From: "Tim Evans" <tkevans@tkevans.com>
To: Jason Opperisano <opie@817west.com>, netfilter@lists.netfilter.org
Subject: Re: Resend: MASQUERADE: Route sent us somewhere else.
Date: Tue, 5 Apr 2005 12:12:38 -0400
Message-ID: <20050405161238.M71851@tkevans.com>
In-Reply-To: <20050405145028.GA2620@bender.817west.com>
[-- Attachment #1: Type: text/plain, Size: 1146 bytes --]
On Tue, 5 Apr 2005 10:50:28 -0400, Jason Opperisano wrote
> the gist of that error message is this: the output interface for
> this packet according to the routing table is different from the
> interface we are doing a lookup on for the MASQ IP. i cannot fathom
> how you could get this message with a standard inside/outside
> interfaces, single default gateway, firewall machine.
>
> without seeing some rules[1], some routing tables[2], and some addressing
> info[3], i'm pretty sure no one is going to be able to divine what
> the problem is.
>
> the reason you're seeing this after an upgrade is because this bug reared
> its head somewhere around 2.4.23 and later kernels (someone else probably
> has a better memory than me).
>
> -j
>
> [1] iptables -t mangle -vnxL; iptables -t nat -vnxL; iptables -vnxL
> [2] ip ro sh
> [3] ip -4 -o addr sh
Thanks, again.
Please see the attached outputs of each of these commands.
--
Tim Evans, TKEvans.com, Inc. | 5 Chestnut Court
tkevans@tkevans.com | Owings Mills, MD 21117
http://www.tkevans.com/ | 443-394-3864
http://www.come-here.com/News/ |
[-- Attachment #2: mangle.out --]
[-- Type: application/octet-stream, Size: 790 bytes --]
Chain PREROUTING (policy ACCEPT 145883 packets, 30299061 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4992 packets, 854197 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 140831 packets, 29442464 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2218 packets, 256772 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 143002 packets, 29687892 bytes)
pkts bytes target prot opt in out source destination
[-- Attachment #3: nat.out --]
[-- Type: application/octet-stream, Size: 929 bytes --]
Chain PREROUTING (policy ACCEPT 14728 packets, 1311911 bytes)
pkts bytes target prot opt in out source destination
11 524 DNAT tcp -- * * 0.0.0.0/0 69.251.52.64 tcp dpt:22 to:192.168.252.3
Chain POSTROUTING (policy ACCEPT 7 packets, 364 bytes)
pkts bytes target prot opt in out source destination
3 164 SNAT tcp -- * * 0.0.0.0/0 192.168.252.3 tcp dpt:22 to:192.168.252.5
12745 792138 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 726 packets, 53160 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 69.251.52.64 tcp dpt:22 to:192.168.252.3
[-- Attachment #4: all.out --]
[-- Type: application/octet-stream, Size: 5690 bytes --]
Chain INPUT (policy DROP 1164 packets, 339611 bytes)
pkts bytes target prot opt in out source destination
1890 231383 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
2835 324223 ACCEPT all -- eth0 * 192.168.252.0/24 0.0.0.0/0
96 11986 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 0.0.0.0/0 192.168.252.255
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
1008 181579 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
173 8936 tcp_packets tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0
991 330675 udpincoming_packets udp -- eth1 * 0.0.0.0/0 0.0.0.0/0
23 3688 icmp_packets icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 216.158.56.113 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 207.245.84.72 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 199.173.224.20 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 199.173.224.2 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 199.173.225.21 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 147.140.12.128 192.168.252.3 tcp dpt:22
802 229382 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP 8 packets, 360 bytes)
pkts bytes target prot opt in out source destination
123395 27830181 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
76379 6657523 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0
64793 22816129 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 216.158.56.113 192.168.252.3 tcp dpt:22
2 120 ACCEPT tcp -- * * 207.245.84.72 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 147.140.12.128 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 199.173.224.20 192.168.252.3 tcp dpt:22
1 44 ACCEPT tcp -- * * 199.173.224.2 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * * 199.173.225.21 192.168.252.3 tcp dpt:22
0 0 ACCEPT tcp -- * eth1 192.168.252.3 0.0.0.0/0 tcp spt:22
8 360 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT FORWARD packet died: '
Chain OUTPUT (policy DROP 10 packets, 760 bytes)
pkts bytes target prot opt in out source destination
1435 208898 bad_tcp_packets tcp -- * * 0.0.0.0/0 0.0.0.0/0
96 11986 ACCEPT all -- * * 127.0.0.1 0.0.0.0/0
1121 127751 ACCEPT all -- * * 192.168.252.5 0.0.0.0/0
1076 117843 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
10 760 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 3 LOG flags 0 level 7 prefix `IPT OUTPUT packet died: '
Chain allowed (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain bad_tcp_packets (3 references)
pkts bytes target prot opt in out source destination
64 13844 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW LOG flags 0 level 4 prefix `New not syn:'
64 13844 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
Chain icmp_packets (1 references)
pkts bytes target prot opt in out source destination
23 3688 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
Chain tcp_packets (1 references)
pkts bytes target prot opt in out source destination
Chain udpincoming_packets (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- * * 172.30.12.34 0.0.0.0/0 udp spt:67 dpt:68
[-- Attachment #5: route.out --]
[-- Type: application/octet-stream, Size: 250 bytes --]
192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5
69.251.48.0/21 dev eth1 proto kernel scope link src 69.251.52.64
169.254.0.0/16 dev eth1 scope link
default via 69.251.48.1 dev eth1
default via 192.168.252.254 dev eth0
[-- Attachment #6: addressing.out --]
[-- Type: application/octet-stream, Size: 199 bytes --]
1: lo inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0 inet 192.168.252.5/24 brd 192.168.252.255 scope global eth0
3: eth1 inet 69.251.52.64/21 brd 69.251.55.255 scope global eth1
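
The comparison described in the quoted reply (routing-table output interface versus the interface the MASQUERADE rule is bound to) can be run mechanically over the attached outputs. This is an added example, not part of the original message or of netfilter; the function names are this example's own, and it is a heuristic check on listing text, not a reimplementation of the kernel's lookup.

```python
# Sample input copied from the route.out and nat.out attachments above.
ROUTES = """\
192.168.252.0/24 dev eth0 proto kernel scope link src 192.168.252.5
69.251.48.0/21 dev eth1 proto kernel scope link src 69.251.52.64
169.254.0.0/16 dev eth1 scope link
default via 69.251.48.1 dev eth1
default via 192.168.252.254 dev eth0
"""
NAT = """\
Chain POSTROUTING (policy ACCEPT 7 packets, 364 bytes)
pkts bytes target prot opt in out source destination
3 164 SNAT tcp -- * * 0.0.0.0/0 192.168.252.3 tcp dpt:22 to:192.168.252.5
12745 792138 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
"""


def default_routes(ip_route_text):
    """Return [(gateway, dev)] for each default route in `ip ro sh` output."""
    found = []
    for line in ip_route_text.splitlines():
        tok = line.split()
        if tok and tok[0] == "default":
            gw = tok[tok.index("via") + 1] if "via" in tok else None
            dev = tok[tok.index("dev") + 1] if "dev" in tok else None
            found.append((gw, dev))
    return found


def masquerade_out_ifaces(nat_listing):
    """Return the 'out' column of every MASQUERADE rule in `iptables -t nat -vnxL` output."""
    ifaces = set()
    for line in nat_listing.splitlines():
        tok = line.split()
        # Rule columns: pkts bytes target prot opt in out source destination
        if len(tok) >= 9 and tok[0].isdigit() and tok[2] == "MASQUERADE":
            ifaces.add(tok[6])
    return ifaces


def mismatched_defaults(ip_route_text, nat_listing):
    """Default routes that leave through an interface no MASQUERADE rule names."""
    masq = masquerade_out_ifaces(nat_listing)
    if "*" in masq:  # a rule without -o is not tied to one interface
        return []
    return [(gw, dev) for gw, dev in default_routes(ip_route_text) if dev not in masq]


if __name__ == "__main__":
    for gw, dev in mismatched_defaults(ROUTES, NAT):
        print(f"default via {gw} uses {dev}; MASQUERADE is bound to {sorted(masquerade_out_ifaces(NAT))}")
```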