* [LARTC] Packet vanishes after mangle-prerouting.
From: Steve Tracey @ 2006-02-17  8:28 UTC (permalink / raw)
  To: lartc


Can anyone tell me whether I have a routing problem, or
an OpenVPN problem, or something else? I've stared at this
for so long I think I must be looking in the wrong place!

I have 3 machines:
Machine A has a single Ethernet card, eth0, 192.168.5.5
Machine B has eth0, 192.168.5.? on the local net,
              eth1, 81.2.x.y to the internet, and
              tun0, 10.8.?.?, an OpenVPN tunnel, to C
Machine C has eth0 to the internet and
              tun0, 10.8.?.?, back to B.
Out on the internet is machine D, a publicly accessible
http server - say 64.233.167.99, port 80.

Machine B is set, as per the howto, to mark packets from
A destined for D and route them out over tun0. Machine
C then masquerades them out to D.

I should mention that the tunnel works fine for access between
A (or B) and C. In particular C can happily ping A over the tunnel.
(And "everything else" is fine. "Normal" traffic has no problem.)

The problem is that A cannot get replies from D.
Using tcpdump and adding 'LOG' rules to iptables on A, B
and C shows the packet going from A to B to C and out to
D. The reply packet returns to C, crosses the tunnel to B
and promptly vanishes. A log rule in the mangle prerouting
list on B shows the packet from the tunnel:

Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= \
   MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 \
   TOS=0x00 PREC=0x00 TTL=48 ID=34487 DF PROTO=TCP \
   SPT=80 DPT=32882 WINDOW=8000 RES=0x00 ACK SYN URGP=0

Similar log rules in mangle-prerouting, and in the forward (and
input) chains never log anything. The packet is never seen again.

Can anyone tell me where to look next? Is this a routing problem
or is something happening because of the tunnel setup? Or
something else???

(Machine B is fairly vanilla Debian stable with 2.4.18 kernel.)

Thanks for your patience!


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Packet vanishes after mangle-prerouting.
From: Paul Zirnik @ 2006-02-17 18:58 UTC (permalink / raw)
  To: lartc

On Friday 17 February 2006 09:28, Steve Tracey wrote:

>  The problem is that A cannot get replies from D.
>  Using tcpdump and adding 'LOG' rules to iptables on A, B
>  and C shows the packet going from A to B to C and out to
>  D. The reply packet returns to C, crosses the tunnel to B
>  and promptly vanishes. A log rule in the mangle prerouting
>  list on B shows the packet from the tunnel:
>  Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= \
>     MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 \
>     TOS=0x00 PREC=0x00 TTL=48 ID=34487 DF PROTO=TCP \
>     SPT=80 DPT=32882 WINDOW=8000 RES=0x00 ACK SYN URGP=0
>
>  Similar log rules in mangle-prerouting, and in the forward (and
>  input) chains never log anything. The packet is never seen again.
>
>  Can anyone tell me where to look next? Is this a routing problem
>  or is something happening because of the tunnel setup? Or
>  something else???

Looks like rp_filter catches this; try setting rp_filter off on host B,
because packets from the internet normally should come through eth1 on
host B and not on tun0.

see: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN634


greets,
     Tami
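The reverse-path check Paul is pointing at, as an added example that is not code from the thread, from OpenVPN or from the kernel: a small Python model of Linux rp_filter run over the exact LOG line Steve posted. Host B's routing table is constructed from the description above; the uplink and tunnel subnets the poster elided (81.2.x.y, 10.8.?.?) are filled with the placeholder prefixes 81.2.0.0/24 and 10.8.0.0/24, and the function and variable names are this example's own.

```python
"""
Model of Linux reverse-path filtering (net.ipv4.conf.<if>.rp_filter) for the
thread's topology. A packet passes strict mode only if the route back to its
source address leaves through the interface the packet arrived on.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix
    dev: str                       # egress interface


# Host B's main routing table (constructed from the thread; 81.2.0.0/24 and
# 10.8.0.0/24 are placeholders for the elided uplink and tunnel subnets).
HOST_B_ROUTES = [
    Route(ipaddress.ip_network("192.168.5.0/24"), "eth0"),  # local LAN, A lives here
    Route(ipaddress.ip_network("81.2.0.0/24"), "eth1"),     # uplink subnet
    Route(ipaddress.ip_network("10.8.0.0/24"), "tun0"),     # OpenVPN tunnel to C
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1"),       # default route via uplink
]

# The netfilter LOG line from the first message, copied verbatim.
LOG_LINE = (
    "Feb 17 07:48:54 B kernel: [mangle prerouting src]: IN=tun0 OUT= "
    "MAC= SRC=64.233.167.99 DST=192.168.5.5 LEN=44 TOS=0x00 PREC=0x00 "
    "TTL=48 ID=34487 DF PROTO=TCP SPT=80 DPT=32882 WINDOW=8000 RES=0x00 "
    "ACK SYN URGP=0"
)


def lookup(routes, addr):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    addr = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.dev if best else None


def rp_filter(routes, src, in_dev, mode):
    """
    Emulate the three rp_filter settings for one incoming packet.
      mode 0: off    - always accept
      mode 1: strict - accept only if the route back to src exits via in_dev
      mode 2: loose  - accept if src is reachable through any interface
    Returns (accepted, reason).
    """
    back = lookup(routes, src)
    if mode == 0:
        return True, "rp_filter off"
    if back is None:
        return False, f"no route back to {src}"
    if mode == 1:
        if back == in_dev:
            return True, f"strict: route back to {src} is via {in_dev}"
        return False, f"strict: route back to {src} is via {back}, packet came in on {in_dev}"
    if mode == 2:
        return True, f"loose: {src} reachable via {back}"
    raise ValueError(f"unknown rp_filter mode {mode}")


def parse_log_line(line):
    """Pull the KEY=VALUE fields out of a netfilter LOG line (flags like ACK/SYN are skipped)."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
    return fields


def check_logged_packet(line, routes, mode):
    """Apply rp_filter to the packet a LOG rule reported, using its IN= and SRC= fields."""
    f = parse_log_line(line)
    return rp_filter(routes, f["SRC"], f["IN"], mode)


if __name__ == "__main__":
    for mode in (1, 0, 2):
        accepted, why = check_logged_packet(LOG_LINE, HOST_B_ROUTES, mode)
        print(f"rp_filter={mode}: {'accept' if accepted else 'DROP'} ({why})")
    # What strict mode is there for: a packet on the uplink claiming a LAN source.
    print(rp_filter(HOST_B_ROUTES, "192.168.5.7", "eth1", 1))
```

In strict mode the reply is dropped because B's route back to 64.233.167.99 is the default route via eth1, not tun0; that matches the symptom exactly, since the LOG rule in mangle PREROUTING fires before the routing decision and the reverse-path check happens inside it, so nothing ever reaches FORWARD. Setting net.ipv4.conf.all.log_martians=1 makes the kernel report these drops as "martian source" lines, which is the quickest way to confirm the diagnosis before changing anything. The last call shows the trade-off: the same check is what rejects a packet arriving on eth1 with a 192.168.5.x source, so turning rp_filter off on every interface of B gives up that anti-spoofing protection, whereas clearing only net.ipv4.conf.tun0.rp_filter keeps it on the uplink. Loose mode (value 2) was only added in 2.6.31 and does not exist on the 2.4.18 kernel in the thread; on kernels that have it, the effective setting is the higher of the `all` and per-interface values, so `all` must also be lowered for a per-interface value to take effect.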

* Re: [LARTC] Packet vanishes after mangle-prerouting.
From: Steve Tracey @ 2006-02-18  7:42 UTC (permalink / raw)
  To: lartc


Got it in one! Thanks. All ok now.
I'll go and read up on all the other conf variables.
Thanks again.

Paul Zirnik <tami@disconnected.de> wrote:
Looks like rp_filter catches this; try setting rp_filter off on host B,
because packets from the internet normally should come through eth1 on
host B and not on tun0.

see: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN634


greets,
     Tami
