* MASQUERADE
@ 2004-07-09 3:49 Payal Rathod
2004-07-09 10:35 ` MASQUERADE Erik Wikström
0 siblings, 1 reply; 12+ messages in thread
From: Payal Rathod @ 2004-07-09 3:49 UTC (permalink / raw)
To: netfilter
Hi,
Is there any different way to do MASQUERADE in kernel 2.6.3-7 with
iptables v1.2.9?
I get,
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables: Invalid argument
A quick look at the man page did not suggest anything.
Any ideas to what is missing?
With warm regards,
-Payal
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: MASQUERADE
2004-07-09 3:49 MASQUERADE Payal Rathod
@ 2004-07-09 10:35 ` Erik Wikström
2004-07-09 10:51 ` MASQUERADE Antony Stone
2004-07-09 15:48 ` MASQUERADE Payal Rathod
0 siblings, 2 replies; 12+ messages in thread
From: Erik Wikström @ 2004-07-09 10:35 UTC (permalink / raw)
To: netfilter
On Fri, Jul 09, 2004 at 09:19:58AM +0530, Payal Rathod wrote:
> Hi,
> Is there any different way to do MASQUERADE in kernel 2.6.3-7 with
> iptables v1.2.9?
> I get,
>
> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables: Invalid argument
>
> A quick look at the man page did not suggest anything.
> Any ideas to what is missing?
>
> With warm regards,
> -Payal
>
First of all I'd like to say that I'm in no way an expert but are you
sure that you have the right stuff compiled in kernel or as modules? In
2.6.7 I had to select to compile MASQUERADE in the kernel, same thing
with the mangle table if I remember correctly.
--
Erik Wikström
* Re: MASQUERADE
2004-07-09 10:35 ` MASQUERADE Erik Wikström
@ 2004-07-09 10:51 ` Antony Stone
2004-07-09 11:25 ` MASQUERADE Wilfried
2004-07-12 18:45 ` MASQUERADE Payal Rathod
2004-07-09 15:48 ` MASQUERADE Payal Rathod
1 sibling, 2 replies; 12+ messages in thread
From: Antony Stone @ 2004-07-09 10:51 UTC (permalink / raw)
To: netfilter
On Friday 09 July 2004 11:35 am, Erik Wikström wrote:
> On Fri, Jul 09, 2004 at 09:19:58AM +0530, Payal Rathod wrote:
> > Hi,
> > Is there any different way to do MASQUERADE in kernel 2.6.3-7 with
> > iptables v1.2.9?
> > I get,
> >
> > # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > iptables: Invalid argument
> >
> > A quick look at the man page did not suggest anything.
> > Any ideas to what is missing?
>
> First of all I'd like to say that I'm in no way an expert but are you
> sure that you have the right stuff compiled in kernel or as modules? In
> 2.6.7 I had to select to compile MASQUERADE in the kernel, same thing
> with the mangle table if I remember correctly.
I see no reason not to compile everything you need for netfilter into the
kernel (instead of building as modules). That way you know all the support
is there from bootup, nothing can be removed through forgetfulness or malice,
and you don't have to worry about whether A depends on B, depends on C, etc..
Sure, if you want to use a new feature you didn't previously build, you need
to recompile the kernel and do a reboot, but in most cases that should be (a)
infrequent, and (b) pretty simple.
Regards,
Antony.
--
In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
the mechanics are German, the lovers are French, the entertainment is
American, and everything is organised by the Swiss.
In Hell, the police are German, the chefs are British, the beer is American,
the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
and everything is organised by the Italians.
Please reply to the list;
please don't CC me.
* Re: MASQUERADE
2004-07-09 10:51 ` MASQUERADE Antony Stone
@ 2004-07-09 11:25 ` Wilfried
2004-07-12 18:45 ` MASQUERADE Payal Rathod
1 sibling, 0 replies; 12+ messages in thread
From: Wilfried @ 2004-07-09 11:25 UTC (permalink / raw)
To: netfilter
Thanx to both of you for these answers.
Here is my goal: install iptables 1.2.11 on Fedora Core 2.
I need new features that are not in the original package.
What I don't understand is why I can't compile it on my system.
It also says it has a problem with /usr/include/linux/autoconf.h, which is a
file from the glibc_kernheaders package.
This is up to date!
Well well.
I don't know what to do! It is not the first time that I have compiled
iptables, even if my previous experiences were with the 2.4 kernel.
Wilfried
On Fri, 9 Jul 2004, Antony Stone wrote:
> On Friday 09 July 2004 11:35 am, Erik Wikström wrote:
>
>> On Fri, Jul 09, 2004 at 09:19:58AM +0530, Payal Rathod wrote:
>>> Hi,
>>> Is there any different way to do MASQUERADE in kernel 2.6.3-7 with
>>> iptables v1.2.9?
>>> I get,
>>>
>>> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>> iptables: Invalid argument
>>>
>>> A quick look at the man page did not suggest anything.
>>> Any ideas to what is missing?
>>
>> First of all I'd like to say that I'm in no way an expert but are you
>> sure that you have the right stuff compiled in kernel or as modules? In
>> 2.6.7 I had to select to compile MASQUERADE in the kernel, same thing
>> with the mangle table if I remember correctly.
>
> I see no reason not to compile everything you need for netfilter into the
> kernel (instead of building as modules). That way you know all the support
> is there from bootup, nothing can be removed through forgetfulness or malice,
> and you don't have to worry about whether A depends on B, depends on C, etc..
>
> Sure, if you want to use a new feature you didn't previously build, you need
> to recompile the kernel and do a reboot, but in most cases that should be (a)
> infrequent, and (b) pretty simple.
>
> Regards,
>
> Antony.
>
> --
> In Heaven, the police are British, the chefs are Italian, the beer is Belgian,
> the mechanics are German, the lovers are French, the entertainment is
> American, and everything is organised by the Swiss.
>
> In Hell, the police are German, the chefs are British, the beer is American,
> the mechanics are French, the lovers are Swiss, the entertainment is Belgian,
> and everything is organised by the Italians.
>
> Please reply to the list;
> please don't CC me.
>
>
>
* Re: MASQUERADE
2004-07-09 10:35 ` MASQUERADE Erik Wikström
2004-07-09 10:51 ` MASQUERADE Antony Stone
@ 2004-07-09 15:48 ` Payal Rathod
1 sibling, 0 replies; 12+ messages in thread
From: Payal Rathod @ 2004-07-09 15:48 UTC (permalink / raw)
To: netfilter
Hi,
On Fri, 9 Jul 2004 12:35:13 +0200, Erik Wikström
> First of all I'd like to say that I'm in no way an expert but are you
> sure that you have the right stuff compiled in kernel or as modules? In
> 2.6.7 I had to select to compile MASQUERADE in the kernel, same thing
> with the mangle table if I remember correctly.
I used the default RPM package which came with the Mandrake 10.0
official distro.
-Payal
* Re: MASQUERADE
2004-07-09 10:51 ` MASQUERADE Antony Stone
2004-07-09 11:25 ` MASQUERADE Wilfried
@ 2004-07-12 18:45 ` Payal Rathod
1 sibling, 0 replies; 12+ messages in thread
From: Payal Rathod @ 2004-07-12 18:45 UTC (permalink / raw)
To: netfilter
Hi,
On Fri, 9 Jul 2004 11:51:01 +0100, Antony Stone
<antony@soft-solutions.co.uk> wrote:
> Sure, if you want to use a new feature you didn't previously build, you need
> to recompile the kernel and do a reboot, but in most cases that should be (a)
The issue was that iptables was not started (???). I had to do
/etc/init.d/iptables start and then it worked pretty well.
Now any ideas why?
-Payal
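The two symptoms in this thread (a kernel or module set that lacks the MASQUERADE target, and netfilter support that is simply not loaded until the iptables init script runs) can be told apart before the rule is added. The POSIX shell script below is an added example, not code from the thread or from any distribution's init script. It reads the kernel config, lsmod output and /proc/net/ip_tables_targets; every function accepts an alternative file path so the checks can be run against captured copies of those files. The config symbol CONFIG_IP_NF_TARGET_MASQUERADE and the module names ipt_MASQUERADE (older kernels) and xt_MASQUERADE (current kernels) are real kernel names; the MASQ_DIAG_NO_MAIN variable is this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose why "-j MASQUERADE" might be
# rejected. Checks, in order, whether the kernel was configured with the
# MASQUERADE target, whether that module is loaded, and whether the target is
# registered with the ip_tables core. Each function takes an optional file
# argument; the defaults are the real kernel locations.

# Kernel build option: prints "y" (built in), "m" (module), "n" (not built)
# or "unknown" when no config file is readable.
masq_config_mode() {
    config_file="${1:-/boot/config-$(uname -r)}"
    [ -r "$config_file" ] || { echo unknown; return 0; }
    mode=$(sed -n 's/^CONFIG_IP_NF_TARGET_MASQUERADE=//p' "$config_file")
    if [ -n "$mode" ]; then echo "$mode"; else echo n; fi
}

# Module presence: the target lives in ipt_MASQUERADE on older kernels and in
# xt_MASQUERADE on current ones. Reads lsmod-style output (module name first).
masq_module_loaded() {
    if [ -n "$1" ]; then modules=$(cat "$1"); else modules=$(lsmod 2>/dev/null || true); fi
    printf '%s\n' "$modules" | grep -Eq '^(ipt|xt)_MASQUERADE[[:space:]]'
}

# Registration: /proc/net/ip_tables_targets lists every target the ip_tables
# core currently knows, one name per line. It only exists once ip_tables
# itself is loaded, which is what "/etc/init.d/iptables start" takes care of.
masq_target_registered() {
    targets_file="${1:-/proc/net/ip_tables_targets}"
    [ -r "$targets_file" ] && grep -qx 'MASQUERADE' "$targets_file"
}

# One verdict per check for the operator, built from the functions above.
# Arguments: [config file] [lsmod capture] [targets file], all optional.
masq_diagnose() {
    mode=$(masq_config_mode "$1")
    case "$mode" in
        y) echo "MASQUERADE is built into the kernel" ;;
        m) if masq_module_loaded "$2"; then
               echo "MASQUERADE module is loaded"
           else
               echo "MASQUERADE is a module but not loaded: load it or start the iptables service"
           fi ;;
        n) echo "kernel was built without CONFIG_IP_NF_TARGET_MASQUERADE: rebuild" ;;
        *) echo "kernel config not readable; relying on runtime checks" ;;
    esac
    if masq_target_registered "$3"; then
        echo "target registered with ip_tables: -j MASQUERADE should be accepted"
    else
        echo "target not registered: ip_tables/iptable_nat not loaded or target missing"
    fi
}

# Stand-alone use: diagnose the live system. Set MASQ_DIAG_NO_MAIN to skip.
[ "${MASQ_DIAG_NO_MAIN:-}" ] || masq_diagnose
```

Run as root on the affected host it prints one line per check; when the rule is refused with "Invalid argument", the last line separates a target that is absent from the kernel from one that is merely not loaded yet, which is the distinction the thread ended up making by hand.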
* masquerade
@ 2004-10-13 16:41 Janos Makadi
2004-10-14 12:36 ` masquerade Jason Opperisano
0 siblings, 1 reply; 12+ messages in thread
From: Janos Makadi @ 2004-10-13 16:41 UTC (permalink / raw)
To: netfilter
Hi,
I'm an absolute newbie to netfilter, but last year I set up my Debian
firewall. I thought its configuration was correct, but yesterday I found
http://audiymypc.com which shows my real IP address, which I wanted to
hide. It shows the correct address too, but it seems my real local
address is visible on the internet somehow.
This is my configuration:
# Generated by iptables-save v1.2.8 on Thu Nov 27 22:19:07 2003
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Nov 27 22:19:07 2003
# Generated by iptables-save v1.2.8 on Thu Nov 27 22:19:07 2003
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
[0:0] -A INPUT -j block
[0:0] -A FORWARD -j block
[0:0] -A block -i eth1 -p TCP -m state --state NEW -j ULOG --ulog-nlgroup 1 --ulog-prefix "Dropped TCP packet:"
[0:0] -A block -i eth1 -p ICMP -m state --state NEW,RELATED -j ULOG --ulog-nlgroup 1 --ulog-prefix "Dropped ICMP packet:"
[0:0] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A block -i ! eth1 -m state --state NEW -j ACCEPT
[0:0] -A block -j DROP
COMMIT
# Completed on Thu Nov 27 22:19:07 2003
What did I do wrong?
THX
kernel is vanilla 2.4.25-rc2
iptables is 1.2.9
* Re: masquerade
2004-10-13 16:41 masquerade Janos Makadi
@ 2004-10-14 12:36 ` Jason Opperisano
2004-10-14 17:19 ` masquerade Makadi Janos
0 siblings, 1 reply; 12+ messages in thread
From: Jason Opperisano @ 2004-10-14 12:36 UTC (permalink / raw)
To: netfilter
On Wed, 2004-10-13 at 12:41, Janos Makadi wrote:
> Hi,
>
> I'm an absolute newbie to netfilter, but last year I set up my Debian
> firewall. I thought its configuration was correct, but yesterday I found
> http://audiymypc.com which shows my real IP address, which I wanted to
> hide. It shows the correct address too, but it seems my real local
> address is visible on the internet somehow.
disable java in your web browser and re-run the test--they won't be able
to find your real IP address anymore. they're probably either using
this code directly, or a similar technique:
http://reglos.de/myaddress/MyAddress.html
none of this has anything to do with the configuration of your firewall.
-j
--
Jason Opperisano <opie@817west.com>
* Re: masquerade
2004-10-14 12:36 ` masquerade Jason Opperisano
@ 2004-10-14 17:19 ` Makadi Janos
0 siblings, 0 replies; 12+ messages in thread
From: Makadi Janos @ 2004-10-14 17:19 UTC (permalink / raw)
To: netfilter
Jason Opperisano wrote:
> disable java in your web browser and re-run the test--they won't be able
> to find your real IP address anymore. they're probably either using
> this code directly, or a similar technique:
Thank you for your answer. What you suggest is working. I have to check
my browser settings more carefully.
THX
Janos Makadi
* RE: masquerade
@ 2004-10-14 20:08 Hudson Delbert J Contr 61 CS/SCBN
0 siblings, 0 replies; 12+ messages in thread
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-10-14 20:08 UTC (permalink / raw)
To: 'Jason Opperisano', netfilter
I'd suggest that Jason is 'spot-on' as far as the Java is concerned.
I learned several years ago that some developers sometimes (hopefully not
anymore) build modules in the dark as regards how networks work.
I know of one particularly nasty application (in terms of proxy / fwalls), a
5280/3780 emulator that called an applet that would stuff the workstation IP
address in the DATA payload of packets before it would even leave the
application. This obviously would have been hidden from the proxy, as the
packet would always get passed to the distant end, where Java would un-encaps
that packet and use the IP address loaded into the data portion of the packet
and try to 'catch a ride' back to the client using that address in the header.
The proxy would block the packet as it would not get a match in the connection
table, thus it would get dropped by fwtk. The fallout of course being retrans
and timeouts and customers blaming everyone but the guys who wrote the
application.
~piranha
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org]On Behalf Of Jason
Opperisano
Sent: Thursday, October 14, 2004 5:36 AM
To: netfilter@lists.netfilter.org
Subject: Re: masquerade
On Wed, 2004-10-13 at 12:41, Janos Makadi wrote:
> Hi,
>
> I'm an absolute newbie to netfilter, but last year I set up my Debian
> firewall. I thought its configuration was correct, but yesterday I found
> http://audiymypc.com which shows my real IP address, which I wanted to
> hide. It shows the correct address too, but it seems my real local
> address is visible on the internet somehow.
disable java in your web browser and re-run the test--they won't be able
to find your real IP address anymore. they're probably either using
this code directly, or a similar technique:
http://reglos.de/myaddress/MyAddress.html
none of this has anything to do with the configuration of your firewall.
-j
--
Jason Opperisano <opie@817west.com>
* masquerade
@ 2020-02-05 15:20 Serguei Bezverkhi (sbezverk)
2020-02-05 15:41 ` masquerade Florian Westphal
0 siblings, 1 reply; 12+ messages in thread
From: Serguei Bezverkhi (sbezverk) @ 2020-02-05 15:20 UTC (permalink / raw)
To: netfilter-devel@vger.kernel.org
Hello,
I was addressing the Kubernetes hairpin case, when a container connects to itself via an exposed service.
Example: a pod with IP 1.1.1.1 listening on TCP port 8080 and exposed via service 2.2.2.2:8080. If curl is run from inside the pod, like curl http://2.2.2.2:8080, then the packet would first be DNATed to 1.1.1.1:8080 and then its source needs to be masqueraded. In the iptables implementation it seems it is automatically masqueraded to the host's IP, whereas in nftables (all rules are equivalent) the source gets masqueraded into the pod's interface.
I would appreciate it if somebody could confirm this behavior and the difference in masquerading between iptables and nftables for containers.
Thank you
Serguei
* Re: masquerade
2020-02-05 15:20 masquerade Serguei Bezverkhi (sbezverk)
@ 2020-02-05 15:41 ` Florian Westphal
0 siblings, 0 replies; 12+ messages in thread
From: Florian Westphal @ 2020-02-05 15:41 UTC (permalink / raw)
To: Serguei Bezverkhi (sbezverk); +Cc: netfilter-devel@vger.kernel.org
Serguei Bezverkhi (sbezverk) <sbezverk@cisco.com> wrote:
> Hello,
>
> I was addressing the Kubernetes hairpin case, when a container connects to itself via an exposed service.
>
> Example: a pod with IP 1.1.1.1 listening on TCP port 8080 and exposed via service 2.2.2.2:8080. If curl is run from inside the pod, like curl http://2.2.2.2:8080, then the packet would first be DNATed to 1.1.1.1:8080 and then its source needs to be masqueraded. In the iptables implementation it seems it is automatically masqueraded to the host's IP, whereas in nftables (all rules are equivalent) the source gets masqueraded into the pod's interface.
>
> I would appreciate it if somebody could confirm this behavior and the difference in masquerading between iptables and nftables for containers.
They have the same behaviour. The MASQUERADE target (xtables) and nft
masquerade are frontends for the same code.
The address masqueraded to is the primary address of the outgoing interface.
nftables masquerade code:

    static void nft_masq_ipv4_eval(const struct nft_expr *expr,
                                   struct nft_regs *regs,
                                   const struct nft_pktinfo *pkt)
    {
            struct nft_masq *priv = nft_expr_priv(expr);
            struct nf_nat_range2 range;

            memset(&range, 0, sizeof(range));
            range.flags = priv->flags;
            if (priv->sreg_proto_min) {
                    range.min_proto.all = (__force __be16)nft_reg_load16(
                            &regs->data[priv->sreg_proto_min]);
                    range.max_proto.all = (__force __be16)nft_reg_load16(
                            &regs->data[priv->sreg_proto_max]);
            }
            regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
                                                        &range, nft_out(pkt));
    }

... and the xtables one:

    static unsigned int
    masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
    {
            struct nf_nat_range2 range;
            const struct nf_nat_ipv4_multi_range_compat *mr;

            mr = par->targinfo;
            range.flags = mr->range[0].flags;
            range.min_proto = mr->range[0].min;
            range.max_proto = mr->range[0].max;

            return nf_nat_masquerade_ipv4(skb, xt_hooknum(par), &range,
                                          xt_out(par));
    }

As you can see, both use the same function, except nft feeds the arguments
from nftables registers and x_tables uses the target's arguments from the
iptables command line.