iptables SNAT misses some packets

Ygrex · 04-09-2010, 06:55 AM

Hi,

I've noticed few packets behind the NAT, which should be NATed, but they are not.

In other words. My NAT:

Code:

iptables -A POSTROUTING -s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55

eth0 with 22.33.44.55 - Internet gw
eth1 with 192.168.1.254 - Intranet gw

Then:

Code:

tcpdump -i eth0 -ne 'net 192.168.1.0/24'

And it sometimes outputs something. It all works generally, but distinct packets for some reason passes SNAT w/o altering src. These packets definetely reach the next gateway, I see them on the other side as well.

Thanks in advance,

Igor

nimnull22 · 04-09-2010, 10:01 AM

-s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55

Can you describe it in words, please. Especially about "\!" part.

Thanks

Ygrex · 04-09-2010, 01:07 PM

Quote:

Originally Posted by nimnull22

-s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55

Can you describe it in words, please. Especially about "\!" part.

it must do (and definetely does) NAT for any host from 192.168.1.0/24 to 22.33.44.55; meantime I do not want to NAT a local traffic; no other rules in NAT table

then, simetimes I see on eth0 smth like:

Quote:

IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0

Ygrex · 04-09-2010, 01:25 PM

I've tried to flush NetFilter's connections with 'conntrack -F' and there's some effect: number of such packets (with a FIN flag) considerably increased

nimnull22 · 04-09-2010, 01:38 PM

Try like this:

iptables -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 22.33.44.55

Ygrex · 04-09-2010, 02:23 PM

how could a subnet exception cause such a problem (= security caveat)? the only reason is an iptables' bug, I think; there's must be something else more probable

nimnull22 · 04-09-2010, 02:43 PM

How would you act as a driver, if three passengers in your car start to ask you to do different things at ones?

You have to give to iptables as simple and effective rules as possible, and please, read about iptables - believe me it works just fine. This is perfect driver, problems with passengers.

Ygrex · 04-09-2010, 03:06 PM

netfilter is a complex system; why do you suspicious a good working rule in a nat table?

nimnull22 · 04-09-2010, 03:15 PM

Because when you said "NAT table" in reality you talk about SNAT, which needs specific conditions for proper functionality. Your condition was confusing and was not single-valued.

Ygrex · 04-09-2010, 03:29 PM

I still do not understand your idea, why a TCP like "192.168.1.4.50226 > 74.125.77.19.443" can pass POSTROUTING in NAT without any altering, but should be captured if I remove a local traffic exclusion?

nimnull22 · 04-09-2010, 03:43 PM

Do you still have that problem?

Ygrex · 04-10-2010, 02:27 PM

Quote:

Originally Posted by nimnull22

Do you still have that problem?

yes, I've described it in the first post; I'll post here a solution when find one

nimnull22 · 04-10-2010, 02:34 PM

Did you try what I suggest?

Ygrex · 04-12-2010, 04:39 AM

Quote:

Originally Posted by nimnull22

Did you try what I suggest?

no

The solution:

Code:

iptables -A FORWARD -s 192.168.0.0/16 \! -d 192.168.0.0/16 -m state --state INVALID -j DROP

I'm not sure, but it seems INVALID connections pass NAT without altering

cola · 04-16-2010, 06:51 AM

Quote:

Originally Posted by Ygrex

no

The solution:

Code:

iptables -A FORWARD -s 192.168.0.0/16 \! -d 192.168.0.0/16 -m state --state INVALID -j DROP

I'm not sure, but it seems INVALID connections pass NAT without altering

Is the problem solved?