LinuxQuestions.org
Old 08-08-2021, 08:31 AM   #1
guy_sarav
LQ Newbie
 
Registered: Dec 2016
Posts: 14

Rep: Reputation: Disabled
internal vlan address


Hi,
I have an external IP address on my machine on the eth0 interface, 172.16.81.155.
I have created a dummy interface eth0:2 and assigned 173.1.1.2.
I run a server application by opening a socket bound to 173.1.1.2.

I set up iptables rules as below:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 49155 -j DNAT --to-destination 173.1.1.2
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 49155 -d 173.1.1.2 -j SNAT --to-source 170.1.1.2
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d 173.1.1.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -s 173.1.1.2 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -s 173.1.1.2 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d 173.1.1.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t raw -I PREROUTING -d 173.1.1.2 -j DROP
Now from another PC, which has the IP address 172.16.81.13, I run a client program to connect to the 172.16.81.155 IP.

The above works fine.

I remove this dummy eth0:2 interface and replace it with a VLAN interface eth0.2 using the commands below:
Code:
ip link add link eth0 name eth0.2 type vlan id 2
ip link
ip -d link show eth0.2
ip link set dev eth0.2 up
sleep 1
ifconfig eth0.2 173.1.1.2 up
and on the peer end I create a VLAN with id 2.

Then if I run the server and client programs, it doesn't work.
tcpdump:
Code:
20:44:54.968921 IP 172.16.81.13.49155 > 172.16.81.155.49155: Flags [S], seq 46399127, win 64240, options [mss 1460,sackOK,TS val 3169100 ecr 0,nop,wscale 7], length 0
20:44:54.969009 IP 172.16.81.155.49155 > 172.16.81.13.49155: Flags [R.], seq 0, ack 46399128, win 0, length 0
20:44:56.026205 IP 172.16.81.13.49155 > 172.16.81.155.49155: Flags [S], seq 46399127, win 64240, options [mss 1460,sackOK,TS val 3170157 ecr 0,nop,wscale 7], length 0
Any inputs will be appreciated.

Last edited by guy_sarav; 08-08-2021 at 08:32 AM.
 
Old 08-08-2021, 03:06 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,341

Rep: Reputation: Disabled
You should explain plainly what you're trying to accomplish, rather than just posting excerpts from your firewall ruleset and expecting us to figure out how it's supposed to work.

I noticed one thing though: your ruleset contains two rules explicitly referencing the interface "eth0". Those rules will be applied to any aliases as well, such as "eth0:2", as aliases are just a (deprecated) way of adding multiple IP addresses to the same interface. They will however NOT be applied to interfaces such as "eth0.2", as a VLAN interface is a Layer 2 interface in its own right.
 
Old 08-08-2021, 09:03 PM   #3
guy_sarav
LQ Newbie
 
Registered: Dec 2016
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
You should explain plainly what you're trying to accomplish, rather than just posting excerpts from your firewall ruleset and expecting us to figure out how it's supposed to work.

I noticed one thing though: your ruleset contains two rules explicitly referencing the interface "eth0". Those rules will be applied to any aliases as well, such as "eth0:2", as aliases are just a (deprecated) way of adding multiple IP addresses to the same interface. They will however NOT be applied to interfaces such as "eth0.2", as a VLAN interface is a Layer 2 interface in its own right.
Thanks for your reply. Sorry, I had not included what the objective is:
1. Have one physical interface eth0 on a target, with 172.16.81.155 as the IP address to communicate with other nodes (for untagged, normal traffic processing).
2. Have to run a socket server on top of a VLAN interface (tagged packets). I had created the eth0.2 interface for this purpose (173.1.1.2).
3. On the peer side, it will have the IP address 172.16.81.13. A client will be running on a VLAN interface and try connecting to 172.16.81.155 as the server IP.

In plain terms: on a single physical interface, and a single IP address, I should be able to have VLAN and normal traffic, but VLAN traffic should land on a different interface/IP address so that I can run my custom server applications.

I hope this makes sense.
 
Old 08-08-2021, 09:25 PM   #4
guy_sarav
LQ Newbie
 
Registered: Dec 2016
Posts: 14

Original Poster
Rep: Reputation: Disabled
tcpdump with -xxxx -vvv, captured from 172.16.81.13:

Code:
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:10:16.532154 IP (tos 0x0, ttl 64, id 4267, offset 0, flags [DF], proto TCP (6), length 60)
    fedora.49155 > 172.16.81.155.49155: Flags [S], cksum 0xfaf7 (incorrect -> 0x7840), seq 2341844327, win 64240, options [mss 1460,sackOK,TS val 8263811 ecr 0,nop,wscale 7], length 0
    0x0000:  0004 95a0 7372 c025 a524 4931 8100 0002
    0x0010:  0800 4500 003c 10ab 4000 4006 2f48 ac10
    0x0020:  510d ac10 519b c003 c003 8b95 b567 0000
    0x0030:  0000 a002 faf0 faf7 0000 0204 05b4 0402
    0x0040:  080a 007e 1883 0000 0000 0103 0307
10:10:16.532325 IP (tos 0x0, ttl 64, id 27765, offset 0, flags [DF], proto TCP (6), length 40)
    172.16.81.155.49155 > fedora.49155: Flags [R.], cksum 0xf401 (correct), seq 0, ack 2341844328, win 0, length 0
    0x0000:  c025 a524 4931 0004 95a0 7372 0800 4500
    0x0010:  0028 6c75 4000 4006 d391 ac10 519b ac10
    0x0020:  510d c003 c003 0000 0000 8b95 b568 5014
    0x0030:  0000 f401 0000 0000 0000 0000
10:10:17.535646 IP (tos 0x0, ttl 64, id 4268, offset 0, flags [DF], proto TCP (6), length 60)
    fedora.49155 > 172.16.81.155.49155: Flags [S], cksum 0xfaf7 (incorrect -> 0x7454), seq 2341844327, win 64240, options [mss 1460,sackOK,TS val 8264815 ecr 0,nop,wscale 7], length 0
    0x0000:  0004 95a0 7372 c025 a524 4931 8100 0002
    0x0010:  0800 4500 003c 10ac 4000 4006 2f47 ac10
    0x0020:  510d ac10 519b c003 c003 8b95 b567 0000
    0x0030:  0000 a002 faf0 faf7 0000 0204 05b4 0402
    0x0040:  080a 007e 1c6f 0000 0000 0103 0307
10:10:17.535821 IP (tos 0x0, ttl 64, id 27843, offset 0, flags [DF], proto TCP (6), length 40)
    172.16.81.155.49155 > fedora.49155: Flags [R.], cksum 0xf401 (correct), seq 0, ack 1, win 0, length 0
    0x0000:  c025 a524 4931 0004 95a0 7372 0800 4500
    0x0010:  0028 6cc3 4000 4006 d343 ac10 519b ac10
    0x0020:  510d c003 c003 0000 0000 8b95 b568 5014
    0x0030:  0000 f401 0000 0000 0000 0000
tcpdump captured from 172.16.81.155:

Code:
bash-4.3# tcpdump -xxxx -vvv port 49155
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:09:49.679023 IP (tos 0x0, ttl 64, id 4267, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.81.13.49155 > 172.16.81.155.49155: Flags [S], cksum 0x7840 (correct), seq 2341844327, win 64240, options [mss 1460,sackOK,TS val 8263811 ecr 0,nop,wscale 7], length 0
    0x0000:  0004 95a0 7372 c025 a524 4931 8100 0002
    0x0010:  0800 4500 003c 10ab 4000 4006 2f48 ac10
    0x0020:  510d ac10 519b c003 c003 8b95 b567 0000
    0x0030:  0000 a002 faf0 7840 0000 0204 05b4 0402
    0x0040:  080a 007e 1883 0000 0000 0103 0307
22:09:49.679106 IP (tos 0x0, ttl 64, id 27765, offset 0, flags [DF], proto TCP (6), length 40)
    172.16.81.155.49155 > 172.16.81.13.49155: Flags [R.], cksum 0xf401 (correct), seq 0, ack 2341844328, win 0, length 0
    0x0000:  c025 a524 4931 0004 95a0 7372 0800 4500
    0x0010:  0028 6c75 4000 4006 d391 ac10 519b ac10
    0x0020:  510d c003 c003 0000 0000 8b95 b568 5014
    0x0030:  0000 f401 0000
22:09:50.682517 IP (tos 0x0, ttl 64, id 4268, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.81.13.49155 > 172.16.81.155.49155: Flags [S], cksum 0x7454 (correct), seq 2341844327, win 64240, options [mss 1460,sackOK,TS val 8264815 ecr 0,nop,wscale 7], length 0
    0x0000:  0004 95a0 7372 c025 a524 4931 8100 0002
    0x0010:  0800 4500 003c 10ac 4000 4006 2f47 ac10
    0x0020:  510d ac10 519b c003 c003 8b95 b567 0000
    0x0030:  0000 a002 faf0 7454 0000 0204 05b4 0402
    0x0040:  080a 007e 1c6f 0000 0000 0103 0307
22:09:50.682591 IP (tos 0x0, ttl 64, id 27843, offset 0, flags [DF], proto TCP (6), length 40)
    172.16.81.155.49155 > 172.16.81.13.49155: Flags [R.], cksum 0xf401 (correct), seq 0, ack 1, win 0, length 0
    0x0000:  c025 a524 4931 0004 95a0 7372 0800 4500
    0x0010:  0028 6cc3 4000 4006 d343 ac10 519b ac10
    0x0020:  510d c003 c003 0000 0000 8b95 b568 5014
    0x0030:  0000 f401 0000

Last edited by guy_sarav; 08-08-2021 at 11:26 PM. Reason: formatting
 
Old 08-08-2021, 10:03 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,328
Blog Entries: 28

Rep: Reputation: 6142
Please surround any terminal output with "code" tags which become available when you click the "Advanced" button beneath the compose/edit post window. It makes terminal output much easier to read.

And please tell us what you are trying to accomplish. Context matters.

Last edited by frankbell; 08-08-2021 at 10:05 PM.
 
Old 08-08-2021, 11:28 PM   #6
guy_sarav
LQ Newbie
 
Registered: Dec 2016
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by frankbell
Please surround any terminal output with "code" tags which become available when you click the "Advanced" button beneath the compose/edit post window. It makes terminal output much easier to read.

And please tell us what you are trying to accomplish. Context matters.
1. Have one physical interface eth0 on a target, with 172.16.81.155 as the IP address to communicate with other nodes (for untagged, normal traffic processing).
2. Have to run a socket server on top of a VLAN interface (tagged packets). I had created the eth0.2 interface for this purpose (173.1.1.2).
3. On the peer side, it will have the IP address 172.16.81.13 (VLAN interface). A client will be running on a VLAN interface and try connecting to 172.16.81.155 as the server IP.

In plain terms: on a single physical interface, and a single IP address (visible outside), I should be able to have VLAN and normal traffic, but VLAN traffic should land on a different IP address so that I can run my custom server applications by binding to that VLAN interface.
 
Old 08-09-2021, 11:09 AM   #7
guy_sarav
LQ Newbie
 
Registered: Dec 2016
Posts: 14

Original Poster
Rep: Reputation: Disabled
From the tcpdump already quoted it is clear that when 172.16.81.13 is trying to open the socket communication it is indeed sending a VLAN-tagged packet. However, when 172.16.81.155 is replying back it is sending an untagged packet with the RST flag set.
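As an added example (not code from the thread or from any poster), the following Python decodes the two frames from the tcpdump -xxxx hex dump in post #4 and reports, for each, whether an 802.1Q tag is present and its VLAN ID, the IP addresses and ports, and the TCP flags; it makes the asymmetry described in #7 checkable from the raw bytes rather than from tcpdump's summary line. The hex bytes are copied from post #4; nothing else is assumed.

```python
import struct

# Hex bytes copied from the two frames tcpdump printed in post #4 (first SYN, first RST).
SYN_HEX = """
0004 95a0 7372 c025 a524 4931 8100 0002
0800 4500 003c 10ab 4000 4006 2f48 ac10
510d ac10 519b c003 c003 8b95 b567 0000
0000 a002 faf0 faf7 0000 0204 05b4 0402
080a 007e 1883 0000 0000 0103 0307
"""
RST_HEX = """
c025 a524 4931 0004 95a0 7372 0800 4500
0028 6c75 4000 4006 d391 ac10 519b ac10
510d c003 c003 0000 0000 8b95 b568 5014
0000 f401 0000 0000 0000 0000
"""

# TCP flag bits in the order tcpdump prints them ("S", "R.", ...).
TCP_FLAGS = [(0x02, "S"), (0x04, "R"), (0x01, "F"), (0x08, "P"), (0x10, ".")]

def decode_frame(dump):
    """Decode one Ethernet/IPv4/TCP frame from tcpdump -xxxx hex text."""
    raw = bytes.fromhex("".join(dump.split()))
    ethertype = struct.unpack("!H", raw[12:14])[0]
    info = {"vlan": None}
    off = 14                                    # start of the IPv4 header if untagged
    if ethertype == 0x8100:                     # 802.1Q tag: 2-byte TCI, then real ethertype
        info["vlan"] = struct.unpack("!H", raw[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", raw[16:18])[0]
        off = 18
    if ethertype != 0x0800:
        raise ValueError("not IPv4: 0x%04x" % ethertype)
    ihl = (raw[off] & 0x0F) * 4
    info["src"] = ".".join(str(b) for b in raw[off + 12:off + 16])
    info["dst"] = ".".join(str(b) for b in raw[off + 16:off + 20])
    tcp = raw[off + ihl:]
    info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
    info["flags"] = "".join(n for bit, n in TCP_FLAGS if tcp[13] & bit)
    return info

def decode_thread_capture():
    """Both frames from post #4: tagged SYN in, untagged RST out."""
    return decode_frame(SYN_HEX), decode_frame(RST_HEX)

if __name__ == "__main__":
    for name, f in zip(("SYN", "RST"), decode_thread_capture()):
        tag = "VLAN %d" % f["vlan"] if f["vlan"] is not None else "untagged"
        print("%s: %s %s:%d -> %s:%d [%s]" % (name, tag, f["src"], f["sport"],
                                               f["dst"], f["dport"], f["flags"]))
```

The decoded SYN carries VLAN ID 2 and is addressed to 172.16.81.155, the eth0 address, while the RST leaves with no tag at all; the same decoder can be pointed at any other frame from a `tcpdump -xxxx` capture to check which side is dropping or adding the tag.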
 