From: Alexander Samad <alex@samad.com.au>
To: netfilter@lists.netfilter.org
Subject: Re: kernel 2.6 ipsec and DNAT
Date: Sat, 4 Sep 2004 08:31:15 +1000
Message-ID: <20040903223115.GP3169@samad.com.au>
In-Reply-To: <ED78BD9E-FDCA-11D8-8A26-000A95BDFB08@equation.fr>


Hi

This is a known problem with netfilter and 2.6 and ipsec with the native
stack, there are fixes in pom-ng (Patch-o-matic), but this means building
your own kernel as it patches the kernel and the netfilter modules.  Not
too bad though, been doing this for a while and haven't had any major
problems


Alex

On Fri, Sep 03, 2004 at 07:01:41PM +0200, Alain RICHARD wrote:
> Hi,
> 
> we have been using iptables and ipsec for several years now (starting with 
> freeswan 1.0) without too many problems. We have now upgraded to the 
> 2.6 kernel (under Fedora 2) and Openswan 2.x.
> 
> Our setup works perfectly, with several dozen tunnels up and 
> running. We have avoided the lack of an ipsec0 interface by marking 
> packets (in fact this is a great solution that enables us to separate 
> completely the firewall settings from the vpn tunnels).
> 
> The problem I am encountering now is that it seems that DNAT is not 
> working when the d-natted session is from a tunneled site. My setup is:
> 
> 
> 192.168.1.0/24 local intranet
> 192.168.2.0/24 distant intranet
> 
> the ipsec tunnel is setup from distant to local in order to get all the 
> traffic passing into the local firewall (192.168.2.0/24 -> 0.0.0.0/0).
> 
> This works perfectly and all the traffic either intranet or internet 
> pass thru the local firewall.
> 
> The problem now is that I want now to redirect the web traffic to squid 
> using a classical transparent proxying :
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -m mark --mark 
> 0x50010000/0xFFFF0000 -j DNAT --to 192.168.1.99:3128
> 
> for an unknown reason, this is not working. On the 192.168.1.99 host, I 
> see the connection arriving but not correctly coming up:
> 
> tethereal host 192.168.2.18
>   0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0 
> Ack=0 Win=64512 Len=0 MSS=1260
>   0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK] 
> Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
>   0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0 
> Ack=0 Win=0 Len=0
> 
> the last line RST seems not to be issued by the 192.168.2.18 host, but 
> probably by the firewall/VPN gateway. I have also tried to set 
> /proc/sys/net/ipv4/conf/*/rp_filter to 0, but the problem is the same.
> 
> the same setup was working correctly under a kernel 2.4, so I think the 
> problem is about natting the vpn connection.
> 
> Is there any problem like this under the current 2.6.8 kernel ? Do you 
> have any idea to try to bypass the problem ?
> 
> -------------------------------------------------------
> Alain RICHARD <mailto:alain.richard@equation.fr>
> EQUATION SA <http://www.equation.fr/>
> Tel : +33 477 79 48 00	 Fax : +33 477 79 48 01
> Client/server applications, network engineering and Linux
> 
> 

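The tethereal capture quoted above is the kind of evidence a defender wants to check mechanically. As an added example (not from either poster), the following parser reads tethereal summary lines and flags a RST that comes from a source port which never sent a SYN and carries Seq=0 / Win=0, which is the signature Alain points at: a reset produced by a middlebox on the path rather than by the host owning the connection. The heuristic itself is an assumption introduced here; the three packets are the ones quoted in the thread, re-joined onto single lines.

```python
import re

# Constructed sample input: the three tethereal lines quoted in the thread,
# with the mail client's line wrapping undone.
CAPTURE = """\
  0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1260
  0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
  0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0 Ack=0 Win=0 Len=0
"""

# One tethereal TCP summary line: time, src -> dst, sport > dport, [flags], key=value fields.
LINE_RE = re.compile(
    r"^\s*(?P<t>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]\s+(?P<rest>.*)$"
)


def parse_lines(text):
    """Parse tethereal summary lines into dicts; non-TCP lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["flags"] = {f.strip() for f in d["flags"].split(",")}
        d["fields"] = dict(kv.split("=", 1) for kv in d["rest"].split() if "=" in kv)
        pkts.append(d)
    return pkts


def suspicious_resets(pkts):
    """Return RST packets whose (src, sport) never opened a connection with a
    SYN in this capture and that carry Win=0: a reset the end host did not
    originate, so most likely generated by a gateway in between."""
    openers = {(p["src"], p["sport"]) for p in pkts
               if "SYN" in p["flags"] and "ACK" not in p["flags"]}
    return [p for p in pkts
            if "RST" in p["flags"]
            and (p["src"], p["sport"]) not in openers
            and p["fields"].get("Win") == "0"]


if __name__ == "__main__":
    for p in suspicious_resets(parse_lines(CAPTURE)):
        print(f"{p['t']} RST from {p['src']}:{p['sport']} not tied to any SYN in capture")
```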
