From: n_dahlem@gmx.net
To: netfilter-devel@lists.netfilter.org
Subject: nat: expected connection only works one way
Date: Mon, 27 Oct 2003 15:28:09 +0100 (MET)
Message-ID: <26158.1067264889@www3.gmx.net>

This is my setup:
Host1(172.30.8.100) --> Masq(172.30.8.1/10.20.10.213) --> Server(10.20.0.14)
<-- Host2(10.20.10.198)
                 
<-------------------------------------------------------------------  

A Master connection is established between Host1 and Server.
Host1 and Host2 negotiate connection parameters via the Server.
Then related data connections are established between Host1 and Host2
directly.

The control-connection is established and an expectation is created:
> conntrack: help: expect_related 10.20.10.213:5006-10.20.10.198:5020

cat /proc/net/ip_conntrack shows:
> EXPECTING: 4979 use=1 proto=17 src=10.20.10.198 dst=10.20.10.213 sport=5020 dport=5006

I receive packets on the related connection, the log shows:
> nat_expected: were in
> nat_expected: We have a connection!
> master ORIG tuple c1f48060: 17 172.30.8.100:33161216 0 -> 10.20.0.14:0
> master REPLY tuple c1f48090: 17 10.20.0.14:331612160 -> 10.20.10.213:0
> ct ORIG tuple c1f485e0: 17 10.20.10.198:32899072 0 -> 10.20.10.213:0
> ct REPLY tuple c1f48610: 17 10.20.10.213:32807321 6 -> 10.20.10.198:0
> nat_expected: connection 10.20.10.198->172.30.8.100
> MANIP_DST
> nat_expected: IP to 172.30.8.100
.....
> nat_expected: were in
> nat_expected: We have a connection!
> master ORIG tuple c1f48060: 17 172.30.8.100:33161216 0 -> 10.20.0.14:0
> master REPLY tuple c1f48090: 17 10.20.0.14:331612160 -> 10.20.10.213:0
> ct ORIG tuple c1f485e0: 17 10.20.10.198:32899072 0 -> 10.20.10.213:0
> ct REPLY tuple c1f48610: 17 172.30.8.100:32807321 6 -> 10.20.10.198:0
> nat_expected: connection 10.20.10.198->172.30.8.100
> MANIP_SRC
> nat_expected: IP to 10.20.10.198

Using Ethereal between Host2 and Masq I see packets:
10.20.10.198:5020 -> 10.20.10.213:5006

Sniffing between Masq and Host1, one can see that the packets coming from
Host2 get nat'd and an answer is sent:
10.20.10.198:5020 -> 172.30.8.100:5006
172.30.8.100:5006 -> 10.20.10.213:5020

/proc/net/ip_conntrack shows:
> udp      17 27 src=10.20.10.198 dst=10.20.10.213 sport=5020 dport=5006 [UNREPLIED] src=172.30.8.100 dst=10.20.10.198 sport=5006 dport=5020 use=1
> udp      17 27 src=172.30.8.100 dst=10.20.10.213 sport=5006 dport=5020 [UNREPLIED] src=10.20.10.213 dst=172.30.8.100 sport=5020 dport=5006 use=1

The answer isn't nat'd and never reaches the other side.

What am I missing?


kind regards

Nikolai

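An added example, not code from the mail above or from netfilter itself: a small Python parser for the /proc/net/ip_conntrack lines quoted in the mail that matches each sniffed packet against the ORIG and REPLY tuples of the entries, the same exact-4-tuple comparison conntrack uses to decide whether a packet belongs to an existing entry or opens a new one. Run over the mail's own two [UNREPLIED] entries (embedded below, unwrapped) it shows why the table ends up with two entries: Host1's answer as sniffed (172.30.8.100:5006 -> 10.20.10.213:5020) equals neither tuple of the first entry, whose REPLY tuple is 172.30.8.100:5006 -> 10.20.10.198:5020, so it lands as the ORIG direction of a second entry. The format regex assumes the 2.4-era ip_conntrack layout (ORIG tuple, optional [UNREPLIED], REPLY tuple) and compares the 4-tuple only, treating every sample line as UDP.

```python
"""Match sniffed packets against /proc/net/ip_conntrack entries.

Added example, not code from the original mail or from netfilter. It assumes
the 2.4-era ip_conntrack text layout: an ORIG tuple, optional [UNREPLIED],
then the REPLY tuple, each written as src= dst= sport= dport=.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (src, sport, dst, dport), oriented the way the packet travels on the wire.
Tuple4 = Tuple[str, int, str, int]

# Constructed sample input: the two conntrack lines quoted in the mail, unwrapped.
SAMPLE_CONNTRACK = (
    "udp      17 27 src=10.20.10.198 dst=10.20.10.213 sport=5020 dport=5006 "
    "[UNREPLIED] src=172.30.8.100 dst=10.20.10.198 sport=5006 dport=5020 use=1\n"
    "udp      17 27 src=172.30.8.100 dst=10.20.10.213 sport=5006 dport=5020 "
    "[UNREPLIED] src=10.20.10.213 dst=172.30.8.100 sport=5020 dport=5006 use=1\n"
)

# Constructed sample input: the EXPECTING line quoted in the mail, unwrapped.
SAMPLE_EXPECT = ("EXPECTING: 4979 use=1 proto=17 src=10.20.10.198 dst=10.20.10.213 "
                 "sport=5020 dport=5006")

_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Entry:
    proto: str
    orig: Tuple4      # direction that created the entry
    reply: Tuple4     # direction an answer must travel to be counted as a reply
    unreplied: bool


def _to_tuple(m: Tuple[str, str, str, str]) -> Tuple4:
    src, dst, sport, dport = m
    return (src, int(sport), dst, int(dport))


def parse_conntrack(text: str) -> List[Entry]:
    """Parse one Entry per non-empty line; raise on lines without two tuples."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        found = _TUPLE_RE.findall(line)
        if len(found) != 2:
            raise ValueError(f"expected ORIG and REPLY tuples: {line!r}")
        entries.append(Entry(proto=line.split()[0],
                             orig=_to_tuple(found[0]),
                             reply=_to_tuple(found[1]),
                             unreplied="[UNREPLIED]" in line))
    return entries


def parse_expectation(line: str) -> Tuple4:
    """Return the tuple an EXPECTING line is waiting for."""
    found = _TUPLE_RE.findall(line)
    if len(found) != 1:
        raise ValueError(f"expected exactly one tuple: {line!r}")
    return _to_tuple(found[0])


def match(entries: List[Entry], pkt: Tuple4) -> Optional[Tuple[int, str]]:
    """Index and direction of the entry whose ORIG or REPLY tuple equals pkt.

    Exact 4-tuple comparison in either direction (protocol is assumed to be
    the same for all entries here); a packet equal to neither tuple of any
    entry returns None, which is the case in which conntrack opens a new entry.
    """
    for i, e in enumerate(entries):
        if pkt == e.orig:
            return (i, "ORIGINAL")
        if pkt == e.reply:
            return (i, "REPLY")
    return None


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    packets = [
        ("10.20.10.198", 5020, "10.20.10.213", 5006),   # Host2 -> Masq, as sniffed
        ("172.30.8.100", 5006, "10.20.10.213", 5020),   # Host1's answer, as sniffed
        ("172.30.8.100", 5006, "10.20.10.198", 5020),   # the first entry's REPLY tuple
    ]
    print("expectation waits for:", parse_expectation(SAMPLE_EXPECT))
    for pkt in packets:
        print(pkt, "->", match(table, pkt))
```

The third packet in the usage block is not one from the mail; it is the tuple the first entry's REPLY side would accept, included so the difference from the sniffed answer (dst 10.20.10.198 versus 10.20.10.213) is visible side by side.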

Thread overview:
2003-10-27 14:28 n_dahlem [this message]
2003-10-28  8:38 ` nat: expected connection only works one way Philip Craig