* NAT translation problem - leakage of packets with original source address
From: Marcin Kabiesz @ 2022-03-10 11:40 UTC
To: netfilter
Hello,
Is it possible that with the OpenVPN interface tun0, every now and then
some packets with a private source address are visible and forwarded to
the router? Because either it is intentional and I do not know, or I
found an error in the NAT translation that skips some packets and I see
them on the router where the packet should not be, i.e. the router is a
public addressing router, so in order for the packet to get there, the
machine that sent it must exit at a public address, which a few packets
don't do ....
I also reported the problem to kernel.org, but I don't know if netfilter
is the right place.
1. server source with openvpn server
Mar 10 11:30:09 server kernel: [26083675.795216] Forward-Out: IN=tun0 OUT=eno1 MAC= SRC=192.168.5.10 DST=216.58.209.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=64660 DF PROTO=TCP SPT=42296 DPT=443 SEQ=443014968 ACK=3344394422 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT (0101080AD162AFE7A0460968)
2. server/router with only public addresses - default gateway
11:30:09.745326 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q (0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.5.10.42296 > 216.58.209.10.443: Flags [R], cksum 0xa055 (correct), seq 443014968, win 0, length 0
3. NAT rule
Chain POSTROUTING (policy ACCEPT 65M packets, 5184M bytes)
 pkts bytes target prot opt in out  source          destination
1905K 345M  SNAT   all  --  *  eno1 192.168.5.0/24  0.0.0.0/0    to:1.2.3.4 (my public IP)
4. why ?? passed or not ??
Regards
--
Marcin Kabiesz
IT Network Administrator
* Re: NAT translation problem - leakage of packets with original source address
From: Florian Westphal @ 2022-03-10 12:08 UTC
To: Marcin Kabiesz; +Cc: netfilter
Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
> is it possible that with the OpenVPN interface tun0 every now and then some
> packets with a private source address are visible and forwarded to the
> router?
Yes, NAT is only applied to packets that conntrack considers sane/valid.
You can e.g. add a drop rule for INVALID packets.
* Re: NAT translation problem - leakage of packets with original source address
From: Marcin Kabiesz @ 2022-03-10 12:33 UTC
To: Florian Westphal; +Cc: netfilter
On 2022-03-10 13:08, Florian Westphal wrote:
> Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
>> is it possible that with the OpenVPN interface tun0 every now and then
>> some
>> packets with a private source address are visible and forwarded to the
>> router?
>
> Yes, NAT is only applied to packets that conntrack considers
> sane/valid.
>
> You can e.g. add a drop rule for INVALID packets.
Welcome,
Thank you for your answer.
My question is: where do I create a rule for invalid packets? In NAT
POSTROUTING, or MANGLE POSTROUTING, or another place leaving the server? I
am waiting for your opinion.
--
Marcin Kabiesz
IT Network Administrator
* Re: NAT translation problem - leakage of packets with original source address
From: Florian Westphal @ 2022-03-10 14:53 UTC
To: Marcin Kabiesz; +Cc: Florian Westphal, netfilter
Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
> My question is where do I create a rule for invalid packets? in NAT
> POSTROUTING? or MANGLE POSTROUTING or other place leaving the server? I am
> waiting for your opinion.
INVALID packets do not traverse NAT table, so NAT POSTROUTING won't
work.
I would suggest mangle postrouting or filter forward, depending on
whether you want to include locally generated packets or not.
* Re: NAT translation problem - leakage of packets with original source address
From: Marcin Kabiesz @ 2022-03-11 9:11 UTC
To: Florian Westphal; +Cc: netfilter
On 2022-03-10 15:53, Florian Westphal wrote:
> Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
>> My question is where do I create a rule for invalid packets? in NAT
>> POSTROUTING? or MANGLE POSTROUTING or other place leaving the server?
>> I am
>> waiting for your opinion.
>
> INVALID packets do not traverse NAT table, so NAT POSTROUTING won't
> work.
>
> I would suggest mangle postrouting or filter forward, depending on
> whether you want to include locally generated packets or not.
Welcome,
I did as you wrote and even added the option to filter local networks
before entering NAT, and I still get traffic from the network for this
machine.
There is a 192.168.10.x/24 network on this router and I can see its
packets as if NAT is running, even though it is clearly told to replace
the source IP in the header. The POSTROUTING rule for INVALID does not
work because nothing gets caught in it.
This router NAT (not BGP - BGP is default Gateway)
Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target prot opt in out    source           destination
84216 8212K ACCEPT all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0
 552K   46M ACCEPT all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0
    0     0 DROP   all  --  *  eth0.2 192.168.0.0/16   0.0.0.0/0
    0     0 DROP   tcp  --  *  eth0.2 0.0.0.0/0        0.0.0.0/0    state INVALID
and
Chain POSTROUTING (policy ACCEPT 30780 packets, 2009K bytes)
 pkts bytes target prot opt in out    source           destination
 117K   17M SNAT   all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0    to:1.2.3.4
 558K   77M SNAT   all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0    to:1.2.3.4
 1629  256K SNAT   all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0    to:1.2.3.4
My Router (BGP router) packet: (I shouldn't have seen it and here I can see ...)
10:09:28.879415 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q (0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 127, id 20066, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.206.57808 > 108.177.14.189.443: Flags [R.], cksum 0x3ba1 (correct), seq 2045590905, ack 4040794494, win 0, length 0
Please help / hint.
--
Marcin Kabiesz
IT Network Administrator
* Re: NAT translation problem - leakage of packets with original source address
From: Florian Westphal @ 2022-03-11 12:53 UTC
To: Marcin Kabiesz; +Cc: Florian Westphal, netfilter
Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
> Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
>  pkts bytes target prot opt in out    source           destination
> 84216 8212K ACCEPT all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0
>  552K   46M ACCEPT all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0
>     0     0 ACCEPT all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0
>     0     0 DROP   all  --  *  eth0.2 192.168.0.0/16   0.0.0.0/0
>     0     0 DROP   tcp  --  *  eth0.2 0.0.0.0/0        0.0.0.0/0    state INVALID
I suspect you need to move the INVALID rule to the beginning,
else packets might get accepted by earlier rule.
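As an added example, not code from the thread or from netfilter: the script below parses the mangle POSTROUTING listing Marcin posted (rows rejoined, as a constructed input), reports which rules are evaluated before the INVALID drop and so can accept a packet ahead of it, and renders the chain with that drop moved to position 1, in the mangle POSTROUTING placement Florian suggested. The rendered iptables commands are my assumed equivalent of the listed rules, not commands from the thread.

```python
# Added example, not code from the thread: audit an "iptables -vnL" listing for
# the ordering problem Florian points out (a DROP of conntrack-INVALID packets
# placed after ACCEPT rules never sees packets those ACCEPTs already matched).
# Constructed input: the mangle POSTROUTING listing from the thread, rows rejoined.
SAMPLE_CHAIN = """\
Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target prot opt in out    source          destination
84216 8212K ACCEPT all  --  *  eth0.2 192.168.10.0/24 0.0.0.0/0
 552K   46M ACCEPT all  --  *  eth0.2 192.168.11.0/24 0.0.0.0/0
    0     0 ACCEPT all  --  *  eth0.2 192.168.12.0/24 0.0.0.0/0
    0     0 DROP   all  --  *  eth0.2 192.168.0.0/16  0.0.0.0/0
    0     0 DROP   tcp  --  *  eth0.2 0.0.0.0/0       0.0.0.0/0   state INVALID
"""

def parse_chain(listing):
    """Parse the rows of an 'iptables -vnL' listing into rule dicts."""
    rules = []
    for line in listing.splitlines()[2:]:  # skip the 'Chain' and header rows
        f = line.split(None, 9)
        if len(f) >= 9:
            rules.append({"target": f[2], "proto": f[3], "out": f[6], "src": f[7],
                          "dst": f[8], "extra": f[9] if len(f) > 9 else ""})
    return rules

def is_invalid_drop(rule):
    return rule["target"] == "DROP" and "INVALID" in rule["extra"]

def shadowing_rules(rules):
    """1-based positions of terminating rules evaluated before the INVALID DROP."""
    for i, r in enumerate(rules):
        if is_invalid_drop(r):
            return [j + 1 for j, p in enumerate(rules[:i])
                    if p["target"] in ("ACCEPT", "DROP", "REJECT", "SNAT")]
    return []  # no INVALID DROP in the chain, or nothing ahead of it

def reorder(rules):
    """Move the INVALID DROP to the front, keeping the other rules' order."""
    inv = [r for r in rules if is_invalid_drop(r)]
    return inv + [r for r in rules if not is_invalid_drop(r)]

def to_commands(rules, table="mangle", chain="POSTROUTING"):
    """Render as iptables commands; the INVALID DROP is widened from tcp to all protocols."""
    cmds = []
    for r in rules:
        base = f"iptables -t {table} -A {chain} -o {r['out']}"
        if is_invalid_drop(r):  # conntrack can flag UDP/ICMP as INVALID too
            cmds.append(f"{base} -m conntrack --ctstate INVALID -j DROP")
        else:
            cmds.append(f"{base} -s {r['src']} -j {r['target']}")
    return cmds
```

Running shadowing_rules(parse_chain(SAMPLE_CHAIN)) on the posted chain reports all four earlier rules as shadowing the INVALID drop; after reorder() the list is empty.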
* Re: NAT translation problem - leakage of packets with original source address
From: Marcin Kabiesz @ 2022-03-11 13:45 UTC
To: Florian Westphal; +Cc: netfilter
On 2022-03-11 13:53, Florian Westphal wrote:
> Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
>> Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
>>  pkts bytes target prot opt in out    source           destination
>> 84216 8212K ACCEPT all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0
>>  552K   46M ACCEPT all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0
>>     0     0 ACCEPT all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0
>>     0     0 DROP   all  --  *  eth0.2 192.168.0.0/16   0.0.0.0/0
>>     0     0 DROP   tcp  --  *  eth0.2 0.0.0.0/0        0.0.0.0/0    state INVALID
>
> I suspect you need to move the INVALID rule to the beginning,
> else packets might get accepted by earlier rule.
Hello,
This is how I coped with this problem. Thank you for all your help :)
https://bugzilla.netfilter.org/show_bug.cgi?id=1115
I checked and filtered INVALID accordingly and it works :)
--
Marcin Kabiesz
IT Network Administrator