* Failed to establish TCP connection when Masquerading
@ 2007-04-20 14:45 Simon Olofsson
  2007-04-20 18:50 ` Pascal Hambourg
  0 siblings, 1 reply; 2+ messages in thread
From: Simon Olofsson @ 2007-04-20 14:45 UTC (permalink / raw)
  To: netfilter

Hi,
I have a problem with my configuration that I need some help with.

The host I am using has two interfaces, one ethernet interface and
one ppp interface.

I would like all traffic to use the ethernet interface except traffic
from a specific user. I would like the traffic from this specific user
to use the ppp interface.

When I try to establish a TCP connection from the specified user I see
that the syn packet is sent out on the correct interface with the
correct source address and the syn,ack is received, but it seems like
the syn,ack is lost somewhere on my host because a new syn is sent
after a while.

What is missing?
/Simon


My configuration:

# Add rule that marked traffic shall use the table
ip rule add prio 200 fwmark 1 table 1

# Add default route to a new routing table.
ip route add default dev ppp0 tab 1

# Add NAT to ppp interface
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Specify which packets should use the table specified above.
iptables -t mangle -A OUTPUT -m owner --uid-owner tcg -j MARK --set-mark 1

NAT table:
Chain PREROUTING (policy ACCEPT 148 packets, 7512 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 113 packets, 11828 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 164 packets, 14983 bytes)
pkts bytes target     prot opt in     out     source               destination


MANGLE table:
Chain PREROUTING (policy ACCEPT 217K packets, 61M bytes)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 223K packets, 61M bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 281K packets, 38M bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           OWNER UID match 1000 MARK set 0x1

Chain POSTROUTING (policy ACCEPT 281K packets, 38M bytes)
pkts bytes target     prot opt in     out     source               destination

ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:40:63:E8:11:6A
          inet addr:192.168.115.4  Bcast:192.168.115.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:233357 errors:0 dropped:0 overruns:0 frame:0
          TX packets:269612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:64151807 (61.1 Mb)  TX bytes:40208375 (38.3 Mb)
          Interrupt:16 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1468 (1.4 Kb)  TX bytes:1468 (1.4 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.145.56.112  P-t-P:10.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:9 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:84 (84.0 b)  TX bytes:96 (96.0 b)


ip rule show:
0: from all lookup local
200: from all fwmark 0x1 lookup 1
32766: from all lookup main
32767: from all lookup default


route:
10.0.0.2 dev ppp0  proto kernel  scope link  src 10.145.56.112
192.168.115.0/24 dev eth0  proto kernel  scope link  src 192.168.115.4
default via 192.168.115.1 dev eth0


ip route show table 1:
default dev ppp0  scope link



* Re: Failed to establish TCP connection when Masquerading
  2007-04-20 14:45 Failed to establish TCP connection when Masquerading Simon Olofsson
@ 2007-04-20 18:50 ` Pascal Hambourg
  0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2007-04-20 18:50 UTC (permalink / raw)
  To: netfilter

Hello,

Simon Olofsson wrote:
> 
> I would like all traffic to use the ethernet interface except traffic
> from a specific user. I would like the traffic from this specific user
> to use the ppp interface.
> 
> When I try to establish a TCP connection from the specified user I see
> that the syn packet is sent out on the correct interface with the
> correct source address and the syn,ack is received, but it seems like
> the syn,ack is lost somewhere on my host because a new syn is sent
> after a while.
> 
> What is missing?

Check that source validation by reversed path is disabled at least for 
the PPP interface (/proc/sys/net/ipv4/conf/ppp0/rp_filter=0 or 
/proc/sys/net/ipv4/conf/all/rp_filter=0).
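The check Pascal points at, as an added example that is not part of either message: it verifies reverse-path filtering for the PPP interface and re-applies Simon's routing commands idempotently. The user name, mark, table number and interface come from the original post; PROC_ROOT is an assumption added so the check can be run against a copy of the sysctl tree, and `iptables -C` assumes iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example: per-user policy routing from the thread plus an rp_filter
# check. PROC_ROOT is an assumption (defaults to the real sysctl tree).
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4/conf}"
IFACE="${IFACE:-ppp0}"
MARK=1        # fwmark set by the mangle OUTPUT rule
TABLE=1       # routing table holding "default dev ppp0"
RT_USER="tcg" # user whose traffic must leave via ppp0

# Print rp_filter for one interface directory ("missing" if unreadable).
rp_filter_value() {
    cat "$PROC_ROOT/$1/rp_filter" 2>/dev/null || echo missing
}

# Succeed only when reverse-path filtering cannot drop replies on $1.
# In strict mode the SYN/ACK arriving on ppp0 is validated against the main
# table, where its source routes back via eth0, so the packet is discarded
# and the client retransmits the SYN. Both "all" and the interface entry
# are checked because the kernel combines the two (current kernels take the
# maximum), so clearing only one of them is not enough on every kernel.
rp_filter_ok() {
    for d in all "$1"; do
        case "$(rp_filter_value "$d")" in
            0|2) ;;          # disabled or loose: reply is accepted
            *) return 1 ;;   # strict (1) or unreadable: treat as failing
        esac
    done
    return 0
}

# The commands from the original post, made safe to run more than once.
apply_policy_routing() {
    hexmark=$(printf '0x%x' "$MARK")
    ip rule show | grep -q "fwmark $hexmark lookup $TABLE" ||
        ip rule add prio 200 fwmark "$MARK" table "$TABLE"
    ip route replace default dev "$IFACE" table "$TABLE"
    iptables -t nat -C POSTROUTING -o "$IFACE" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
    iptables -t mangle -C OUTPUT -m owner --uid-owner "$RT_USER" \
        -j MARK --set-mark "$MARK" 2>/dev/null ||
        iptables -t mangle -A OUTPUT -m owner --uid-owner "$RT_USER" \
            -j MARK --set-mark "$MARK"
}

case "${1:-}" in
    apply) apply_policy_routing ;;
    check) rp_filter_ok "$IFACE" && echo "rp_filter ok on $IFACE" ||
           { echo "strict rp_filter on $IFACE or all: replies dropped"; exit 1; } ;;
esac
```

Run it with `check` before `apply`; on kernels that support loose mode, value 2 keeps some anti-spoofing protection while still accepting the asymmetric replies.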


