* [LARTC] weird problem with ip+snat+tun0
@ 2004-10-10  1:42 Ciprian Niculescu
From: Ciprian Niculescu @ 2004-10-10  1:42 UTC (permalink / raw)
  To: lartc

I have a box with 2 real interfaces and one more virtual:
eth0 - to the internet (193....
eth1 - to the local net (192.168..)
tun0 - to another ISP

The routing is: all the free/local classes I send directly on eth0, 
the rest of the internet I send through tun0.
The admin of tun0 wants me to SNAT all the packets with my end of the 
ip-tun0 interface,
and I SNAT all the traffic that goes to local/free nets.

The problem is that on tun0 I see packets with source address my eth0 
and destination somewhere in the internet, and they are only ACKs (I also 
see the NATed traffic). Why????

I'll start with some configs and at the end some discoveries:

So an "ip rule" looks like:

0:      from all lookup local
32516:  from 192.168.40.0/24 lookup metro
32517:  from 192.168.40.254 lookup tunel
32518:  from 192.168.40.253 lookup tunel
..........
32765:  from 192.168.40.2 lookup tunel
32766:  from all lookup main
32767:  from all lookup default


An "ip route list table metro" has entries like:
84...0/17 via 193. dev eth0

An "ip route list table tunel" has only a default:
default via 10.0.1.1 dev tun0

And the main table has the directly connected nets and a default through eth0.

The iptables looks like:

filter - empty
mangle - mark traffic for the tc part
nat - only
Chain POSTROUTING
   481 52825 SNAT all -- * tun0 192.168.40.0/24 0.0.0.0/0 to:10.0.1.2
   0     0 SNAT all -- * eth0 192.168.40.100 0.0.0.0/0 to:IP_IF_ETH0
........................


A tcpdump on tun0 gets:
tcpdump -i tun0 -n | grep -v 10.0.1.2
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 2449728106 win 33870 (DF)
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 1 win 33870 (DF)
IP_IF_ETH0.8181 > 81.208.36.95.9195: . ack 272319646 win 65225 (DF)


So I began to put accounting/logging rules in iptables with -s 
IP_IF_ETH0; I did it in nat POSTROUTING and in filter OUTPUT, INPUT, FORWARD, 
and I got hits on OUTPUT:

Oct 10 04:10:39 kernel: IN= OUT=eth0 SRC=IP_IF_ETH0 DST=83.175.129.103 
LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8181 DPT=4894 
WINDOW=0 RES=0x00 ACK RST URGP=0

So it's a locally generated packet that is marked to get out on eth0, but it 
goes out on tun0. I presume (pls confirm) that the label of the interface 
is put on by the output routing, and when it gets to the OUTPUT conntrack 
it's marked to get out on tun0 but the label is not modified, so it doesn't 
match my SNAT rule with -o tun0.

How can I solve the problem? I don't see how; either the config is bad, or 
it's a bug :-)))

C
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
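To make the rule walk in the post concrete, here is an added Python model (not from the original message) of how the kernel evaluates the "ip rule" list above against the three route tables, followed by the nat POSTROUTING SNAT match. It models only the first routing decision, not the reroute after OUTPUT that the poster suspects; IP_IF_ETH0 = 193.0.2.10, the gateway net 193.0.2.0/24 and the 84.0.0.0/17 prefix are placeholders standing in for the elided values in the post.

```python
import ipaddress

IP_IF_ETH0 = "193.0.2.10"   # placeholder for the poster's real eth0 address

# "ip rule": (priority, 'from' selector or None meaning 'from all', table).
# Only two of the elided per-host 'lookup tunel' rules are reproduced.
RULES = [
    (0, None, "local"),
    (32516, "192.168.40.0/24", "metro"),
    (32517, "192.168.40.254/32", "tunel"),
    (32765, "192.168.40.2/32", "tunel"),
    (32766, None, "main"),
    (32767, None, "default"),
]

# Route tables as (destination prefix, outgoing interface).
# 84.0.0.0/17 is a placeholder for the '84...0/17' free/local prefix.
TABLES = {
    "local": [(IP_IF_ETH0 + "/32", "lo"), ("10.0.1.2/32", "lo")],
    "metro": [("84.0.0.0/17", "eth0")],
    "tunel": [("0.0.0.0/0", "tun0")],
    "main": [("192.168.40.0/24", "eth1"), ("193.0.2.0/24", "eth0"),
             ("10.0.1.0/24", "tun0"), ("0.0.0.0/0", "eth0")],
    "default": [],
}

def lookup(table, dst):
    """Longest-prefix match in one table; None means 'no route, next rule'."""
    best = None
    for prefix, oif in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, oif)
    return best[1] if best else None

def route(src, dst):
    """Walk the rules by priority; a table with no matching route falls through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in RULES:
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        oif = lookup(table, dst)
        if oif is not None:
            return table, oif
    return None, None

# nat POSTROUTING SNAT rules from the post: (-o interface, -s source, to:).
SNAT_RULES = [("tun0", "192.168.40.0/24", "10.0.1.2"),
              ("eth0", "192.168.40.100/32", IP_IF_ETH0)]

def snat(src, oif):
    """Return the rewritten source, or the original if no SNAT rule matches."""
    for rule_oif, rule_src, to in SNAT_RULES:
        if oif == rule_oif and ipaddress.ip_address(src) in ipaddress.ip_network(rule_src):
            return to
    return src
```

With this model a locally generated packet from IP_IF_ETH0 is routed via main to eth0, and a packet from IP_IF_ETH0 leaving on tun0 matches no SNAT rule, which is exactly what the tcpdump above shows.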
