From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Roman Fiedler <roman.fiedler@telbiomed.at>
Cc: netfilter@vger.kernel.org
Subject: Re: [nf-failover] conntrack questions
Date: Tue, 11 Mar 2008 12:48:27 +0100
Message-ID: <47D6718B.8000905@netfilter.org>
In-Reply-To: <47BED5AF.3020006@telbiomed.at>

Roman Fiedler wrote:
> Hello Everyone,
> 
> I have some problems using the conntrack application; it could be that I'm just 
> using the conntrack options the wrong way or that my assumptions about conntracking itself 
> are wrong.
> 
> Testcase:
> 
> * Two networks 10.0.0.0/24 and 10.0.1.0/24 separated by firewall
> * iptables firewall drops all tcp-SYN net A to B and writes log file entry
> * some DROPS are interesting, so I grep info about them from logfile 
> (src,dest,ports)
> * with the conntrack tool I want to create a conntrack table entry so that the 
> connection is accepted and the following SYN is SNATed/DNATed to a given IP 
> (currently also in net A, but that could be changed)
> 
> Is this possible? My iptables setup should accept all RELATED,ESTABLISHED 
> packets by default and the conntrack entry should set the natting for this 
> single connection and make it ACCEPTED.
> 
> Currently, when I add the connection with the following (for testing, the src port is fixed to 
> 1234 and dest to 25; test host is 138, forbidden target 1.10, reroute host 0.77):
> 
> conntrack -I conntrack -p tcp --orig-src 10.0.0.138 --orig-dst 10.0.1.10 
> --reply-src 10.0.0.77 --reply-dst 10.0.0.1 --orig-port-src 1234 --orig-port-dst 
> 25 --reply-port-src 25 --reply-port-dst 1234 --state SYN_SENT -u ASSURED -t 10 
> --src-nat 10.0.0.1 --dst-nat 10.0.0.77
> 
> With this rule, the rule hit counter is incremented when sending a SYN, but ulogd 
> still reports a DROP:
> 
> tcp      6 117 SYN_SENT src=10.0.0.138 dst=10.0.1.10 sport=1234 dport=25 
> packets=1 bytes=60 [UNREPLIED] src=10.0.0.77 dst=10.0.0.1 sport=25 dport=1234 
> packets=0 bytes=0 [ASSURED] mark=0 use=1
> 
> ulog output:
> Feb 22 12:39:17 firewall-grz-0 Shorewall:FORWARD:DROP: IN=eth0 OUT=eth1 MAC=00 
> SRC=10.0.0.138 DST=10.0.1.10 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=61556 CE DF 
> PROTO=TCP SPT=1234 DPT=25 SEQ=2694492256 ACK=0 WINDOW=5840 SYN URGP=0
> 
> When using LISTEN instead of SYN_SENT, the packets/bytes counter does not go up, 
> but also no drop is reported and the packet does not leave via any interface.
> 
> Can someone give me a hint where I am wrong?

Sorry, to be honest, I don't understand what you're doing. Please,
elaborate a bit more.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers
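As an added example (not part of this thread and not code from conntrack-tools), the following Python takes the ulogd DROP line and the conntrack table entry quoted in the message above, rebuilds the `conntrack -I` command line from the dropped SYN's tuple, and checks that an entry read back from `conntrack -L` has the dropped SYN as its original tuple and a reply tuple consistent with the requested SNAT/DNAT mapping. Only the log format, the table format and the conntrack flags are taken from the message; the function names and the SNAT/DNAT addresses passed in are assumptions for illustration.

```python
import re

# Constructed fixtures: the ulogd DROP line and the conntrack table entry
# quoted in the message above, joined back onto single lines.
ULOG_LINE = (
    "Feb 22 12:39:17 firewall-grz-0 Shorewall:FORWARD:DROP: IN=eth0 OUT=eth1 MAC=00 "
    "SRC=10.0.0.138 DST=10.0.1.10 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=61556 CE DF "
    "PROTO=TCP SPT=1234 DPT=25 SEQ=2694492256 ACK=0 WINDOW=5840 SYN URGP=0"
)
CT_LINE = (
    "tcp      6 117 SYN_SENT src=10.0.0.138 dst=10.0.1.10 sport=1234 dport=25 "
    "packets=1 bytes=60 [UNREPLIED] src=10.0.0.77 dst=10.0.0.1 sport=25 dport=1234 "
    "packets=0 bytes=0 [ASSURED] mark=0 use=1"
)

# KEY=value tokens as written by the netfilter LOG target / ulogd and by conntrack -L.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_ulog_drop(line):
    """Return the dropped TCP SYN's tuple as a dict, or None for lines that are
    not DROPs of a TCP SYN (hypothetical helper name)."""
    if ":DROP:" not in line:
        return None
    kv = dict(KV_RE.findall(line))
    bare_flags = {tok for tok in line.split() if "=" not in tok}  # SYN, DF, CE, ...
    if kv.get("PROTO") != "TCP" or "SYN" not in bare_flags:
        return None
    return {"proto": "tcp", "src": kv["SRC"], "dst": kv["DST"],
            "sport": int(kv["SPT"]), "dport": int(kv["DPT"])}


def build_conntrack_insert(flow, snat_to, dnat_to, state="SYN_SENT", timeout=10):
    """argv for the conntrack(8) invocation from the message. The original
    direction is the dropped SYN; the reply direction is what the rerouted host
    sends back after DNAT to dnat_to and SNAT to snat_to, so it is the original
    tuple mirrored with both NAT addresses substituted."""
    s = str
    return ["conntrack", "-I", "conntrack", "-p", flow["proto"],
            "--orig-src", flow["src"], "--orig-dst", flow["dst"],
            "--reply-src", dnat_to, "--reply-dst", snat_to,
            "--orig-port-src", s(flow["sport"]), "--orig-port-dst", s(flow["dport"]),
            "--reply-port-src", s(flow["dport"]), "--reply-port-dst", s(flow["sport"]),
            "--state", state, "-u", "ASSURED", "-t", s(timeout),
            "--src-nat", snat_to, "--dst-nat", dnat_to]


def parse_conntrack_entry(line):
    """Parse one `conntrack -L` line: proto, remaining timeout, optional state,
    the original and reply tuples (first and second src/dst/sport/dport group)
    and the bracketed flags such as [UNREPLIED] and [ASSURED]."""
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])
    # TCP entries carry a state word after the timeout; other protocols may not.
    state = tokens[3] if "=" not in tokens[3] and not tokens[3].startswith("[") else None
    tuples, cur = [], {}
    for key, val in KV_RE.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            cur[key] = int(val) if key.endswith("port") else val
            if len(cur) == 4:
                tuples.append(cur)
                cur = {}
    flags = set(re.findall(r"\[([A-Z_]+)\]", line))
    return {"proto": proto, "timeout": timeout, "state": state,
            "orig": tuples[0], "reply": tuples[1], "flags": flags}


def entry_covers_flow(entry, flow, snat_to, dnat_to):
    """True if the entry's original tuple is the dropped SYN and its reply tuple
    is the one the requested SNAT/DNAT mapping would produce."""
    orig_ok = all(entry["orig"][k] == flow[k] for k in ("src", "dst", "sport", "dport"))
    reply_ok = entry["reply"] == {"src": dnat_to, "dst": snat_to,
                                  "sport": flow["dport"], "dport": flow["sport"]}
    return entry["proto"] == flow["proto"] and orig_ok and reply_ok


if __name__ == "__main__":
    flow = parse_ulog_drop(ULOG_LINE)
    print(" ".join(build_conntrack_insert(flow, "10.0.0.1", "10.0.0.77")))
    entry = parse_conntrack_entry(CT_LINE)
    print(entry["state"], sorted(entry["flags"]),
          entry_covers_flow(entry, flow, "10.0.0.1", "10.0.0.77"))
```

The script only builds the argv and parses text; actually inserting the entry needs root and conntrack-tools on the firewall. Since an entry inserted from a log-derived tuple lets that one flow through the RELATED,ESTABLISHED rule, treat the parsed tuple as operator input and check it against whatever allow rules apply before it is inserted.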

Thread overview: 2+ messages
     [not found] <47BED5AF.3020006@telbiomed.at>
2008-03-11 11:48 ` Pablo Neira Ayuso [this message]
2008-03-11 14:57   ` [nf-failover] conntrack questions Roman Fiedler