From: "Erik S. Johansen"
Date: Sun, 09 Apr 2006 18:42:42 +0000
Subject: [LARTC] Conntrack, nat and multipath - what is wrong here?
Message-Id: <200604092142.47556.lists@sperling.no>
To: lartc@vger.kernel.org

I have a gentoo 2.6.14 box with 4 nics, LAN/DMZ/PUB1/PUB2

LAN and DMZ have a 1918 /22 each, PUB1 and PUB2 have a /29 each of which 5 ips are assigned.

Using the mangle table, I give all packets a mark (according to local policies) in the range 1-10. Using ip rule, I pass marks 1-5 through the pub1 route table, and marks 6-10 through the pub2 routing table. Using the nat table, I SNAT to one of the 10 IPs assigned from the two /29's.

1) Now, if I remove the default route (via PUB1 gw) from the main table, everything halts. Why?

2) If I pass a forwarded tcp syn packet out on the PUB2 interface, with the correct SNAT ip, I can see the syn+ack returning from the external server. Logging then indicates that this packet gets passed through mangle/PREROUTING, after which it appears to simply be lost. It's definitely not going out on any of the 4 NICs. This contrasts with packets being passed out on PUB1, where everything works fine, conntrack recognizes the syn+ack and the reply gets correctly forwarded to the LAN box I'm using to test. It *seems* like conntrack simply is not able to match the incoming syn+ack with the outgoing syn. BUT, if I try to connect to the dsl router on PUB2, everything's fine.
I suspect I got something very wrong with my routing rules/tables, but I can't figure out what.

Addresses shown are sanitized, 1.1.1.136/29 is PUB1, 2.2.2.116/29 is PUB2, 3.3.3.* is the external server I've been testing against.

eth0: LAN
eth1: DMZ
eth2: PUB2
eth3: PUB1

eos ~ # ip rule show
0:      from all lookup local
30000:  from all fwmark 0x1 lookup pub1
30000:  from all fwmark 0x2 lookup pub1
30000:  from all fwmark 0x3 lookup pub1
30000:  from all fwmark 0x4 lookup pub1
30000:  from all fwmark 0x5 lookup pub1
30000:  from all fwmark 0x6 lookup pub2
30000:  from all fwmark 0x7 lookup pub2
30000:  from all fwmark 0x8 lookup pub2
30000:  from all fwmark 0x9 lookup pub2
30000:  from all fwmark 0xa lookup pub2
31000:  from 1.1.1.139 lookup pub1
31000:  from 1.1.1.140 lookup pub1
31000:  from 1.1.1.141 lookup pub1
31000:  from 1.1.1.142 lookup pub1
31000:  from 1.1.1.137 lookup pub1
31000:  from 2.2.2.218 lookup pub2
31000:  from 2.2.2.219 lookup pub2
31000:  from 2.2.2.220 lookup pub2
31000:  from 2.2.2.221 lookup pub2
31000:  from 2.2.2.222 lookup pub2
33000:  from all lookup main

eos ~ # ip route show table pub1
1.1.1.136/29 dev eth3  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 1.1.1.138 dev eth3

eos ~ # ip route show table pub2
1.1.1.136/29 dev eth3  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 2.2.2.217 dev eth2

eos ~ # ip route show table main
1.1.1.136/29 dev eth3  proto kernel  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  proto kernel  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  proto kernel  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 1.1.1.138 dev eth3

eos ~ # iptables -t filter -nvL
Chain INPUT (policy ACCEPT 5314 packets, 2615K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `filter/INPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `filter/INPUT:'

Chain FORWARD (policy ACCEPT 184K packets, 162M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `filter/FORWARD:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `filter/FORWARD:'

Chain OUTPUT (policy ACCEPT 2261 packets, 277K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `filter/OUTPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `filter/OUTPUT:'

eos ~ # iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 188K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/PREROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/PREROUTING:'
    2   468 MARK14     all  --  *      *       0.0.0.0/0            192.168.4.0/22      state NEW
 2903 2444K MARK13     all  --  *      *       0.0.0.0/0            192.168.0.0/22      state NEW
   60  6098 MARK12     all  --  *      *       0.0.0.0/0            1.1.1.136/29        state NEW
 1692  136K MARK11     all  --  *      *       0.0.0.0/0            2.2.2.216/29        state NEW
    0     0 MARK6      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 state NEW
  109  5232 MARK6      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:119 state NEW
   54  2592 MARK6      tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:119 state NEW
    0     0 MARK2      all  --  *      *       192.168.1.20         213.239.111.0/29    state NEW
 3223  243K MARK10     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW
 1054 66052 MARK1      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state NEW

Chain INPUT (policy ACCEPT 5409 packets, 2648K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/INPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/INPUT:'

Chain FORWARD (policy ACCEPT 188K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/FORWARD:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/FORWARD:'

Chain OUTPUT (policy ACCEPT 2302 packets, 283K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/OUTPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/OUTPUT:'

Chain POSTROUTING (policy ACCEPT 190K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/POSTROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/POSTROUTING:'

Chain MARK1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK1:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK1:'
 1054 66052 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x1
 1054 66052 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK10 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK10:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK10:'
 3223  243K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0xa
 3223  243K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK11 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK11:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK11:'
 1692  136K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0xb
 1692  136K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK12 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK12:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK12:'
   60  6098 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0xc
   60  6098 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK13 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK13:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK13:'
 2903 2444K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0xd
 2903 2444K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK14 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK14:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK14:'
    2   468 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0xe
    2   468 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK2:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK2:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x2
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK3 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK3:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK3:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x3
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK4 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK4:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK4:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x4
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK5 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK5:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK5:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x5
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK6 (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK6:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK6:'
  163  7824 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x6
  163  7824 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK7 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK7:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK7:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x7
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK8 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK8:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK8:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK9 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK9:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK9:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x9
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

eos ~ # iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 5623 packets, 453K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/PREROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/PREROUTING:'

Chain POSTROUTING (policy ACCEPT 10 packets, 607 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/POSTROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/POSTROUTING:'
 1053 66000 SNAT_1     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x1
    0     0 SNAT_2     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x2
    0     0 SNAT_3     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x3
    0     0 SNAT_4     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x4
    0     0 SNAT_5     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x5
  168  8064 SNAT_6     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x6
    0     0 SNAT_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x7
    0     0 SNAT_8     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x8
    0     0 SNAT_9     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x9
 2606  211K SNAT_10    all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xa
    0     0 SNAT_11    all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xb
    0     0 SNAT_12    all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xc

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/OUTPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/OUTPUT:'

Chain SNAT_1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_1:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_1:'
 1053 66000 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:1.1.1.139
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_10 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_10:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_10:'
 2606  211K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:2.2.2.222
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_11 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_11:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_11:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:2.2.2.218
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_12 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_12:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_12:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:1.1.1.139
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_13 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_13:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_13:'
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_14 (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_14:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_14:'
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_2:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_2:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:1.1.1.140
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_3 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_3:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_3:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:1.1.1.141
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_4:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_4:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:1.1.1.142
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_5 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_5:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_5:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:1.1.1.137
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_6 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_6:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_6:'
  168  8064 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:2.2.2.218
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_7 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_7:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_7:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:2.2.2.219
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_8 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_8:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_8:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:2.2.2.220
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_9 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_9:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_9:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:2.2.2.221
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Logging/tcpdump from an attempt to connect to port 25 on a remote server:

Apr  9 21:55:47 eos mangle/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos mangle/MARK6:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos nat/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos mangle/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos filter/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos mangle/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos nat/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos nat/SNAT_6:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:48 eos mangle/PREROUTING:IN=eth2 OUT= MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=3.3.3.228 DST=2.2.2.218 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25 DPT=53218 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Apr  9 21:55:52 eos mangle/PREROUTING:IN=eth2 OUT= MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=3.3.3.228 DST=2.2.2.218 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25 DPT=53218 WINDOW=5792 RES=0x00 ACK SYN URGP=0

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
21:55:47.998524 IP (tos 0x10, ttl 63, id 41341, offset 0, flags [DF], proto: TCP (6), length: 60) 2.2.2.218.53218 > 3.3.3.228.25: S, cksum 0x6efb (correct), 2404082705:2404082705(0) win 5840
21:55:48.179397 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0x0b36 (correct), 58918797:58918797(0) ack 2404082706 win 5792
21:55:52.175813 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xfb9a (correct), 58918797:58918797(0) ack 2404082706 win 5792
21:55:58.175073 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xe42a (correct), 58918797:58918797(0) ack 2404082706 win 5792
21:55:58.775150 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53217: S, cksum 0xc92d (correct), 4258850729:4258850729(0) ack 2314333557 win 5792
21:56:10.177052 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xb54a (correct), 58918797:58918797(0) ack 2404082706 win 5792

Logging/tcpdump from an attempt to connect to port 25 on the PUB2 dsl router, this works:

Apr  9 21:56:52 eos mangle/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/MARK11:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos nat/PREROUTING:IN=eth0 OUT= MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos filter/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos nat/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos nat/SNAT_11:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/PREROUTING:IN=eth2 OUT= MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=2.2.2.217 DST=2.2.2.218 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr  9 21:56:52 eos mangle/FORWARD:IN=eth2 OUT=eth0 SRC=2.2.2.217 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr  9 21:56:52 eos filter/FORWARD:IN=eth2 OUT=eth0 SRC=2.2.2.217 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr  9 21:56:52 eos mangle/POSTROUTING:IN= OUT=eth0 SRC=2.2.2.217 DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
21:56:52.306357 IP (tos 0x10, ttl 63, id 34524, offset 0, flags [DF], proto: TCP (6), length: 60) 2.2.2.218.55398 > 2.2.2.217.25: S, cksum 0xaa49 (correct), 2474919495:2474919495(0) win 5840
21:56:52.306836 IP (tos 0x0, ttl 64, id 46172, offset 0, flags [none], proto: TCP (6), length: 40) 2.2.2.217.25 > 2.2.2.218.55398: R, cksum 0x7679 (correct), 0:0(0) ack 2474919496 win 0
21:57:22.589506 IP (tos 0x0, ttl 51, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0x9a78 (correct), 58918797:58918797(0) ack 2404082706 win 5792

--
E.S. Johansen

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
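Editor's note with an added example (this is not the poster's code and not a reply from the list). The trace shows the SYN+ACK in mangle/PREROUTING on eth2 and then nowhere, which places the drop in the routing decision between PREROUTING and FORWARD; on a multi-homed Linux router that is where the strict reverse-path filter (net.ipv4.conf.*.rp_filter) rejects packets whose source is not reachable back out of the arriving interface. The detail that makes the `from 2.2.2.218 lookup pub2` rules irrelevant for replies is that conntrack undoes the SNAT before that decision (the nat table itself is only consulted for the first packet of a flow, which is why no nat/PREROUTING line appears for the SYN+ACK): the reverse-path lookup sees DST=192.168.1.20, matches no `from` rule, falls through to `main`, finds 3.3.3.228 via eth3, and the packet arrived on eth2. The direct-to-DSL-router case passes because 2.2.2.217 sits on the connected 2.2.2.216/29 route of every table, and removing the `main` default leaves that lookup with no route at all. The Python below is a constructed model of those two lookups over the rule list and route tables from the post; the rule walk and the strict check follow the kernel's ordering but are a simplification, not kernel code, and the attribution to rp_filter is my reading of the trace rather than something the post states.

```python
"""Model of the policy-routing and strict reverse-path (rp_filter) decisions
for the ip rules and route tables shown in the post. Constructed example;
it mirrors the kernel's lookup order but is not kernel code."""
import ipaddress

# Route tables transcribed from the post, reduced to (prefix, outgoing device).
CONNECTED = [("1.1.1.136/29", "eth3"), ("2.2.2.216/29", "eth2"),
             ("192.168.4.0/22", "eth1"), ("192.168.0.0/22", "eth0")]
TABLES = {
    "main": CONNECTED + [("0.0.0.0/0", "eth3")],   # default via 1.1.1.138 (PUB1)
    "pub1": CONNECTED + [("0.0.0.0/0", "eth3")],   # default via 1.1.1.138
    "pub2": CONNECTED + [("0.0.0.0/0", "eth2")],   # default via 2.2.2.217
}

# ip rule list from the post, in priority order: (selector, value, table).
PUB1_SRC = ["1.1.1.139", "1.1.1.140", "1.1.1.141", "1.1.1.142", "1.1.1.137"]
PUB2_SRC = ["2.2.2.218", "2.2.2.219", "2.2.2.220", "2.2.2.221", "2.2.2.222"]
RULES = ([("fwmark", m, "pub1") for m in range(1, 6)]       # prio 30000
         + [("fwmark", m, "pub2") for m in range(6, 11)]
         + [("from", s, "pub1") for s in PUB1_SRC]           # prio 31000
         + [("from", s, "pub2") for s in PUB2_SRC]
         + [("all", None, "main")])                           # prio 33000


def lookup_table(tables, table, dst):
    """Longest-prefix match in one table; returns the device or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in tables[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(src, dst, fwmark=0, tables=TABLES):
    """Walk the rules in priority order. A rule whose table has no matching
    route is skipped and the walk continues, as the kernel does."""
    for selector, value, table in RULES:
        if selector == "fwmark" and value != fwmark:
            continue
        if selector == "from" and value != src:
            continue
        dev = lookup_table(tables, table, dst)
        if dev is not None:
            return dev, table
    return None, None


def strict_rp_filter_ok(pkt_src, pkt_dst, in_dev, tables=TABLES):
    """Strict reverse-path check on an incoming packet: look up the packet's
    source as a destination, with the packet's destination as the 'from'
    selector and no fwmark (the post's MARK rules only fire on state NEW,
    so replies carry mark 0). Pass only if the route leads back out of the
    interface the packet came in on."""
    dev, _ = route(src=pkt_dst, dst=pkt_src, fwmark=0, tables=tables)
    return dev == in_dev


def trace_connection(lan_host, server, fwmark, tables=TABLES):
    """Outbound SYN from the LAN, then the server's SYN+ACK coming back on
    the same interface. Conntrack reverses the SNAT in PREROUTING, before
    the routing decision, so rp_filter sees dst=lan_host, not the SNAT
    address, and the 'from <SNAT address>' rules never apply to replies."""
    out_dev, out_table = route(lan_host, server, fwmark, tables)
    reply_ok = strict_rp_filter_ok(server, lan_host, out_dev, tables)
    return {"syn_out": out_dev, "syn_table": out_table, "reply_accepted": reply_ok}


def without_default(tables, table):
    """Copy of the tables with one table's default route removed
    (the post's first experiment: dropping the default from 'main')."""
    out = {name: list(routes) for name, routes in tables.items()}
    out[table] = [r for r in out[table] if r[0] != "0.0.0.0/0"]
    return out


if __name__ == "__main__":
    # Addresses are the sanitized ones from the post.
    print("mark 6 to 3.3.3.228      :", trace_connection("192.168.1.20", "3.3.3.228", 6))
    print("mark 1 to 3.3.3.228      :", trace_connection("192.168.1.20", "3.3.3.228", 1))
    print("mark 11 to DSL router    :", trace_connection("192.168.1.20", "2.2.2.217", 11))
    print("mark 1, no main default  :",
          trace_connection("192.168.1.20", "3.3.3.228", 1, without_default(TABLES, "main")))
```

Running it prints the four situations from the post: mark 6 out via PUB2 (reply rejected), mark 1 out via PUB1 (accepted), the DSL router on PUB2 (accepted), and PUB1 with the `main` default removed (rejected, which is question 1). The check that would have passed is `strict_rp_filter_ok("3.3.3.228", "2.2.2.218", "eth2")`, i.e. the lookup the poster expected the `from` rules to provide; it never happens because de-NAT runs first. From a defensive standpoint rp_filter is an anti-spoofing control, so switching it off on every interface is the wrong fix for a router: keep it on eth0 and eth1, where the topology is symmetric, and on the two public interfaces either use loose mode (rp_filter=2), which newer kernels provide, or turn it off there only and replace it with explicit filter-table rules that drop packets arriving on eth2/eth3 with RFC 1918 or own-prefix source addresses.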