SNAT: I'm going insane

All of lore.kernel.org
 help / color / mirror / Atom feed

* SNAT: I'm going insane
@ 2004-01-31  7:04 Brian Capouch
  2004-01-31 17:55 ` John A. Sullivan III
  2004-01-31 18:58 ` Mark E. Donaldson
  0 siblings, 2 replies; 8+ messages in thread
From: Brian Capouch @ 2004-01-31  7:04 UTC (permalink / raw)
  To: netfilter

This ought to be the simplest thing in the world, and I have rules like 
this that work.  I hope someone can see something glaringly wrong with 
what I'm doing here:

I want to SNAT all traffic from an internal address (10.2.2.2) to an 
external one.  So I add to my rules:

iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source 
206.230.187.15

I test and my ssh traffic is passing perfectly; I go out to machines on 
the net and they show me coming in from 206.230.187.15.

But some--BUT NOT ALL--of my UDP traffic seems to be heading out without 
any change.

A short sniff on the *output* interface shows:

02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 
0x10] 

02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 
0x10] 

02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos 0x10

And the packet counters (which I reset for the test) show nothing 
passing through:

     0     0 SNAT       all  --  *      eth1    10.2.2.2 
0.0.0.0/0        to:206.230.187.15

UDP traffic going to port 5036, which is heading from this same machine 
to the same remote endpoint machine, gets NATted perfectly.

***************************************

Does anyone know what I'm doing wrong?  Other similar rules in this same 
table seem to be doing just what they need to. . . .

Thanks in advance for anyone who might be able to offer a potential 
explanation.

B.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: SNAT: I'm going insane
  2004-01-31  7:04 SNAT: I'm going insane Brian Capouch
@ 2004-01-31 17:55 ` John A. Sullivan III
  2004-01-31 18:58 ` Mark E. Donaldson
  1 sibling, 0 replies; 8+ messages in thread
From: John A. Sullivan III @ 2004-01-31 17:55 UTC (permalink / raw)
  To: Brian Capouch; +Cc: netfilter

On Sat, 2004-01-31 at 02:04, Brian Capouch wrote:
> This ought to be the simplest thing in the world, and I have rules like 
> this that work.  I hope someone can see something glaringly wrong with 
> what I'm doing here:
> 
> I want to SNAT all traffic from an internal address (10.2.2.2) to an 
> external one.  So I add to my rules:
> 
> iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source 
> 206.230.187.15
> 
> I test and my ssh traffic is passing perfectly; I go out to machines on 
> the net and they show me coming in from 206.230.187.15.
> 
> But some--BUT NOT ALL--of my UDP traffic seems to be heading out without 
> any change.
> 
> A short sniff on the *output* interface shows:
> 
> 02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 
> 0x10] 
> 
> 02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 
> 0x10] 
> 
> 02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos 0x10
> 
> And the packet counters (which I reset for the test) show nothing 
> passing through:
> 
>      0     0 SNAT       all  --  *      eth1    10.2.2.2 
> 0.0.0.0/0        to:206.230.187.15
> 
> UDP traffic going to port 5036, which is heading from this same machine 
> to the same remote endpoint machine, gets NATted perfectly.
> 
> ***************************************
> 
> Does anyone know what I'm doing wrong?  Other similar rules in this same 
> table seem to be doing just what they need to. . . .
> 
> Thanks in advance for anyone who might be able to offer a potential 
> explanation.
> 
> B.

That sounds bizarre! Am I correct to assume that we know the packets are
arriving at the internal interface of the gateway because we see them
being passed in the clear on the public interface? That's how I
understood your e-mail.  Otherwise, I would start by making sure the
packets were arriving in the first place.

Is there any chance the unNATted packets are associated with an existing
packet flow and thus the POSTROUTING chain is being bypassed by
conntrack?

You may wish to place log rules at every step of the packet's traversal
through netfilter to see where the packet is being shunted.  That may
suddenly reveal this mysterious, insanity provoking behavior.  Good luck
- John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 



^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: SNAT: I'm going insane
  2004-01-31  7:04 SNAT: I'm going insane Brian Capouch
  2004-01-31 17:55 ` John A. Sullivan III
@ 2004-01-31 18:58 ` Mark E. Donaldson
  1 sibling, 0 replies; 8+ messages in thread
From: Mark E. Donaldson @ 2004-01-31 18:58 UTC (permalink / raw)
  To: 'Brian Capouch', netfilter

Is there any chance these packets are getting dropped before they get
SNATTED?  I don't know what your default policies are set to, nor your other
rules, but I would look at this possibility first.  I suggest you run
tcpdump and follow these packets to see what is happening to them.  Also,
you might enable logging of these packets as well to get some additional
information. 

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Brian Capouch
Sent: Friday, January 30, 2004 11:05 PM
To: netfilter@lists.netfilter.org
Subject: SNAT: I'm going insane

This ought to be the simplest thing in the world, and I have rules like this
that work.  I hope someone can see something glaringly wrong with what I'm
doing here:

I want to SNAT all traffic from an internal address (10.2.2.2) to an
external one.  So I add to my rules:

iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source
206.230.187.15

I test and my ssh traffic is passing perfectly; I go out to machines on the
net and they show me coming in from 206.230.187.15.

But some--BUT NOT ALL--of my UDP traffic seems to be heading out without any
change.

A short sniff on the *output* interface shows:

02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 0x10] 

02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 0x10] 

02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos 0x10

And the packet counters (which I reset for the test) show nothing passing
through:

     0     0 SNAT       all  --  *      eth1    10.2.2.2 
0.0.0.0/0        to:206.230.187.15

UDP traffic going to port 5036, which is heading from this same machine to
the same remote endpoint machine, gets NATted perfectly.

***************************************

Does anyone know what I'm doing wrong?  Other similar rules in this same
table seem to be doing just what they need to. . . .

Thanks in advance for anyone who might be able to offer a potential
explanation.

B.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: SNAT: I'm going insane
@ 2004-01-31 19:00 Carl Farrington
  2004-01-31 19:20 ` Mark E. Donaldson
  0 siblings, 1 reply; 8+ messages in thread
From: Carl Farrington @ 2004-01-31 19:00 UTC (permalink / raw)
  To: netfilter

Sorry to hijack your discussion so to speak, but this has raised my
curiosity. Why would someone want to do this? And for it to work,
presumably you would have 206.230.187.15 DNAT everything else back to
10.2.2.2 ?

Is it a bit like doing MASQ but without the full packet-modification?

> -----Original Message-----
> From: Brian Capouch [mailto:brianc@palaver.net]
> Sent: 31 January 2004 07:05
> To: netfilter@lists.netfilter.org
> Subject: SNAT: I'm going insane
> 
> This ought to be the simplest thing in the world, and I have rules
like
> this that work.  I hope someone can see something glaringly wrong with
> what I'm doing here:
> 
> I want to SNAT all traffic from an internal address (10.2.2.2) to an
> external one.  So I add to my rules:
> 
> iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source
> 206.230.187.15
> 
> I test and my ssh traffic is passing perfectly; I go out to machines
on
> the net and they show me coming in from 206.230.187.15.
> 
> But some--BUT NOT ALL--of my UDP traffic seems to be heading out
without
> any change.
> 
> A short sniff on the *output* interface shows:
> 
> 02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos
> 0x10]
> 
> 02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos
> 0x10]
> 
> 02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos
0x10
> 
> And the packet counters (which I reset for the test) show nothing
> passing through:
> 
>      0     0 SNAT       all  --  *      eth1    10.2.2.2
> 0.0.0.0/0        to:206.230.187.15
> 
> UDP traffic going to port 5036, which is heading from this same
machine
> to the same remote endpoint machine, gets NATted perfectly.
> 
> ***************************************
> 
> Does anyone know what I'm doing wrong?  Other similar rules in this
same
> table seem to be doing just what they need to. . . .
> 
> Thanks in advance for anyone who might be able to offer a potential
> explanation.
> 
> B.



^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: SNAT: I'm going insane
  2004-01-31 19:00 Carl Farrington
@ 2004-01-31 19:20 ` Mark E. Donaldson
  0 siblings, 0 replies; 8+ messages in thread
From: Mark E. Donaldson @ 2004-01-31 19:20 UTC (permalink / raw)
  To: 'Carl Farrington', netfilter

Why would you want to DNAT all the return packets?  Assuming the connection
was established from the inside, should not the state table handle this?
Now, if you are permitting a new connection from the outside, then you would
of course want to DANT that through to the correct host.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Carl Farrington
Sent: Saturday, January 31, 2004 11:01 AM
To: netfilter@lists.netfilter.org
Subject: RE: SNAT: I'm going insane

Sorry to hijack your discussion so to speak, but this has raised my
curiosity. Why would someone want to do this? And for it to work, presumably
you would have 206.230.187.15 DNAT everything else back to
10.2.2.2 ?

Is it a bit like doing MASQ but without the full packet-modification?

> -----Original Message-----
> From: Brian Capouch [mailto:brianc@palaver.net]
> Sent: 31 January 2004 07:05
> To: netfilter@lists.netfilter.org
> Subject: SNAT: I'm going insane
> 
> This ought to be the simplest thing in the world, and I have rules
like
> this that work.  I hope someone can see something glaringly wrong with 
> what I'm doing here:
> 
> I want to SNAT all traffic from an internal address (10.2.2.2) to an 
> external one.  So I add to my rules:
> 
> iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source
> 206.230.187.15
> 
> I test and my ssh traffic is passing perfectly; I go out to machines
on
> the net and they show me coming in from 206.230.187.15.
> 
> But some--BUT NOT ALL--of my UDP traffic seems to be heading out
without
> any change.
> 
> A short sniff on the *output* interface shows:
> 
> 02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 
> 0x10]
> 
> 02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos 
> 0x10]
> 
> 02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos
0x10
> 
> And the packet counters (which I reset for the test) show nothing 
> passing through:
> 
>      0     0 SNAT       all  --  *      eth1    10.2.2.2
> 0.0.0.0/0        to:206.230.187.15
> 
> UDP traffic going to port 5036, which is heading from this same
machine
> to the same remote endpoint machine, gets NATted perfectly.
> 
> ***************************************
> 
> Does anyone know what I'm doing wrong?  Other similar rules in this
same
> table seem to be doing just what they need to. . . .
> 
> Thanks in advance for anyone who might be able to offer a potential 
> explanation.
> 
> B.





^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: SNAT: I'm going insane
@ 2004-01-31 19:22 Carl Farrington
  2004-01-31 19:37 ` Cedric Blancher
  0 siblings, 1 reply; 8+ messages in thread
From: Carl Farrington @ 2004-01-31 19:22 UTC (permalink / raw)
  To: netfilter

Guess I should read up on netfilter quite a bit more. So the state table
is an automagic thing that re-writes the return packets.. thanks.

> -----Original Message-----
> From: Mark E. Donaldson [mailto:markee@bandwidthco.com]
> Sent: 31 January 2004 19:21
> To: Carl Farrington; netfilter@lists.netfilter.org
> Subject: RE: SNAT: I'm going insane
> 
> Why would you want to DNAT all the return packets?  Assuming the
> connection
> was established from the inside, should not the state table handle
this?
> Now, if you are permitting a new connection from the outside, then you
> would
> of course want to DANT that through to the correct host.
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Carl
Farrington
> Sent: Saturday, January 31, 2004 11:01 AM
> To: netfilter@lists.netfilter.org
> Subject: RE: SNAT: I'm going insane
> 
> Sorry to hijack your discussion so to speak, but this has raised my
> curiosity. Why would someone want to do this? And for it to work,
> presumably
> you would have 206.230.187.15 DNAT everything else back to
> 10.2.2.2 ?
> 
> Is it a bit like doing MASQ but without the full packet-modification?
> 
> > -----Original Message-----
> > From: Brian Capouch [mailto:brianc@palaver.net]
> > Sent: 31 January 2004 07:05
> > To: netfilter@lists.netfilter.org
> > Subject: SNAT: I'm going insane
> >
> > This ought to be the simplest thing in the world, and I have rules
> like
> > this that work.  I hope someone can see something glaringly wrong
with
> > what I'm doing here:
> >
> > I want to SNAT all traffic from an internal address (10.2.2.2) to an
> > external one.  So I add to my rules:
> >
> > iptables -t nat -I POSTROUTING -s 10.2.2.2 -j SNAT --to-source
> > 206.230.187.15
> >
> > I test and my ssh traffic is passing perfectly; I go out to machines
> on
> > the net and they show me coming in from 206.230.187.15.
> >
> > But some--BUT NOT ALL--of my UDP traffic seems to be heading out
> without
> > any change.
> >
> > A short sniff on the *output* interface shows:
> >
> > 02:31:56.696763 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos
> > 0x10]
> >
> > 02:31:58.699259 10.2.2.2.4569 > blah.blah.net.4569: udp 25 (DF) [tos
> > 0x10]
> >
> > 02:32:06.704660 10.2.2.2.4569 > blah.blah.net.4569: udp 12 (DF) [tos
> 0x10
> >
> > And the packet counters (which I reset for the test) show nothing
> > passing through:
> >
> >      0     0 SNAT       all  --  *      eth1    10.2.2.2
> > 0.0.0.0/0        to:206.230.187.15
> >
> > UDP traffic going to port 5036, which is heading from this same
> machine
> > to the same remote endpoint machine, gets NATted perfectly.
> >
> > ***************************************
> >
> > Does anyone know what I'm doing wrong?  Other similar rules in this
> same
> > table seem to be doing just what they need to. . . .
> >
> > Thanks in advance for anyone who might be able to offer a potential
> > explanation.
> >
> > B.
> 
> 



^ permalink raw reply	[flat|nested] 8+ messages in thread

* RE: SNAT: I'm going insane
  2004-01-31 19:22 Carl Farrington
@ 2004-01-31 19:37 ` Cedric Blancher
       [not found]   ` <401C05E1.5030204@palaver.net>
  0 siblings, 1 reply; 8+ messages in thread
From: Cedric Blancher @ 2004-01-31 19:37 UTC (permalink / raw)
  To: Carl Farrington; +Cc: netfilter

Le sam 31/01/2004 à 20:22, Carl Farrington a écrit :
> Guess I should read up on netfilter quite a bit more. So the state table
> is an automagic thing that re-writes the return packets.. thanks.

Yes, because deNAT is handle through conntrack, prior to anything else.
Netfilter's NAT is very bound to conntrack as you can see. That's why
unNATing rules are not necessary.

Moreover, once a packet has been NATed, no other packet belonging to
this very connection will go through nat table. Which means you only see
the very first packet of each connection in nat table.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

^ permalink raw reply	[flat|nested] 8+ messages in thread

[parent not found: <401C05E1.5030204@palaver.net>]

* Re: SNAT: I'm going insane
       [not found]   ` <401C05E1.5030204@palaver.net>
@ 2004-01-31 21:06     ` Cedric Blancher
  0 siblings, 0 replies; 8+ messages in thread
From: Cedric Blancher @ 2004-01-31 21:06 UTC (permalink / raw)
  To: Brian Capouch; +Cc: netfilter

Le sam 31/01/2004 à 20:45, Brian Capouch a écrit :
> How do you see those connections?  "iptables -t nat -n -L -v" doesn't 
> show them.

You can't, there's no "ipchains -L -m" equivalent for Netfilter. You can
have a direct look at the conntrack table :

	cat /proc/net/ip_conntrack

You can also use netstat-nat tool that is available at :

	http://tweegy.demon.nl/projects/netstat-nat/index.html


PS : I put a Cc back to the list as this answer may interest someone ;)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2004-01-31 21:06 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-01-31  7:04 SNAT: I'm going insane Brian Capouch
2004-01-31 17:55 ` John A. Sullivan III
2004-01-31 18:58 ` Mark E. Donaldson
  -- strict thread matches above, loose matches on Subject: below --
2004-01-31 19:00 Carl Farrington
2004-01-31 19:20 ` Mark E. Donaldson
2004-01-31 19:22 Carl Farrington
2004-01-31 19:37 ` Cedric Blancher
     [not found]   ` <401C05E1.5030204@palaver.net>
2004-01-31 21:06     ` Cedric Blancher

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.