* RAWNAT problem
From: Manu @ 2008-09-11 13:24 UTC (permalink / raw)
To: Jan Engelhardt, Netfilter Developer Mailing List
Hi,
Jan, thank you for fixing the RAWNAT targets in xtables-addons!!! It
works very well, without any crashes!
For my issue (I want to exchange the source address for incoming
packets, and to exchange the destination address for outgoing packets) I
modified xt_RAWNAT.c like this:
function: static unsigned int rawsnat_tg4
...
// na = remask(iph->saddr, info->addr.ip, info->mask);
na = info->addr.ip;
...
and function: static unsigned int rawdnat_tg4
...
// new_addr = remask(iph->daddr, info->addr.ip, info->mask);
new_addr = info->addr.ip;
...
I have connected 2 PCs:
PC1 (acts as a gateway):
LAN1 connected to internet router; IP: eth0=192.168.0.176
LAN2 connected to PC2; IP: eth1=10.0.0.1, eth1:2=10.0.12.1,....
PC2
FIX-IP: eth0=192.168.150.111; gw=192.168.150.1
rules in PC1:
iptables:
iptables -t raw -I PREROUTING -i eth1 -s 192.168.150.111 -j RAWSNAT --to-source 10.0.12.2
and
iptables -t rawpost -I POSTROUTING -o eth1 -d 10.0.12.2 -j RAWDNAT --to-destination 192.168.150.111
# arptables -nvL
Chain INPUT (policy ACCEPT 3691 packets, 103K bytes)
-j DROP -i * -o * -s 0.0.0.0 -d 10.0.12.2 --h-length 6 --opcode 1 , pcnt=0 -- bcnt=0
-j mangle -i eth1 -o * -s 192.168.150.111 --mangle-ip-s 10.0.12.2 --mangle-ip-d 10.0.12.1 , pcnt=648 -- bcnt=18144
Chain OUTPUT (policy ACCEPT 7363 packets, 206K bytes)
-j mangle -i * -o eth1 -d 10.0.12.2 --mangle-ip-s 10.0.0.1 --mangle-ip-d 192.168.150.111 , pcnt=88 -- bcnt=2464
With the rules set like that, I can successfully ping from one PC to the
other: from PC2 with ping 10.0.12.1, or from PC1 with ping 10.0.12.2!
<4>TRACE: raw:PREROUTING:rule:2 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=10.0.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=60868 DF PROTO=ICMP
TYPE=0 CODE=0 ID=54363 SEQ=1
<4>TRACE: raw:PREROUTING:rule:3 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=10.0.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=60868 DF PROTO=ICMP
TYPE=0 CODE=0 ID=54363 SEQ=1
<4>TRACE: raw:PREROUTING:policy:4 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=10.0.12.2
DST=10.0.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=60868 DF PROTO=ICMP
TYPE=0 CODE=0 ID=54363 SEQ=1
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=10.0.12.2
DST=10.0.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=60868 DF PROTO=ICMP
TYPE=0 CODE=0 ID=54363 SEQ=1
<4>TRACE: mangle:INPUT:policy:1 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=10.0.12.2
DST=10.0.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=60868 DF PROTO=ICMP
TYPE=0 CODE=0 ID=54363 SEQ=1
<4>TRACE: filter:INPUT:rule:2 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=10.0.12.2
DST=10.0.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=60868 DF PROTO=ICMP
TYPE=0 CODE=0 ID=54363 SEQ=1
Ping works fine, but if I open a browser, I don't get the web page
displayed. In my iptables nat rules I set a rule to redirect requests
for port 53 to a local process! But these requests went into the FORWARD
chain of the mangle table?! Is there a problem with connection tracking?!
<4>TRACE: raw:PREROUTING:rule:2 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=19126 PROTO=UDP
SPT=2012 DPT=53 LEN=38
<4>TRACE: raw:PREROUTING:policy:4 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=10.0.12.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=19126 PROTO=UDP
SPT=2012 DPT=53 LEN=38
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=10.0.12.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=19126 PROTO=UDP
SPT=2012 DPT=53 LEN=38
<4>TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 SRC=10.0.12.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=19126 PROTO=UDP
SPT=2012 DPT=53 LEN=38
<4>TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 SRC=10.0.12.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=19126 PROTO=UDP
SPT=2012 DPT=53 LEN=38
My other iptables rules:
# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 35980 packets, 2728K bytes)
 pkts bytes target   prot opt in   out  source           destination
  285 22307 TRACE    all  --  eth2 *    0.0.0.0/0        0.0.0.0/0
  293 23053 RAWSNAT  all  --  eth2 *    192.168.150.111  0.0.0.0/0        to-source 10.0.12.2/32
Chain OUTPUT (policy ACCEPT 45319 packets, 9536K bytes)
 pkts bytes target   prot opt in   out  source           destination
# iptables -nvL -t rawpost
Chain POSTROUTING (policy ACCEPT 45356 packets, 9540K bytes)
 pkts bytes target   prot opt in   out  source           destination
  140 11760 RAWDNAT  all  --  *    eth2 0.0.0.0/0        10.0.12.2        to-destination 192.168.150.111/32
# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 34447 packets, 2595K bytes)
 pkts bytes target   prot opt in   out  source           destination
Chain INPUT (policy ACCEPT 33860 packets, 2551K bytes)
 pkts bytes target   prot opt in   out  source           destination
Chain FORWARD (policy ACCEPT 524 packets, 35017 bytes)
 pkts bytes target   prot opt in   out  source           destination
Chain OUTPUT (policy ACCEPT 44144 packets, 9426K bytes)
 pkts bytes target   prot opt in   out  source           destination
Chain POSTROUTING (policy ACCEPT 44135 packets, 9425K bytes)
 pkts bytes target   prot opt in   out  source           destination
# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9199 packets, 846K bytes)
 pkts bytes target   prot opt in   out  source           destination
    0     0 REDIRECT tcp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        tcp dpt:53
    0     0 REDIRECT udp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        udp dpt:53
    0     0 REDIRECT tcp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        tcp dpt:80 redir ports 11111
Chain POSTROUTING (policy ACCEPT 4756 packets, 369K bytes)
 pkts bytes target   prot opt in   out  source           destination
 1073 87213 SNAT     all  --  *    eth0 0.0.0.0/0        0.0.0.0/0        to:192.168.0.176
Chain OUTPUT (policy ACCEPT 5829 packets, 456K bytes)
 pkts bytes target   prot opt in   out  source           destination
and without the rules for RAWNAT I get the following:
<4>TRACE: raw:PREROUTING:policy:3 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=20296 PROTO=UDP
SPT=2012 DPT=53 LEN=50
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=20296 PROTO=UDP
SPT=2012 DPT=53 LEN=50
<4>TRACE: mangle:INPUT:policy:1 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=10.0.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=20296 PROTO=UDP
SPT=2012 DPT=53 LEN=50
<4>TRACE: filter:INPUT:rule:6 IN=eth1 OUT=
MAC=00:30:18:49:b2:2f:00:40:f4:82:df:94:08:00 SRC=192.168.150.111
DST=10.0.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=20296 PROTO=UDP
SPT=2012 DPT=53 LEN=50
Hope somebody can help.
cheers
* Re: RAWNAT problem
From: Jan Engelhardt @ 2008-09-11 14:02 UTC (permalink / raw)
To: Manu; +Cc: Netfilter Developer Mailing List
On Thursday 2008-09-11 09:24, Manu wrote:
>
> Jan, thank you for fixing the RAWNAT targets in xtables-addons!!! It works very
> well, without any crashes!
Not that I remember having made any significant changes
other than rebasing, but thanks ;-)
> For my issue ( I want to exchange the source address for incoming packets, and
> to exchange the destination address for outgoing packets) I modified the
> xt_RAWNAT.c like that:
>
> function: static unsigned int rawsnat_tg4
> ...
> // na = remask(iph->saddr, info->addr.ip, info->mask);
> na = info->addr.ip;
> ...
Ok I fixed a slight calculation error in remask() that should
make this unnecessary now.
>rules in PC1:
>iptables:
>iptables -t raw -I PREROUTING -i eth1 -s 192.168.150.111 -j RAWSNAT --to-source 10.0.12.2
>and
>iptables -t rawpost -I POSTROUTING -o eth1 -d 10.0.12.2 -j RAWDNAT --to-destination 192.168.150.111
>
> Ping works fine, but if I open a browser, I didn't get the web-page displayed.
> In my iptables nat rules I set a rule to redirect requests for port 53 to local
> process! But these requests went into FORWARD chain of mangle table?! Is there
> a problem with connection tracking?!
You also need a rule in the OUTPUT chain of the raw table
if you are initiating connections from the machine itself.
libxt_RAWSNAT.man has been updated with this info.
* Re: RAWNAT problem
From: Manu @ 2008-09-15 16:02 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
>> rules in PC1:
>> iptables:
>> iptables -t raw -I PREROUTING -i eth1 -s 192.168.150.111 -j RAWSNAT --to-source 10.0.12.2
>> and
>> iptables -t rawpost -I POSTROUTING -o eth1 -d 10.0.12.2 -j RAWDNAT --to-destination 192.168.150.111
>>
>> Ping works fine, but if I open a browser, I didn't get the web-page displayed.
>> In my iptables nat rules I set a rule to redirect requests for port 53 to local
>> process! But these requests went into FORWARD chain of mangle table?! Is there
>> a problem with connection tracking?!
>>
>
> You also need a rule in the OUTPUT chain of the raw table
> if you are initiating connections from the machine itself.
> libxt_RAWSNAT.man has been updated with this info
This doesn't solve my problem. I'm not entering the OUTPUT chain at all
(with the destination port 53)!
If I set the following iptables rules:
# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 26290 packets, 8421K bytes)
 pkts  bytes target  prot opt in   out  source           destination
18663  1129K TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
  524  43031 RAWSNAT all  --  eth2 *    192.168.150.111  0.0.0.0/0        to-source 10.0.17.2/32
Chain OUTPUT (policy ACCEPT 31998 packets, 14M bytes)
 pkts  bytes target  prot opt in   out  source           destination
    0      0 RAWDNAT udp  --  *    eth2 0.0.0.0/0        10.0.17.2        udp dpt:53 to-destination 192.168.150.111/32
27029    14M TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
I get this result:
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=5101 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: raw:PREROUTING:policy:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=5101 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=5101 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: mangle:FORWARD:policy:1 IN=eth2 OUT=eth0 SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TOS=0x00 PREC=0x00 TTL=254 ID=5101 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: filter:FORWARD:rule:3 IN=eth2 OUT=eth0 SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TOS=0x00 PREC=0x00 TTL=254 ID=5101 PROTO=UDP
SPT=1026 DPT=53 LEN=69
I would like the request to go into the INPUT chain (like it does when
I run the ping command).
With an additional rule:
# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 18821 packets, 7969K bytes)
 pkts  bytes target  prot opt in   out  source           destination
11194   677K TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
  353  28929 RAWSNAT all  --  eth2 *    192.168.150.111  0.0.0.0/0        to-source 10.0.17.2/32
    3    204 RAWDNAT all  --  eth2 *    10.0.17.2        0.0.0.0/0        to-destination 10.0.17.1/32
Chain OUTPUT (policy ACCEPT 21579 packets, 6930K bytes)
 pkts  bytes target  prot opt in   out  source           destination
    0      0 RAWDNAT udp  --  *    eth2 0.0.0.0/0        10.0.17.2        udp dpt:53 to-destination 192.168.150.111/32
16610  6550K TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
I'm getting this result. If I do the RAWDNAT operation in
PREROUTING, the packets lose the destination port?!?! Or how do I have
to read that?
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=5833 PROTO=UDP
SPT=61014 DPT=53 LEN=39
<4>TRACE: raw:PREROUTING:rule:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=192.168.150.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=5833 PROTO=UDP
SPT=61014 DPT=53 LEN=39
<4>TRACE: raw:PREROUTING:policy:4 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=5833 CE FRAG:7000
PROTO=UDP
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=59 TOS=0x00 PREC=0x00 TTL=128 ID=5833 CE FRAG:7000
PROTO=UDP
I feel there is not much more to solve. A little bit of help would be
so greatly appreciated!
Thx & cheers
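As an added example (not code from the thread or from xtables-addons), a small Python analyser for netfilter TRACE output of the kind pasted above: it re-joins the mail-wrapped lines, groups hops by IP ID, lists every SRC/DST rewrite with the rule that made it, reports whether routing sent the packet to INPUT or FORWARD, and flags a UDP/TCP packet whose port fields vanish mid-trace, as in the last trace of this message. The sample traces embedded in it are abridged copies of the DNS-request traces from this message.

```python
"""Added example, not part of the thread: follow packets through netfilter
TRACE output and point at the hop where an address was rewritten, where the
packet was routed (INPUT vs FORWARD) and where the L4 header stopped parsing."""
import re
from collections import defaultdict

HOP_RE = re.compile(r"TRACE: (\w+):(\w+):(\w+):(\d+)\s*(.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Abridged copies of two traces from the thread (MAC/TOS/PREC fields dropped).
SAMPLE = """\
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT= SRC=192.168.150.111
DST=192.168.150.1 LEN=89 TTL=255 ID=5101 PROTO=UDP SPT=1026 DPT=53 LEN=69
<4>TRACE: raw:PREROUTING:policy:3 IN=eth2 OUT= SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TTL=255 ID=5101 PROTO=UDP SPT=1026 DPT=53 LEN=69
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT= SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TTL=255 ID=5101 PROTO=UDP SPT=1026 DPT=53 LEN=69
<4>TRACE: mangle:FORWARD:policy:1 IN=eth2 OUT=eth0 SRC=10.0.17.2
DST=192.168.150.1 LEN=89 TTL=254 ID=5101 PROTO=UDP SPT=1026 DPT=53 LEN=69
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT= SRC=192.168.150.111
DST=192.168.150.1 LEN=59 TTL=128 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
<4>TRACE: raw:PREROUTING:rule:3 IN=eth2 OUT= SRC=10.0.17.2
DST=192.168.150.1 LEN=59 TTL=128 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
<4>TRACE: raw:PREROUTING:policy:4 IN=eth2 OUT= SRC=10.0.17.2
DST=10.0.17.1 LEN=59 TTL=128 ID=5833 CE FRAG:7000 PROTO=UDP
"""


def records(text):
    """Re-join mail-wrapped lines: a record starts at 'TRACE:' (with or
    without the '<4>' printk level) and runs until the next such line."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"(<?\d>)?TRACE:", line):
            out.append(line)
        elif out:
            out[-1] += " " + line
    return out


def parse_trace(text):
    """Map IP ID -> ordered hops (table, chain, kind, num, fields).
    Grouping by ID alone is enough for a short capture.  Flags without '='
    (DF, CE, FRAG:...) are ignored; the first LEN (the IP one) wins."""
    packets = defaultdict(list)
    for rec in records(text):
        m = HOP_RE.search(rec)
        if not m:
            continue
        table, chain, kind, num, rest = m.groups()
        fields = {}
        for key, val in KV_RE.findall(rest):
            fields.setdefault(key, val)
        packets[fields.get("ID", "?")].append((table, chain, kind, int(num), fields))
    return dict(packets)


def hop_name(hop):
    table, chain, kind, num, _ = hop
    return f"{table}:{chain}:{kind}:{num}"


def analyse(hops):
    """Report for one packet.  TRACE prints the packet as it arrives at each
    rule, so a change between hop i and hop i+1 was made by hop i's target."""
    rep = {"path": [hop_name(h) for h in hops], "rewrites": [],
           "delivery": None, "transport_lost_after": None}
    for prev, cur in zip(hops, hops[1:]):
        for key in ("SRC", "DST"):
            before, after = prev[4].get(key), cur[4].get(key)
            if before != after:
                rep["rewrites"].append((hop_name(prev), key, before, after))
        # Ports present before, gone after: the UDP/TCP header no longer
        # parses after that rule ran (the symptom seen in the thread).
        lost = "DPT" in prev[4] and "DPT" not in cur[4]
        if lost and cur[4].get("PROTO") in ("UDP", "TCP"):
            rep["transport_lost_after"] = rep["transport_lost_after"] or hop_name(prev)
    chains = {h[1] for h in hops}
    if "FORWARD" in chains:      # DST after PREROUTING was not a local address
        rep["delivery"] = "FORWARD"
    elif "INPUT" in chains:      # DST after PREROUTING was local
        rep["delivery"] = "INPUT"
    return rep


def report(text):
    return {pid: analyse(hops) for pid, hops in parse_trace(text).items()}


if __name__ == "__main__":
    for pid, rep in report(SAMPLE).items():
        print(f"ID={pid}: {' -> '.join(rep['path'])}")
        for where, key, before, after in rep["rewrites"]:
            print(f"  {key} {before} -> {after} by {where}")
        print(f"  delivery: {rep['delivery'] or 'trace ends before routing'}")
        if rep["transport_lost_after"]:
            print(f"  ANOMALY: transport header lost after {rep['transport_lost_after']}")
```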
* Re: RAWNAT problem
From: Jan Engelhardt @ 2008-09-15 17:59 UTC (permalink / raw)
To: Manu; +Cc: Netfilter Developer Mailing List
On Monday 2008-09-15 12:02, Manu wrote:
>
> With an additional rule [at PREROUTING 3]:
> # iptables -nvL -t raw
> Chain PREROUTING (policy ACCEPT 18821 packets, 7969K bytes)
> pkts bytes target prot opt in out source destination
> 11194 677K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
> 353 28929 RAWSNAT all -- eth2 * 192.168.150.111 0.0.0.0/0 to-source 10.0.17.2/32
> 3 204 RAWDNAT all -- eth2 * 10.0.17.2 0.0.0.0/0 to-destination 10.0.17.1/32
>
> Chain OUTPUT (policy ACCEPT 21579 packets, 6930K bytes)
> pkts bytes target prot opt in out source destination
> 0 0 RAWDNAT udp -- * eth2 0.0.0.0/0 10.0.17.2 udp dpt:53 to-destination 192.168.150.111/32
> 16610 6550K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>
> I'm getting this result. If I'm doing the RAWDNAT operation in
> PREROUTING the packets lose the destination port? Or how do I
> have to read that!
>
> <4>TRACE: raw:PREROUTING:rule:2 SRC=192.168.150.111 DST=192.168.150.1
> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
> <4>TRACE: raw:PREROUTING:rule:3 SRC=10.0.17.2 DST=192.168.150.1
> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
> <4>TRACE: raw:PREROUTING:policy:4 SRC=10.0.17.2 DST=10.0.17.1
> LEN=59 ID=5833 CE FRAG:7000 PROTO=UDP
>
> I'm feeling there is not much more to solve. A little bit help would be so
> greatly appreciated!
>
True true, something is not quite right yet.
I updated the branch with the latest commit ("updating checksumming
code"), can you try that please? Thanks for keeping me on my toes ;-)
* Re: RAWNAT problem
From: Manu @ 2008-09-16 13:55 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Monday 2008-09-15 12:02, Manu wrote:
>
>> With an additional rule [at PREROUTING 3]:
>> # iptables -nvL -t raw
>> Chain PREROUTING (policy ACCEPT 18821 packets, 7969K bytes)
>> pkts bytes target prot opt in out source destination
>> 11194 677K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>> 353 28929 RAWSNAT all -- eth2 * 192.168.150.111 0.0.0.0/0 to-source 10.0.17.2/32
>> 3 204 RAWDNAT all -- eth2 * 10.0.17.2 0.0.0.0/0 to-destination 10.0.17.1/32
>>
>> Chain OUTPUT (policy ACCEPT 21579 packets, 6930K bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 RAWDNAT udp -- * eth2 0.0.0.0/0 10.0.17.2 udp dpt:53 to-destination 192.168.150.111/32
>> 16610 6550K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> I'm getting this result. If I'm doing the RAWDNAT operation in
>> PREROUTING the packets lose the destination port? Or how do I
>> have to read that!
>>
>> <4>TRACE: raw:PREROUTING:rule:2 SRC=192.168.150.111 DST=192.168.150.1
>> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
>> <4>TRACE: raw:PREROUTING:rule:3 SRC=10.0.17.2 DST=192.168.150.1
>> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
>> <4>TRACE: raw:PREROUTING:policy:4 SRC=10.0.17.2 DST=10.0.17.1
>> LEN=59 ID=5833 CE FRAG:7000 PROTO=UDP
>>
>> I'm feeling there is not much more to solve. A little bit help would be so
>> greatly appreciated!
>>
>>
> True true, something is not quite right yet.
>
> I updated the branch with the latest commit ("updating checksumming
> code"), can you try that please? Thanks for keeping me on my toes ;-)
>
>
My results with your latest commit. To recap:
PC1: eth2=10.0.0.1; eth2:1=10.0.16.1; eth2:2=10.0.17.1; ...
PC2: eth0=192.168.150.111; gw=192.168.150.1
PC3 receives a DHCP address from PC1: eth0=10.0.16.2; gw=10.0.16.1
DNS request from PC2 with these iptables rules:
# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 8762 packets, 7355K bytes)
 pkts  bytes target  prot opt in   out  source           destination
 1464   103K TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
  395  32775 RAWDNAT all  --  eth2 *    192.168.150.111  0.0.0.0/0        to-destination 10.0.17.1/32
  395  32775 RAWSNAT all  --  eth2 *    192.168.150.111  0.0.0.0/0        to-source 10.0.17.2/32
Chain OUTPUT (policy ACCEPT 7243 packets, 4047K bytes)
 pkts  bytes target  prot opt in   out  source           destination
 3227  3743K TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
  353  29652 RAWSNAT all  --  *    eth2 0.0.0.0/0        10.0.17.2        to-source 192.168.150.1/32
  353  29652 RAWDNAT all  --  *    eth2 0.0.0.0/0        10.0.17.2        to-destination 192.168.150.111/32
<4>TRACE: raw:PREROUTING:rule:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=13923 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=10.0.17.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=13923 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: raw:PREROUTING:rule:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=13923 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=13923 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: mangle:INPUT:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=13923 PROTO=UDP
SPT=1026 DPT=53 LEN=69
<4>TRACE: filter:INPUT:rule:11 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=13923 PROTO=UDP
SPT=1026 DPT=53 LEN=69
Same request from PC3, which got a DHCP address from PC1:
<4>TRACE: raw:PREROUTING:policy:4 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:40:ca:d0:a9:89:08:00 SRC=10.0.16.2
DST=10.0.16.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=3212 DF PROTO=UDP
SPT=32908 DPT=53 LEN=39
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:40:ca:d0:a9:89:08:00 SRC=10.0.16.2
DST=10.0.16.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=3212 DF PROTO=UDP
SPT=32908 DPT=53 LEN=39
<4>TRACE: nat:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:40:ca:d0:a9:89:08:00 SRC=10.0.16.2
DST=10.0.16.1 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=3212 DF PROTO=UDP
SPT=32908 DPT=53 LEN=39
<4>TRACE: mangle:INPUT:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:40:ca:d0:a9:89:08:00 SRC=10.0.16.2 DST=10.0.0.1
LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=3212 DF PROTO=UDP SPT=32908 DPT=53
LEN=39
<4>TRACE: filter:INPUT:rule:11 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:40:ca:d0:a9:89:08:00 SRC=10.0.16.2 DST=10.0.0.1
LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=3212 DF PROTO=UDP SPT=32908 DPT=53
LEN=39
<4>TRACE: raw:OUTPUT:policy:4 IN= OUT=eth2 SRC=10.0.0.1 DST=10.0.16.2
LEN=126 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32908
LEN=106 UID=0
<4>TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth2 SRC=10.0.0.1 DST=10.0.16.2
LEN=126 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32908
LEN=106 UID=0
<4>TRACE: filter:OUTPUT:rule:6 IN= OUT=eth2 SRC=10.0.0.1 DST=10.0.16.2
LEN=126 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32908
LEN=106 UID=0
<4>TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 SRC=10.0.0.1
DST=10.0.16.2 LEN=126 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53
DPT=32908 LEN=106 UID=0
<4>TRACE: rawpost:POSTROUTING:policy:1 IN= OUT=eth2 SRC=10.0.16.1
DST=10.0.16.2 LEN=126 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53
DPT=32908 LEN=106 UID=0
The DNS request from DHCP lease 10.0.16.2 enters nat:PREROUTING after
passing mangle:PREROUTING.
The DNS request from fixed IP 192.168.150.111 doesn't enter
nat:PREROUTING after passing mangle:PREROUTING?!??
tcpdump of both requests:
15:08:45.583020 0:40:ca:d0:a9:89 0:30:18:49:f3:2a 0800 71:
10.0.16.2.32913 > 10.0.16.1.53: [udp sum ok] 25886+ A? pop3.web.de.
(29) (DF) (ttl 64, id 30581, len 57)
0x0000 4500 0039 7775 4000 4011 8f3c 0a00 1002 E..9wu@.@..<....
0x0010 0a00 1001 8091 0035 0025 fe0a 651e 0100 .......5.%..e...
0x0020 0001 0000 0000 0000 0470 6f70 3303 7765 .........pop3.we
0x0030 6202 6465 0000 0100 01 b.de.....
15:08:45.586782 0:30:18:49:f3:2a 0:40:ca:d0:a9:89 0800 125: 10.0.16.1.53
> 10.0.16.2.32913: 25886 q: A? pop3.web.de. 1/2/0 pop3.web.de. A
217.72.192.134 ns: web.de.[|domain] (DF) (ttl 64, id 0, len 111)
0x0000 4500 006f 0000 4000 4011 067c 0a00 1001 E..o..@.@..|....
0x0010 0a00 1002 0035 8091 005b 346f 651e 8180 .....5...[4oe...
0x0020 0001 0001 0002 0000 0470 6f70 3303 7765 .........pop3.we
0x0030 6202 6465 0000 0100 01c0 0c00 0100 0100 b.de............
0x0040 0090 5f00 04d9 48c0 86c0 1100 0200 0100 .._...H.........
0x0050 0145 .E
15:08:45.825461 0:14:b:30:d0:2 0:30:18:49:f3:2a 0800 71:
192.168.150.111.62901 > 192.168.150.1.53: [udp sum ok] 36608+ A?
www.test.de. (29) (ttl 128, id 14021, len 57)
0x0000 4500 0039 36c5 0000 8011 562d c0a8 966f E..96.....V-...o
0x0010 c0a8 9601 f5b5 0035 0025 0cb8 8f00 0100 .......5.%......
0x0020 0001 0000 0000 0000 0377 7777 0474 6573 .........www.tes
0x0030 7402 6465 0000 0100 01 t.de.....
15:08:47.825169 0:14:b:30:d0:2 0:30:18:49:f3:2a 0800 71:
192.168.150.111.62901 > 192.168.150.1.53: [udp sum ok] 36608+ A?
www.test.de. (29) (ttl 128, id 14024, len 57)
0x0000 4500 0039 36c8 0000 8011 562a c0a8 966f E..96.....V*...o
0x0010 c0a8 9601 f5b5 0035 0025 0cb8 8f00 0100 .......5.%......
0x0020 0001 0000 0000 0000 0377 7777 0474 6573 .........www.tes
0x0030 7402 6465 0000 0100 01 t.de.....
Maybe the successful ping command gives some hint!?
Ping from PC1 to PC2 (command: ping 10.0.17.2):
<4>TRACE: raw:OUTPUT:rule:2 IN= OUT=eth2 SRC=10.0.17.1 DST=10.0.17.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=25956 SEQ=4352 UID=0
<4>TRACE: raw:OUTPUT:rule:3 IN= OUT=eth2 SRC=192.168.150.1 DST=10.0.17.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=25956 SEQ=4352 UID=0
<4>TRACE: raw:OUTPUT:policy:4 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=25956 SEQ=4352 UID=0
<4>TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=25956 SEQ=4352 UID=0
<4>TRACE: filter:OUTPUT:rule:2 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=25956 SEQ=4352 UID=0
<4>TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=25956 SEQ=4352 UID=0
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14473 DF
PROTO=ICMP TYPE=0 CODE=0 ID=25956 SEQ=4352
<4>TRACE: raw:PREROUTING:rule:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14473 DF PROTO=ICMP
TYPE=0 CODE=0 ID=25956 SEQ=4352
<4>TRACE: raw:PREROUTING:policy:4 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14473 DF PROTO=ICMP
TYPE=0 CODE=0 ID=25956 SEQ=4352
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14473 DF PROTO=ICMP
TYPE=0 CODE=0 ID=25956 SEQ=4352
<4>TRACE: mangle:INPUT:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14473 DF PROTO=ICMP
TYPE=0 CODE=0 ID=25956 SEQ=4352
<4>TRACE: filter:INPUT:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14473 DF PROTO=ICMP
TYPE=0 CODE=0 ID=25956 SEQ=4352
Ping from PC2 to PC1 (command: ping 192.168.150.1):
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=192.168.150.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14544 PROTO=ICMP
TYPE=8 CODE=0 ID=2051 SEQ=768
<4>TRACE: raw:PREROUTING:rule:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14544 PROTO=ICMP
TYPE=8 CODE=0 ID=2051 SEQ=768
<4>TRACE: raw:PREROUTING:policy:4 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14544 PROTO=ICMP
TYPE=8 CODE=0 ID=2051 SEQ=768
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14544 PROTO=ICMP
TYPE=8 CODE=0 ID=2051 SEQ=768
<4>TRACE: mangle:INPUT:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14544 PROTO=ICMP
TYPE=8 CODE=0 ID=2051 SEQ=768
<4>TRACE: filter:INPUT:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14544 PROTO=ICMP
TYPE=8 CODE=0 ID=2051 SEQ=768
<4>TRACE: raw:OUTPUT:rule:2 IN= OUT=eth2 SRC=10.0.17.1 DST=10.0.17.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60388 PROTO=ICMP TYPE=0 CODE=0
ID=2051 SEQ=768
<4>TRACE: raw:OUTPUT:rule:3 IN= OUT=eth2 SRC=192.168.150.1 DST=10.0.17.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60388 PROTO=ICMP TYPE=0 CODE=0
ID=2051 SEQ=768
<4>TRACE: raw:OUTPUT:policy:4 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60388 PROTO=ICMP
TYPE=0 CODE=0 ID=2051 SEQ=768
<4>TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60388 PROTO=ICMP
TYPE=0 CODE=0 ID=2051 SEQ=768
<4>TRACE: filter:OUTPUT:rule:2 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60388 PROTO=ICMP
TYPE=0 CODE=0 ID=2051 SEQ=768
<4>TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60388 PROTO=ICMP
TYPE=0 CODE=0 ID=2051 SEQ=768
Ping from PC2 to PC1 (command: ping 10.0.17.1):
<4>TRACE: raw:PREROUTING:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14657 PROTO=ICMP
TYPE=8 CODE=0 ID=59404 SEQ=1024
<4>TRACE: raw:PREROUTING:rule:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=192.168.150.111
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14657 PROTO=ICMP
TYPE=8 CODE=0 ID=59404 SEQ=1024
<4>TRACE: raw:PREROUTING:policy:4 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14657 PROTO=ICMP
TYPE=8 CODE=0 ID=59404 SEQ=1024
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14657 PROTO=ICMP
TYPE=8 CODE=0 ID=59404 SEQ=1024
<4>TRACE: mangle:INPUT:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14657 PROTO=ICMP
TYPE=8 CODE=0 ID=59404 SEQ=1024
<4>TRACE: filter:INPUT:rule:2 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=10.0.17.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=14657 PROTO=ICMP
TYPE=8 CODE=0 ID=59404 SEQ=1024
<4>TRACE: raw:OUTPUT:rule:2 IN= OUT=eth2 SRC=10.0.17.1 DST=10.0.17.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60466 PROTO=ICMP TYPE=0 CODE=0
ID=59404 SEQ=1024
<4>TRACE: raw:OUTPUT:rule:3 IN= OUT=eth2 SRC=192.168.150.1 DST=10.0.17.2
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60466 PROTO=ICMP TYPE=0 CODE=0
ID=59404 SEQ=1024
<4>TRACE: raw:OUTPUT:policy:4 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60466 PROTO=ICMP
TYPE=0 CODE=0 ID=59404 SEQ=1024
<4>TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60466 PROTO=ICMP
TYPE=0 CODE=0 ID=59404 SEQ=1024
<4>TRACE: filter:OUTPUT:rule:2 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60466 PROTO=ICMP
TYPE=0 CODE=0 ID=59404 SEQ=1024
<4>TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth2 SRC=192.168.150.1
DST=192.168.150.111 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=60466 PROTO=ICMP
TYPE=0 CODE=0 ID=59404 SEQ=1024
* Re: RAWNAT problem
From: Manu @ 2008-09-16 15:05 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Monday 2008-09-15 12:02, Manu wrote:
>
>> With an additional rule [at PREROUTING 3]:
>> # iptables -nvL -t raw
>> Chain PREROUTING (policy ACCEPT 18821 packets, 7969K bytes)
>> pkts bytes target prot opt in out source destination
>> 11194 677K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>> 353 28929 RAWSNAT all -- eth2 * 192.168.150.111 0.0.0.0/0 to-source 10.0.17.2/32
>> 3 204 RAWDNAT all -- eth2 * 10.0.17.2 0.0.0.0/0 to-destination 10.0.17.1/32
>>
>> Chain OUTPUT (policy ACCEPT 21579 packets, 6930K bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 RAWDNAT udp -- * eth2 0.0.0.0/0 10.0.17.2 udp dpt:53 to-destination 192.168.150.111/32
>> 16610 6550K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> I'm getting this result. If I'm doing the RAWDNAT operation in
>> PREROUTING the packets lose the destination port? Or how do I
>> have to read that!
>>
>> <4>TRACE: raw:PREROUTING:rule:2 SRC=192.168.150.111 DST=192.168.150.1
>> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
>> <4>TRACE: raw:PREROUTING:rule:3 SRC=10.0.17.2 DST=192.168.150.1
>> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
>> <4>TRACE: raw:PREROUTING:policy:4 SRC=10.0.17.2 DST=10.0.17.1
>> LEN=59 ID=5833 CE FRAG:7000 PROTO=UDP
>>
>> I'm feeling there is not much more to solve. A little bit help would be so
>> greatly appreciated!
>>
>>
> True true, something is not quite right yet.
>
> I updated the branch with the latest commit ("updating checksumming
> code"), can you try that please? Thanks for keeping me on my toes ;-)
>
>
Jan,
some more information:
If I only set these rules, the two PCs can also successfully ping each
other, but the DNS request enters mangle:FORWARD after mangle:PREROUTING.
# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 21972 packets, 10M bytes)
 pkts  bytes target  prot opt in   out  source           destination
  535  57863 TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
   11    860 RAWSNAT all  --  eth2 *    192.168.150.111  0.0.0.0/0        to-source 10.0.17.2/32
Chain OUTPUT (policy ACCEPT 12897 packets, 5591K bytes)
 pkts  bytes target  prot opt in   out  source           destination
  168  30512 TRACE   all  --  *    *    0.0.0.0/0        0.0.0.0/0
    7    588 RAWDNAT all  --  *    eth2 0.0.0.0/0        10.0.17.2        to-destination 192.168.150.111/32
<4>TRACE: raw:PREROUTING:policy:3 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=16945 PROTO=UDP
SPT=56929 DPT=53 LEN=38
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT=
MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=16945 PROTO=UDP
SPT=56929 DPT=53 LEN=38
<4>TRACE: mangle:FORWARD:policy:1 IN=eth2 OUT=eth0 SRC=10.0.17.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=16945 PROTO=UDP
SPT=56929 DPT=53 LEN=38
<4>TRACE: filter:FORWARD:rule:3 IN=eth2 OUT=eth0 SRC=10.0.17.2
DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=16945 PROTO=UDP
SPT=56929 DPT=53 LEN=38
As described in my former postings, this already worked with an earlier
version of the kernel and iptables. I posted the sources as well. In the
former version I only had to set the rules above, but there was no
raw-table support integrated and the rules were set in the PREROUTING
and POSTROUTING chains of the mangle table!
If I can do something else, please let me know!