
iptables -A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
iptables -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
# filter: reject anything else arriving on virbr1
iptables -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
Somewhere, CSF is adding a rule after this lot which is causing it to stop. Attached is the iptables-save output after CSF has started, and csf.conf. No csf.blocklists are being used. csf is already at the latest version: v7.03. Any urgent help will be awesome.
pastebin.com/8FK5RDmH
pastebin.com/t3jBaq6u
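The rules in the post can be checked offline by walking them the way netfilter would. What follows is an added example, not code from this post or from csf: a small Python matcher that parses iptables-save output and reports which FORWARD rule, or the chain policy, decides a DNATted packet. The dump it parses is constructed from the csfpre FORWARD rules above (with the documentation address 203.0.113.10 standing in for the masked external IP) and is not the attached pastebin. Walking those rules shows that a new inbound connection to 192.168.123.2 matches none of the explicit ACCEPTs and reaches the FORWARD chain policy, so its fate depends on whatever policy or later rules are in place when the walk ends. The sample packets and the EXPLICIT_ACCEPT rule are the example's own assumptions.

```python
"""Walk an iptables-save dump the way the kernel would and report where a
packet stops.  Added example, not code from the forum post or from csf; the
dump is constructed from the poster's csfpre FORWARD rules, not the pastebin."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE"}
MATCH_KEYS = ("-s", "-d", "-i", "-o", "-p", "--state", "--dport", "--sport")

# Constructed dump: the poster's rules with a configurable FORWARD policy and
# an optional extra rule in front of them.  203.0.113.10 stands in for the
# masked external IP.
DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/24 -p tcp -m tcp -j DNAT --to-destination 192.168.123.2
-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD {policy} [0:0]
:OUTPUT ACCEPT [0:0]
{extra}-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_dump(text):
    """Return {table: {"policy": {chain: policy-or-None}, "rules": [...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = None if policy == "-" else policy
        elif line.startswith("-A "):
            table["rules"].append(parse_rule(line))
    return tables


def parse_rule(line):
    """Split one '-A CHAIN ...' line into matches, target and target options.
    Simplified: every option is assumed to take exactly one argument."""
    toks = shlex.split(line)
    rule = {"raw": line, "chain": toks[1], "matches": [], "target": None, "opts": {}}
    i, negate = 2, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok in MATCH_KEYS:
            rule["matches"].append((negate, tok, toks[i + 1]))
            negate = False
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        elif tok != "-m":          # -m only loads a module; the rest are target options
            rule["opts"][tok] = toks[i + 1]
        i += 2
    return rule


def match_one(negate, key, value, pkt):
    """Evaluate one match against a packet dict; a leading '!' inverts it."""
    if key in ("-s", "-d"):
        addr = pkt["src" if key == "-s" else "dst"]
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    elif key in ("-i", "-o"):
        iface = pkt["in_if" if key == "-i" else "out_if"]
        hit = iface.startswith(value[:-1]) if value.endswith("+") else iface == value
    elif key == "-p":
        hit = pkt["proto"] == value
    elif key == "--state":
        hit = pkt["state"] in value.split(",")
    else:                          # --dport / --sport
        hit = str(pkt.get(key[2:])) == value
    return hit != negate


def walk(table, chain, pkt):
    """Return (verdict, rule) for pkt traversing chain; rule is None when the
    chain policy decides.  User-defined chains are followed recursively."""
    for rule in table["rules"]:
        if rule["chain"] != chain:
            continue
        if not all(match_one(n, k, v, pkt) for n, k, v in rule["matches"]):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, rule
        if target == "RETURN":
            break
        if target in table["policy"]:   # user chain: descend, continue if it returns
            verdict, hit = walk(table, target, pkt)
            if verdict:
                return verdict, hit
        # LOG and other non-terminating targets fall through to the next rule
    return table["policy"].get(chain), None


def trace(pkt, forward_policy="ACCEPT", extra_rule=""):
    """Run pkt through nat PREROUTING (applying DNAT), then filter FORWARD.
    Returns (verdict, matched rule text or 'chain policy', post-DNAT dst)."""
    extra = extra_rule + "\n" if extra_rule else ""
    tables = parse_dump(DUMP.format(policy=forward_policy, extra=extra))
    pkt = dict(pkt)
    verdict, rule = walk(tables["nat"], "PREROUTING", pkt)
    if verdict == "DNAT":
        pkt["dst"] = rule["opts"]["--to-destination"].split(":")[0]
    verdict, rule = walk(tables["filter"], "FORWARD", pkt)
    return verdict, (rule["raw"] if rule else "chain policy"), pkt["dst"]


# Constructed packets: a fresh inbound SYN to the VPS and a packet of an already
# established connection; out_if is what routing would pick after DNAT.
INBOUND_NEW = dict(src="198.51.100.7", dst="203.0.113.10", in_if="eth0",
                   out_if="virbr1", proto="tcp", state="NEW", dport=80)
INBOUND_ESTABLISHED = dict(INBOUND_NEW, state="ESTABLISHED")
# Rule this example would add to csfpre to accept new DNATted connections
# explicitly (the example's suggestion, not something from the post).
EXPLICIT_ACCEPT = "-A FORWARD -d 192.168.123.2/32 -o virbr1 -p tcp -m state --state NEW -j ACCEPT"

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(policy, trace(INBOUND_NEW, policy))
    print("with explicit accept", trace(INBOUND_NEW, "DROP", EXPLICIT_ACCEPT))
```

On the live host, feed the real `iptables-save` output to parse_dump instead of the constructed DUMP and set out_if to the interface the route to the guest uses. The matcher only understands the match options listed in MATCH_KEYS and treats anything else as target options, so a rule carrying matches it does not know will look broader than it is; use its answer as a pointer to the rule to inspect with the packet counters from `iptables -L FORWARD -v -n --line-numbers` rather than as a final verdict.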