From: Enrique Huerta de la Fuente <ehuerta@ixer.mx>
To: Andrew Beverley <andy@andybev.com>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables udp 1195 MASQUERADE
Date: Mon, 6 Feb 2012 23:12:20 -0600 (CST) [thread overview]
Message-ID: <16986089.2736.1328591540466.JavaMail.root@ixer.mx> (raw)
In-Reply-To: <13902251.2734.1328591255561.JavaMail.root@ixer.mx>
>----- Original message -----
>From: "Andrew Beverley" <andy@andybev.com>
>To: ehuerta@ixer.mx
>CC: netfilter@vger.kernel.org
>Sent: Saturday, 4 February 2012 13:58:32
>Subject: Re: iptables udp 1195 MASQUERADE
>
>On Tue, 2012-01-24 at 17:34 -0600, Enrique Huerta de la Fuente wrote:
>> Hello
>>
>> I have OpenVPN (lan to lan)
>>
>> On site 1 (4 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - eth3 (internet link)
>> - ppp0 (internet link)
>> - Default gateway eth1
>>
>> On site 2 (3 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - ppp0 (internet link)
>> - Default gateway ppp0
>>
>> The eth3 interface (site 1) and the eth1 interface (site 2) are the
>> same supplier, the same mask.
>>
>> The VPN works with eth3 (site 1) <---> eth1 (site 2) and it works
>> great. We do not need to go over the gateway because they are the
>> same provider and it does not require the gateway.
>>
>> But if any of the VPN links fails (eth3 or eth1), we need to change the
>> links of VPN to ppp0 (site 1) <-----> ppp0 (site 2).
>>
>> Here's the problem!
>>
>> At site 1, the UDP packets should go out by ppp0 (the default gateway
>> is eth1). To do this:
>>
>> # iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1
>
>Are you sure you've got this rule correct? Have you tried doing a LOG
>target to check that it is matching the packets that you would expect?
>
>>
>> So are the paths:
>>
>> # ip rule ls
>> 0: from all lookup 255
>> 32757: from all fwmark 0x1 lookup infinitum
>> 32758: from 189.143.36.36 lookup infinitum
>> 32759: from 38.124.170.15 lookup bbs
>> 32766: from all lookup main
>>
>> # ip route ls table infinitum
>> default via 189.143.36.36 dev ppp0
>>
>>
>> The problem is that no packets arrive from site 1 to the site 2. The
>> UDP packets arrive to site 1 from site 2
>>
>> I tested with port 22 (ssh) and it works.
>>
>> # iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1
>>
>>
>> Any idea why that no UDP packets arrive to site 2?
>>
>> regards
>>
>> E.Huerta
Hello Andrew, thank you for your attention.
I added a LOG target to check the rule in each of the OUTPUT hooks (raw, mangle, nat and filter) and POSTROUTING hooks (mangle and nat).
kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284
kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396
kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108
kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140
In the OUTPUT and POSTROUTING hooks of the nat table, I cannot do a LOG.
In the last log, the output interface has already changed, but the source address did not change.
Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE" masquerades port 22 (tcp) but not 1195 (udp), because I can connect via ssh.
It seems the problem is that it does not masquerade port 1195 (udp).
Any idea?
regards
E.Huerta
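The per-hook LOG trace in the message above can be read mechanically rather than by eye. The script below is an added example, not code from the thread or from the netfilter project: it parses kernel netfilter LOG lines with a prefix of the form HOOK-DPORT-TABLE (the naming the poster chose), orders each port's records by the base tables' hook priorities, and reports whether the output interface changed and whether the source address was rewritten at the last logged point. The sample input is the eight log lines quoted in the message; the priority table is the kernel's (raw -300, mangle -150, nat -100/100, filter 0). One caveat the check encodes: mangle POSTROUTING runs before nat POSTROUTING, so a LOG placed there always shows the pre-SNAT source, and an unchanged SRC at that point does not by itself show whether MASQUERADE was applied.

```python
import re

# Sample input: the kernel LOG lines quoted in the message above, where the
# poster set the LOG prefix to "<HOOK>-<DPORT>-<TABLE>".
SAMPLE_LOG = """\
kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284
kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396
kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108
kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140
"""

# Hook priorities of the base tables (linux/netfilter_ipv4.h). Lower runs first
# within a hook; OUTPUT runs before POSTROUTING for locally generated packets.
HOOK_ORDER = {"OUTPUT": 0, "POSTROUTING": 1}
PRIORITY = {
    ("OUTPUT", "RAW"): -300,
    ("OUTPUT", "MANGLE"): -150,
    ("OUTPUT", "NAT"): -100,
    ("OUTPUT", "FILTER"): 0,
    ("POSTROUTING", "MANGLE"): -150,
    ("POSTROUTING", "NAT"): 100,
}

LINE_RE = re.compile(
    r"kernel: (?P<hook>OUTPUT|POSTROUTING)-(?P<port>\d+)-(?P<table>[A-Z]+): (?P<fields>.*)$"
)


def parse_log_line(line):
    """Parse one LOG line into a dict; return None for lines with another prefix."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"hook": m.group("hook"), "port": int(m.group("port")),
           "table": m.group("table"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry LEN twice (IP total length, then UDP length);
            # keep the first so LEN is always the IP header value.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)  # DF, ACK, SYN, ...
    return rec


def position(rec):
    """Sort key: where in the packet path this LOG fired."""
    return (HOOK_ORDER[rec["hook"]], PRIORITY[(rec["hook"], rec["table"])])


def traces_by_port(text):
    """Group records by destination port and order each group by hook position."""
    traces = {}
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            traces.setdefault(rec["port"], []).append(rec)
    for recs in traces.values():
        recs.sort(key=position)
    return traces


def summarize(trace):
    """Compare the first and last logged point of one port's packets."""
    first, last = trace[0], trace[-1]
    # SNAT/MASQUERADE is applied in nat POSTROUTING (priority 100). Any LOG
    # that fires earlier necessarily shows the original source address.
    nat_pos = (HOOK_ORDER["POSTROUTING"], PRIORITY[("POSTROUTING", "NAT")])
    return {
        "proto": first["PROTO"],
        "rerouted": first["OUT"] != last["OUT"],
        "last_out": last["OUT"],
        "src_rewritten": first["SRC"] != last["SRC"],
        "last_point": "%s/%s" % (last["hook"], last["table"].lower()),
        "snat_observable": position(last) >= nat_pos,
    }


def report(text):
    return {port: summarize(trace) for port, trace in traces_by_port(text).items()}


if __name__ == "__main__":
    for port, summary in sorted(report(SAMPLE_LOG).items()):
        print(port, summary)
```

Running it on the quoted lines reports, for both port 22 and port 1195, that the packet was rerouted from eth1 to ppp0 by the time mangle POSTROUTING fired, that the source was not rewritten at that point, and that the last observable point lies before nat POSTROUTING, so the trace cannot distinguish a working MASQUERADE from a failed one; to see the post-NAT packet, capture on ppp0 with tcpdump instead of logging before the nat hook.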