From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: FW: CONNMARK and ip rule fwmark
Date: Tue, 01 Apr 2008 01:27:28 -0500
Message-ID: <47F1D5D0.4060406@riverviewtech.net>
In-Reply-To: <6F83141C27C94F17A967258DC5CC1A1A@shs1>
On 3/31/2008 2:07 AM, Steffen Heil wrote:
> Can you think of any reason SYN ACK packets are not seen at ANY
> tables in my case? I see the syn packet and I know the service is
> running at that port!
What are the following files set to on your system?
/proc/sys/net/ipv4/conf/*/rp_filter
/proc/sys/net/ipv4/ip_forward
/proc/sys/net/ipv4/conf/*/log_martians
The more I think about what you are seeing, packets come in to your
system but do not make it to IPTables, the more I think that reverse path
filter is on (set to 1) and filtering out the packets that you are
trying to work with.
Consider the configuration below:
+---+
| C |
+-+-+
:
:
+---+ +---+
| +- - x - -+ |
+-+-+ +-+-+
a b
D D
| |
e e
A B
+-+-+ +-+-+
| A +-oA-(OpenVPN)-oB-+ B |
+---+ +---+
When client C connects to eB, which is port forwarded to oA, A will see
the traffic as being from C to oA. A would route traffic to C out via
eA, not oA. If Reverse Path Filtering (a.k.a. RPF) (rp_filter) is
turned on (set to 1) then the kernel on A will drop the traffic as it is
coming in to the system as a martian. If RPF is not turned on (set to
0) then the kernel will route the packets without any regard to the
source / destination IP address.
I'd suggest that you enable logging of martians (set log_martians to 1)
and check the syslog for reports of martians / dropped packets.
Grant. . . .
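The reverse-path decision Grant describes, as an added example that is not part of the mail thread: a small Python simulation of host A's routing table and the kernel's source validation. Addresses, the routing table and the interface names eA/oA are constructed for illustration; rp_filter values follow the kernel documentation (0 = off, 1 = strict, and 2 = loose, which the mail does not mention). The check runs at the routing decision, after the PREROUTING hooks, which is consistent with seeing the SYN in PREROUTING but never a SYN-ACK.

```python
# Added example (not from the mail): simulate Linux reverse-path
# filtering (rp_filter) on host A for a packet from client C that
# arrives through the OpenVPN interface oA.
import ipaddress

# Constructed routing table for host A: (prefix, egress interface).
ROUTES_A = [
    ("0.0.0.0/0", "eA"),        # default route: everything else leaves via eA
    ("203.0.113.0/24", "eA"),   # A's external LAN (constructed)
    ("10.8.0.0/24", "oA"),      # OpenVPN tunnel network between A and B (constructed)
]


def lookup_egress(routes, dst):
    """Longest-prefix match: the interface A would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rpf_verdict(routes, src, ingress, rp_filter):
    """Decide whether source validation accepts a packet from src on ingress.

    rp_filter=0: no check.  rp_filter=1 (strict): the route back to src
    must leave via the ingress interface.  rp_filter=2 (loose): src only
    has to be reachable via some interface.  Returns (verdict, reason).
    """
    if rp_filter == 0:
        return "accept", "rp_filter=0: source address not validated"
    back = lookup_egress(routes, src)
    if back is None:
        return "drop", f"no route back to {src}"
    if rp_filter == 2:
        return "accept", f"loose mode: {src} is reachable via {back}"
    if back != ingress:
        return "drop", (f"martian: reply to {src} would leave via {back}, "
                        f"but the packet arrived on {ingress}")
    return "accept", f"strict mode: {src} is reachable via {ingress}"


def martian_log_line(src, dst, dev):
    """Shape of the kernel message produced when log_martians=1
    (kernel puts the destination first, then the source)."""
    return f"martian source {dst} from {src}, on dev {dev}"


if __name__ == "__main__":
    client_c = "198.51.100.7"   # constructed address for client C
    vpn_oa = "10.8.0.1"         # constructed address of A's oA interface
    for rp in (1, 0, 2):
        verdict, reason = rpf_verdict(ROUTES_A, client_c, "oA", rp)
        print(f"rp_filter={rp}: {verdict} ({reason})")
    print("expect in syslog:", martian_log_line(client_c, vpn_oa, "oA"))
```

With rp_filter=1 the packet from C is dropped at the routing step because A's route back to C points at eA, not oA; with rp_filter=0 it is accepted, and with loose mode (2) it is accepted because C is reachable through some interface. The last line shows the string to look for in syslog once log_martians is set to 1.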