conntrack -L shows an entry, conntrack -G doesn't

conntrack -L shows an entry, conntrack -G doesn't

[synapse]

Hello

I have a machine which redirects all connections going out to any tcp 22
port to
localhost tcp port 12345.

My little daemon that listens on port 12345 gives me this info:

    Connection accepted peer ip: 192.168.13.12, peer port: 49939, host ip:
192.168.13.12, host port:12345

cat /proc/net/conntrack
Shows the connection, and also does conntrack -L. However the same command
with -G
returns with an error:

root@test:~# conntrack -L -s 192.168.13.12 -q 192.168.13.12 -p tcp
--orig-port-src
49939 --reply-port-src 12345
    tcp      6 431950 ESTABLISHED src=192.168.13.12 dst=217.20.131.2
sport=49939
dport=22 packets=2 bytes=112 src=127.0.0.1
    dst=192.168.13.12     sport=12345 dport=49939 packets=1 bytes=60
[ASSURED]
mark=0 use=1

root@test:~# conntrack -G -s 192.168.13.12 -q 192.168.13.12 -p tcp
--orig-port-src
49939 --reply-port-src 12345
    Operation failed: such conntrack doesn't exist

The redirection is done as:

    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z

    iptables -t nat -A OUTPUT -p tcp --destination-port 22 -j REDIRECT
--to-ports 1234

I am using the latest ubuntu btw (upgraded fully), with versions:
    conntrack                           1.00~beta2-1
    libnetfilter-conntrack-dev          0.0.81-1
    libnetfilter-conntrack1             0.0.81-1

Basically I am clueless here as to why -L shows the connection and -G
doesn't. My
goal is to
transparently proxy outgoing connections through my program. Therefore I
need to detect
what its' original destination would be from the information seen by the
program on
12345.

My questions:
 - Is that even possible? Please say yes :)
 - Am I doing something wrong?
 - Is it a bug?

I'm contacting you, since user "jengelh" on the #netfilter channel
(freenode) told
me that
this is probably a bug.

Thanks in advance:

Kalman Gergely

Re: conntrack -L shows an entry, conntrack -G doesn't

[Pablo Neira Ayuso]

synapse@hippy.csoma.elte.hu wrote:
> root@test:~# conntrack -L -s 192.168.13.12 -q 192.168.13.12 -p tcp
> --orig-port-src
> 49939 --reply-port-src 12345
>     tcp      6 431950 ESTABLISHED src=192.168.13.12 dst=217.20.131.2
> sport=49939
> dport=22 packets=2 bytes=112 src=127.0.0.1
>     dst=192.168.13.12     sport=12345 dport=49939 packets=1 bytes=60
> [ASSURED]
> mark=0 use=1
> 
> root@test:~# conntrack -G -s 192.168.13.12 -q 192.168.13.12 -p tcp
> --orig-port-src
> 49939 --reply-port-src 12345
>     Operation failed: such conntrack doesn't exist

My git snapshot fails as there are missing parameters:
conntrack v0.9.7: missing IP address
Try `conntrack -h' or 'conntrack --help' for more information.

> The redirection is done as:
> 
>     iptables -t nat -F
>     iptables -t nat -X
>     iptables -t nat -Z
> 
>     iptables -t nat -A OUTPUT -p tcp --destination-port 22 -j REDIRECT
> --to-ports 1234
> 
> I am using the latest ubuntu btw (upgraded fully), with versions:
>     conntrack                           1.00~beta2-1

This version is very old. The conntrack package was superseded by the
conntrack-tools. Please, check http://conntrack-tools.netfilter.org to
get the latest.

> Basically I am clueless here as to why -L shows the connection and -G
> doesn't. My goal is to
> transparently proxy outgoing connections through my program. Therefore I
> need to detect
> what its' original destination would be from the information seen by the
> program on
> 12345.

As for now, the -G command requires the tuple {source, destination,
source port, destination port, protocol}.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers