From: Ciprian Niculescu <cnicules@4email.net>
To: lartc@vger.kernel.org
Subject: [LARTC] weird problem with ip+snat+tun0
Date: Sun, 10 Oct 2004 01:42:37 +0000
Message-ID: <4168938D.5050708@4email.net>
I have a box with 2 real interfaces and one more virtual:
eth0 - to the internet (193....
eth1 - to the local net (192.168..)
tun0 - to another ISP
The routing is: all the free/local classes I send directly over eth0,
the rest of the internet I send through tun0.
The admin of tun0 wants me to SNAT all the packets with my end of the
ip-tun0 interface,
and I SNAT all the traffic that goes to local/free nets.
The problem is that on tun0 I see packets with source address my eth0
and destination somewhere in the internet, and they are only ACKs (I also see NATed
traffic). Why????
I'll start with some confs and at the end some discoveries:
so an "ip rule" looks like:
0: from all lookup local
32516: from 192.168.40.0/24 lookup metro
32517: from 192.168.40.254 lookup tunel
32518: from 192.168.40.253 lookup tunel
..........
32765: from 192.168.40.2 lookup tunel
32766: from all lookup main
32767: from all lookup default
and ip route list table metro has entries like:
84...0/17 via 193. dev eth0
and ip route list table tunel is only a default:
default via 10.0.1.1 dev tun0
and main has the directly connected nets and a default through eth0.
The iptables look like:
filter - empty
mangle - marks traffic for the tc part
nat - only
Chain POSTROUTING
481 52825 SNAT all -- * tun0 192.168.40.0/24 0.0.0.0/0 to:10.0.1.2
0 0 SNAT all -- * eth0 192.168.40.100 0.0.0.0/0 to:IP_IF_ETH0
........................
a tcpdump on tun0 gets
tcpdump -i tun0 -n | grep -v 10.0.1.2
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 2449728106 win 33870 (DF)
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 1 win 33870 (DF)
IP_IF_ETH0.8181 > 81.208.36.95.9195: . ack 272319646 win 65225 (DF)
So I began to put accounting/logging rules in iptables with -s
IP_IF_ETH0; I did it in nat POSTROUTING, in filter OUTPUT, INPUT, FORWARD,
and I got in OUTPUT:
Oct 10 04:10:39 kernel: IN= OUT=eth0 SRC=IP_IF_ETH0 DST=83.175.129.103
LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8181 DPT=4894
WINDOW=0 RES=0x00 ACK RST URGP=0
So it's a locally generated packet that is marked to get out on eth0, but it
gets out on tun0. I presume (please confirm) that the label of the interface
is put on by the output routing, and when it gets to the OUTPUT conntrack
it's marked to get out on tun0 but that doesn't modify the label, so it doesn't
match my rule of SNAT -o tun0.
How can I solve the problem? I don't see how; either the config is bad, or it's a
bug :-)))
C
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
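The rule list, route tables and SNAT rules quoted in the message above can be replayed offline to see which table, output device and post-NAT source address a given packet gets. The resolver below is an added example, not code from the poster or from the LARTC project: it walks "ip rule" entries by priority, does longest-prefix match inside the selected table, falls through to the next rule when a table has no route (the kernel's behaviour for plain "lookup" rules), and then applies the first matching POSTROUTING SNAT rule. It models only the routing and nat stage; the mangle marks the post mentions are not shown on the page and are not modelled. Addresses the post elides or hides behind placeholders are replaced with constructed stand-ins from the documentation ranges: 192.0.2.1 plays IP_IF_ETH0 (with 192.0.2.0/24 as the assumed connected net), 198.51.100.0/24 stands in for the "84...0/17" free/local class in table metro, 10.0.1.0/30 is the assumed tunnel link net, and only the per-host rules and SNAT rules actually printed in the post are included (the "..........", "........" entries stay elided).

```python
import ipaddress
from typing import Optional

# Added example: replay of the poster's "ip rule" / "ip route" / SNAT setup.
# Stand-in addresses (constructed, from RFC 5737 documentation ranges):
#   192.0.2.1      -> IP_IF_ETH0          198.51.100.0/24 -> the "84...0/17" metro class
#   192.0.2.0/24   -> connected net on eth0 (assumed)   10.0.1.0/30 -> tunnel link (assumed)

# "ip rule" in priority order: (priority, 'from' selector, table).
# Only the host rules printed in the post are listed; the elided ones are omitted.
RULES = [
    (0,     "all",              "local"),
    (32516, "192.168.40.0/24",  "metro"),
    (32517, "192.168.40.254",   "tunel"),
    (32518, "192.168.40.253",   "tunel"),
    (32765, "192.168.40.2",     "tunel"),
    (32766, "all",              "main"),
    (32767, "all",              "default"),
]

# Route tables: (destination prefix, output device).
TABLES = {
    "local":   [],                                   # host/broadcast routes, omitted
    "metro":   [("198.51.100.0/24", "eth0")],       # stand-in for "84...0/17 ... dev eth0"
    "tunel":   [("0.0.0.0/0", "tun0")],              # "default via 10.0.1.1 dev tun0"
    "main":    [("192.0.2.0/24", "eth0"),            # connected net on eth0 (assumed)
                ("192.168.40.0/24", "eth1"),         # connected net on eth1
                ("10.0.1.0/30", "tun0"),             # tunnel endpoints (assumed)
                ("0.0.0.0/0", "eth0")],              # "a default through eth0"
    "default": [],
}

# nat POSTROUTING SNAT rules as printed, first match wins:
# (out-interface, source selector, new source address).
SNAT_RULES = [
    ("tun0", "192.168.40.0/24", "10.0.1.2"),
    ("eth0", "192.168.40.100",  "192.0.2.1"),       # "to:IP_IF_ETH0"
]


def _selector_matches(selector: str, addr: ipaddress.IPv4Address) -> bool:
    """'all' matches everything; otherwise a host or CIDR containment test."""
    return selector == "all" or addr in ipaddress.ip_network(selector, strict=False)


def lookup_table(table: str, dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match inside one table; None when the table has no route for dst."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def route(src: str, dst: str):
    """Walk the rules by priority.  A selected table with no matching route
    falls through to the next rule, as the kernel does for 'lookup' rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in RULES:
        if not _selector_matches(selector, s):
            continue
        dev = lookup_table(table, d)
        if dev is not None:
            return table, dev
    return None, None


def snat_source(src: str, out_dev: Optional[str]) -> Optional[str]:
    """Source address after POSTROUTING SNAT, or None when no rule matches."""
    s = ipaddress.ip_address(src)
    for out_if, selector, new_src in SNAT_RULES:
        if out_if == out_dev and _selector_matches(selector, s):
            return new_src
    return None


def trace(src: str, dst: str) -> dict:
    """Table, output device and post-NAT source for one packet."""
    table, dev = route(src, dst)
    return {"table": table, "dev": dev, "snat": snat_source(src, dev)}


if __name__ == "__main__":
    for src, dst in [("192.168.40.254", "24.129.71.219"),   # LAN host to the internet
                     ("192.168.40.254", "198.51.100.7"),    # LAN host to a metro class
                     ("192.0.2.1",      "24.129.71.219")]:  # the box's own eth0 address
        print(src, "->", dst, trace(src, dst))
```

Two things the replay makes visible. Because table metro carries only the free/local classes, a LAN host matching rule 32516 falls through for every other destination, so it is the per-host "lookup tunel" rules that send the rest of the internet over tun0. And a packet whose source is the eth0 address itself is routed by main to eth0 and matches neither SNAT rule on any interface, so if such a packet does leave on tun0 it leaves unrewritten, which is what the tcpdump on tun0 shows.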