2.4.23 masquerading broken?

[Wilmer van der Gaast <lintux@lintux.cx>]

[-- Attachment #1.1: Type: text/plain, Size: 1052 bytes --]

For security reasons, I upgraded to 2.4.23 last night. Now, suddenly, IP
masquerading seems to be broken. When I use SNAT instead of
masquerading, everything works.

Unfortunately, I think it's hard to reproduce the problem. Right after
booting .23 for the first time, everything seemed to be okay. The
problems started just an hour ago, after having the server running for
fifteen hours without any problems.

Unfortunately there's not much more information I can provide. I can
attach my iptables/rule/route file and keep my machine running in case
anyone needs/wants more information. For now I'll just stick with SNAT.
It works good enough for me.

Just FYI, and maybe someone else will have a similar problem.

Wilmer v/d Gaast. (not on the list)

-- 
+-------- .''`.     - -- ---+  +        - -- --- ---- ----- ------+
| lintux : :'  :  lintux.cx |  | OSS Programmer   www.bitlbee.org |
|   at   `. `~'  debian.org |  | www.algoritme.nl   www.lintux.cx |
+--- -- -  ` ---------------+  +------ ----- ---- --- -- -        +

[-- Attachment #1.2: S19router --]
[-- Type: text/plain, Size: 3561 bytes --]

#!/bin/sh

if [ "$1" != "start" ]; then
	exit;
fi

if ! ifconfig hensema > /dev/null 2> /dev/null; then sleep 1; fi

catnet="130.89.203.37"
utwente="utwente"
hensema="hensema"

echo -n 'Setting up routes and iptables... '

## Without this Linux will reject packets from outside the network
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F

iptables -A INPUT -i wlan0 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i wlan0 -p tcp --dport tinc -j ACCEPT
iptables -A INPUT -i wlan0 -p udp --dport tinc -j ACCEPT
iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i wlan0 -p icmp -j ACCEPT
iptables -A INPUT -i wlan0 -j REJECT

iptables -A INPUT -i eth1 -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport domain -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport domain -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport www -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport imap2 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport imap3 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport imaps -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -j REJECT

iptables -A FORWARD -i wlan0 -j REJECT --reject-with icmp-host-unreachable
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $catnet

ip route flush table utwente
ip route flush table hensema

## This is a quick hack to flush the rule table. It's not yet perfect.
ip rule list | \
cut -d '	' -f2 | \
sed s/all/0\\/0/g | \
while read LINE; do
	ip rule del $LINE;
done

ip rule add prio 10 to 192.168.0.0/16 table main
ip rule add prio 12 iif hensema table $utwente ## For the ssh->hensema portfw
ip rule add prio 15 from $catnet table $utwente
ip rule add prio 15 from 192.168.7.2 table $hensema
ip rule add prio 20 to 130.89.0.0/16 table $utwente
ip rule add prio 20 to 212.120.64.0/18 table $hensema
ip rule add prio 40 from 192.168.9.11 table $hensema
ip rule add prio 40 from 192.168.9.13 table $hensema
#ip rule add prio 40 from 192.168.9.14 table $hensema
#ip rule add prio 40 from 192.168.9.17 table $hensema
ip rule add prio 55 from 192.168.9.0/24 table $utwente
ip rule add prio 60 table main

ip route flush cache

ip route add table hensema 192.168.7.0/24 dev hensema
ip route add table hensema default via 192.168.7.1 dev hensema
ip route add table utwente 130.89.192.0/20 dev eth1
ip route add table utwente default via 130.89.192.1 dev eth1

ip route add 192.168.1.0/24 via 192.168.7.1 dev hensema

## Add default routes as fallbacks. The second route seems to be
## necessary to be able to bind() to eth1 and have things work.
while ip route del default; do :; done
ip route add table main default via 192.168.7.1 dev hensema metric 0
ip route add table main default via 130.89.192.1 dev eth1 metric 1

ip route flush cache

## Port forward stuff
iptables -t nat -A PREROUTING -p tcp -d $catnet --dport 2222 -j DNAT --to 192.168.1.1:22
iptables -t nat -A PREROUTING -p tcp -d $catnet --dport 2121 -j DNAT --to 192.168.9.15:21
#iptables -t nat -A PREROUTING -p tcp -d $catnet --dport  222 -j DNAT --to 192.168.9.14:22
#iptables -t nat -s \! 192.168.9.0/24 -A POSTROUTING -o hensema -j MASQUERADE
iptables -t nat -s \! 192.168.9.0/24 -A POSTROUTING -o hensema -j SNAT --to-source 192.168.7.2

echo 'OK'

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]