LinuxQuestions.org

Linux - Networking: iptables SNAT misses some packets (https://www.linuxquestions.org/questions/linux-networking-3/iptables-snat-misses-some-packets-801004/)

Ygrex 04-09-2010 06:55 AM

iptables SNAT misses some packets
 
Hi,

I've noticed a few packets behind the NAT which should be NATed, but are not.

In other words, my NAT:
Code:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55

eth0 with 22.33.44.55 - Internet gw
eth1 with 192.168.1.254 - Intranet gw

Then:
Code:

tcpdump -i eth0 -ne 'net 192.168.1.0/24'
And it sometimes outputs something. It all works generally, but for some reason distinct packets pass SNAT without their src being altered. These packets definitely reach the next gateway; I see them on the other side as well.

Thanks in advance,

Igor

nimnull22 04-09-2010 10:01 AM

-s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55

Can you describe it in words, please? Especially the "\!" part.

Thanks

Ygrex 04-09-2010 01:07 PM

Quote:

Originally Posted by nimnull22 (Post 3929999)
-s 192.168.1.0/24 \! -d 192.168.0.0/16 -j SNAT --to-source 22.33.44.55

Can you describe it in words, please? Especially the "\!" part.

It must do (and definitely does) NAT for any host from 192.168.1.0/24 to 22.33.44.55; meantime I do not want to NAT local traffic; there are no other rules in the NAT table.

Then, sometimes I see on eth0 something like:
Quote:

IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0
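
The check the poster does by eye here with tcpdump, written as a script so it can be run over a saved capture: this is an added example, not code from the thread. It assumes the thread's layout (LAN 192.168.1.0/24, the whole of 192.168.0.0/16 exempt from SNAT, 22.33.44.55 on eth0) and uses constructed tcpdump-style lines in the shape shown above. It applies the same source/destination predicate as the SNAT rule to each packet seen on the WAN side, so anything it reports is a packet the rule should have rewritten but did not, and tallies the TCP flags, since teardown-only packets (FIN or RST without SYN) are the ones that arrive after the tracked connection is gone.

```python
"""Spot un-NATed private-source packets in a tcpdump capture of the WAN interface."""
import ipaddress
import re
from collections import Counter

# Assumptions taken from the thread: 192.168.0.0/16 is "local" and exempt from
# SNAT, and eth0 carries the SNAT source 22.33.44.55.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
NAT_SOURCE = ipaddress.ip_address("22.33.44.55")

# Constructed sample in the shape of the thread's tcpdump output (old tcpdump
# flag syntax: S = SYN, F = FIN, R = RST, "." = nothing besides ACK). The last
# line has an internal destination and is exempt from SNAT by design.
SAMPLE_CAPTURE = """\
IP 192.168.1.4.50226 > 74.125.77.19.443: F 253979169:253979169(0) ack 3081852170 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: F 0:0(0) ack 1 win 16445
IP 192.168.1.4.50226 > 74.125.77.19.443: R 1:1(0) ack 1 win 0
IP 22.33.44.55.40001 > 74.125.77.19.443: S 0:0(0) win 5840
IP 22.33.44.55.40001 > 74.125.77.19.443: . ack 1 win 92
IP 192.168.1.4.40002 > 192.168.2.7.22: S 0:0(0) win 5840
"""

# "IP <src>.<sport> > <dst>.<dport>: <flags> ..." ; the greedy \S+ backtracks
# to the last dotted field, so the port is split off the address correctly.
LINE_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), flags


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def should_have_been_natted(src, dst):
    """Same predicate as the SNAT rule: internal source, non-internal destination."""
    return is_internal(src) and not is_internal(dst)


def find_leaks(capture_text):
    """Packets on the WAN side that the SNAT rule should have rewritten but did not."""
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, _sport, dst, _dport, _flags = pkt
        if should_have_been_natted(src, dst):
            leaks.append(pkt)
    return leaks


def summarize(leaks):
    """Count leaked packets per TCP flag set and per flow."""
    by_flags = Counter(p[4] for p in leaks)
    by_flow = Counter((str(p[0]), p[1], str(p[2]), p[3]) for p in leaks)
    # Heuristic, not conntrack state: FIN/RST without SYN are teardown packets,
    # the kind that show up after the tracked connection has expired.
    teardown_only = sum(n for f, n in by_flags.items()
                        if "S" not in f and ("F" in f or "R" in f))
    return {
        "total": len(leaks),
        "by_flags": dict(by_flags),
        "by_flow": dict(by_flow),
        "teardown_only": teardown_only,
    }


if __name__ == "__main__":
    report = summarize(find_leaks(SAMPLE_CAPTURE))
    print(f"{report['total']} un-NATed packet(s), {report['teardown_only']} of them FIN/RST-only")
    for flow, n in report["by_flow"].items():
        print(f"  {flow[0]}:{flow[1]} > {flow[2]}:{flow[3]}  x{n}")
    print("  flags:", report["by_flags"])
```

Feed it `tcpdump -i eth0 -nn 'net 192.168.1.0/24'` output (the `-e` link-layer prefix the poster used would need stripping first); a high share of FIN/RST-only packets in the report points at late teardown traffic rather than at the SNAT rule itself.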

Ygrex 04-09-2010 01:25 PM

I've tried to flush NetFilter's connections with 'conntrack -F' and there's some effect: the number of such packets (with a FIN flag) increased considerably.

nimnull22 04-09-2010 01:38 PM

Try like this:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 22.33.44.55

Ygrex 04-09-2010 02:23 PM

How could a subnet exception cause such a problem (= security caveat)? The only reason is an iptables bug, I think; there must be something else more probable.

nimnull22 04-09-2010 02:43 PM

How would you act as a driver if three passengers in your car started asking you to do different things at once?

You have to give iptables rules that are as simple and effective as possible, and please, read about iptables; believe me, it works just fine. This is a perfect driver; the problems are with the passengers.

Ygrex 04-09-2010 03:06 PM

Netfilter is a complex system; why are you suspicious of a working rule in the nat table?

nimnull22 04-09-2010 03:15 PM

Because when you say "NAT table", in reality you are talking about SNAT, which needs specific conditions to function properly. Your condition was confusing and not single-valued.

Ygrex 04-09-2010 03:29 PM

I still do not understand your idea: why can a TCP packet like "192.168.1.4.50226 > 74.125.77.19.443" pass POSTROUTING in the nat table without any altering, but would be captured if I removed the local traffic exclusion?

nimnull22 04-09-2010 03:43 PM

Do you still have that problem?

Ygrex 04-10-2010 02:27 PM

Quote:

Originally Posted by nimnull22 (Post 3930314)
Do you still have that problem?

Yes, I've described it in the first post; I'll post a solution here when I find one.

nimnull22 04-10-2010 02:34 PM

Did you try what I suggested?

Ygrex 04-12-2010 04:39 AM

Quote:

Originally Posted by nimnull22 (Post 3931159)
Did you try what I suggested?

no

The solution:
Code:

iptables -A FORWARD -s 192.168.0.0/16 \! -d 192.168.0.0/16 -m state --state INVALID -j DROP

I'm not sure, but it seems INVALID connections pass NAT without being altered.

cola 04-16-2010 06:51 AM

Quote:

Originally Posted by Ygrex (Post 3932643)
no

The solution:
Code:

iptables -A FORWARD -s 192.168.0.0/16 \! -d 192.168.0.0/16 -m state --state INVALID -j DROP

I'm not sure, but it seems INVALID connections pass NAT without being altered.

Is the problem solved?

SuperJediWombat! 04-16-2010 11:48 AM

Where does tcpdump capture the packet in the stream? Relative to the netfilter table traversal that is.

Ygrex 04-17-2010 05:57 AM

Quote:

Originally Posted by cola (Post 3937485)
Is the problem solved?

Yes, in practice.
Though I do not understand the matter, so I've redirected the question to the NetFilter mailing list. No answer yet.

Ygrex 04-17-2010 06:04 AM

Quote:

Originally Posted by SuperJediWombat! (Post 3937796)
Where does tcpdump capture the packet in the stream? Relative to the netfilter table traversal that is.

tcpdump seems to sit between NetFilter and the physical interface.
