NAT breaks my TCP SYN/ACK?

NAT breaks my TCP SYN/ACK?

[Emmanuel Guiton]

Hei!

I've written a target module which for the moment performs only a simple 
redirection as follows (I took masquerade and redirect as examples to 
write this):

    newrange= ((struct ip_nat_multi_range)
    {
        1,
        {{
            IP_NAT_RANGE_PROTO_SPECIFIED | IP_NAT_RANGE_MAP_IPS,
            new_ip_target,
            new_ip_target,
            {sd_data->min_napt_port},
            {sd_data->max_napt_port}
        }}
    });

ip_nat_setup_info(conntrack, &newrange, hooknum)  /*hooknum is pre-routing*/


In my tests, I'm trying from a host at adress X to reach a website at 
address Y. However this website does not exist on that address but on 
address Z. Thus, basically in my target, I change address Y for Z. But 
the connection to the website is refused, and tcpdump shows the following:

17:25:21.568709 11.11.11.10.1262 > 10.10.10.10.www: SWE 
1338652779:1338652779(0) win 5840 <mss 1460,sackOK,timestamp 
8306468[|tcp]> (DF)
17:25:21.569136 10.10.10.10.www > 11.11.11.10.1262: R 0:0(0) ack 
1338652780 win 0 (DF)

(while if it was working it should be:
17:24:04.590007 11.11.11.10.1261 > 10.10.10.10.www: SWE 
1266184733:1266184733(0) win 5840 <mss 1460,sackOK,timestamp 
8298770[|tcp]> (DF)
17:24:04.590344 10.10.10.10.www > 11.11.11.10.1261: SE 
312659779:312659779(0) ack 1266184734 win 5792 <mss 
1460,sackOK,timestamp 8644814[|tcp]> (DF)
)

Does anyone has an idea about what happens to my SYN/ACK packet? Why is 
it modified like that?

               Emmanuel

Re: NAT breaks my TCP SYN/ACK?

[Henrik Nordstrom]

On Tue, 16 Dec 2003, Emmanuel Guiton wrote:

> In my tests, I'm trying from a host at adress X to reach a website at 
> address Y. However this website does not exist on that address but on 
> address Z. Thus, basically in my target, I change address Y for Z. But 
> the connection to the website is refused, and tcpdump shows the following:
> 
> 17:25:21.568709 11.11.11.10.1262 > 10.10.10.10.www: SWE 
> 1338652779:1338652779(0) win 5840 <mss 1460,sackOK,timestamp 
> 8306468[|tcp]> (DF)
> 17:25:21.569136 10.10.10.10.www > 11.11.11.10.1262: R 0:0(0) ack 
> 1338652780 win 0 (DF)

What does tcpdump on the "website" indicate?

My quess is that the port is not mapped correcly causing the SYN to hit 
another port on the server than you intended.

Regards
Henrik

Re: NAT breaks my TCP SYN/ACK?

[Emmanuel Guiton]

Hei!

Sorry for my late answer, I wasn't really at work these last days.

Henrik Nordstrom wrote:

>On Tue, 16 Dec 2003, Emmanuel Guiton wrote:
>
>  
>
>>In my tests, I'm trying from a host at adress X to reach a website at 
>>address Y. However this website does not exist on that address but on 
>>address Z. Thus, basically in my target, I change address Y for Z. But 
>>the connection to the website is refused, and tcpdump shows the following:
>>
>>17:25:21.568709 11.11.11.10.1262 > 10.10.10.10.www: SWE 
>>1338652779:1338652779(0) win 5840 <mss 1460,sackOK,timestamp 
>>8306468[|tcp]> (DF)
>>17:25:21.569136 10.10.10.10.www > 11.11.11.10.1262: R 0:0(0) ack 
>>1338652780 win 0 (DF)
>>    
>>
>
>What does tcpdump on the "website" indicate?
>
>My quess is that the port is not mapped correcly causing the SYN to hit 
>another port on the server than you intended.
>  
>
You are right, I gathered a few more data and that's it:

11:12:41.535710 11.11.11.10.1266 > pc104.4: SWE 2321994237:2321994237(0) 
win 5840 <mss 1460,sackOK,timestamp 31990183[|tcp]> (DF)
11:12:41.535941 pc104.4 > 11.11.11.10.1266: R 0:0(0) ack 2321994238 win 
0 (DF)

The port here is 4 instead of being 80. I'm going to investigate this.
Thanks,

         Emmanuel