I am running EdgeOS (aka Vyatta 6.3, aka Debian) with 3.4.27. There are two DNAT port-forwarding rules like this:
    rule 1 {
        destination {
            port 65432
        }
        inbound-interface eth0
        inside-address {
            address 192.168.88.5
        }
        log disable
        protocol tcp_udp
        type destination
    }
Disregarding the specifics of this Linux distribution, I assume that ALL TCP and UDP packets should be forwarded to the LAN and only filtered by the [wan-lan] firewall rules. Am I right in this assumption? Because some packets destined for the IP of eth0, with a dport satisfying the DNAT rule, still end up in the [wan-local] firewall. Those packets are mostly TCP with the following flags: ACK RST, RST, ACK FIN. The flow is not really active and there are no drops on eth0 during that time.
Am I missing something, or does iptables not do its job 100% properly?
Thank you.
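An added example (not part of the original post and not EdgeOS or netfilter code) that models the conntrack rule behind the observation above: the nat table is consulted only for packets conntrack classifies as NEW, and a TCP packet with no conntrack entry is NEW only if it is a SYN (or a bare ACK when nf_conntrack_tcp_loose=1), so a late RST or FIN-ACK whose entry has already expired is INVALID, is never translated, and is delivered to the router itself, i.e. the [wan-local] ruleset. The WAN address 203.0.113.10 and the peer 198.51.100.7 are constructed; the inside address and port come from the rule in the question.

```python
# Simplified model of netfilter's decision path for a TCP packet arriving on
# eth0: nat PREROUTING runs once, for the NEW packet, and conntrack reuses that
# mapping afterwards; INVALID packets bypass NAT and reach INPUT (wan-local).
from collections import namedtuple

WAN_IP = "203.0.113.10"   # constructed address on eth0 (documentation range)
INSIDE = "192.168.88.5"   # inside-address from the DNAT rule
DNAT_PORT = 65432         # destination port from the DNAT rule

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: frozenset

def conntrack_state(pkt, table, tcp_loose=True):
    """ESTABLISHED for a known 5-tuple; NEW for a SYN (or a bare ACK when
    nf_conntrack_tcp_loose=1); anything else without an entry is INVALID.
    Flag priority mirrors nf_conntrack_proto_tcp: RST > SYN > FIN > ACK."""
    if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in table:
        return "ESTABLISHED"
    idx = next((f for f in ("RST", "SYN", "FIN", "ACK") if f in pkt.flags), None)
    if idx == "SYN" or (idx == "ACK" and tcp_loose):
        return "NEW"
    return "INVALID"

def handle(pkt, table, tcp_loose=True):
    """Return (state, ruleset hit, delivered-to address) for one packet."""
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    state = conntrack_state(pkt, table, tcp_loose)
    if state == "INVALID":
        return state, "wan-local", pkt.dst      # untranslated: local delivery
    if state == "NEW":                          # nat PREROUTING runs only here
        table[key] = INSIDE if pkt.dport == DNAT_PORT else WAN_IP
    dst = table[key]                            # later packets reuse the mapping
    return state, ("wan-lan" if dst == INSIDE else "wan-local"), dst

def scenario(tcp_loose=True):
    """Handshake, data, then the entry expires and stray RST/FIN/ACK arrive."""
    table, out = {}, []
    def pkt(*flags):
        return Packet("198.51.100.7", 40000, WAN_IP, DNAT_PORT, frozenset(flags))
    out.append(handle(pkt("SYN"), table, tcp_loose))
    out.append(handle(pkt("ACK"), table, tcp_loose))
    table.clear()                       # conntrack entry timed out or was closed
    out.append(handle(pkt("ACK", "RST"), table, tcp_loose))
    out.append(handle(pkt("ACK", "FIN"), table, tcp_loose))
    out.append(handle(pkt("ACK"), table, tcp_loose))  # NEW only in loose mode
    return out

if __name__ == "__main__":
    for state, ruleset, dst in scenario():
        print(f"{state:12} -> {ruleset:9} dst={dst}")
```

This is why EdgeOS rulesets for [wan-local] conventionally drop state INVALID early: those packets belong to no live connection and were never going to be forwarded.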