From: Manu <manuprivat@gmx.de>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: RAWNAT problem
Date: Tue, 16 Sep 2008 17:05:25 +0200
Message-ID: <48CFCB35.3070007@gmx.de>
In-Reply-To: <alpine.LNX.1.10.0809151246130.13892@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> On Monday 2008-09-15 12:02, Manu wrote:
>
>> With an additional rule [at PREROUTING 3]:
>> # iptables -nvL -t raw
>> Chain PREROUTING (policy ACCEPT 18821 packets, 7969K bytes)
>> pkts bytes target prot opt in out source destination
>> 11194 677K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>> 353 28929 RAWSNAT all -- eth2 * 192.168.150.111 0.0.0.0/0 to-source 10.0.17.2/32
>> 3 204 RAWDNAT all -- eth2 * 10.0.17.2 0.0.0.0/0 to-destination 10.0.17.1/32
>>
>> Chain OUTPUT (policy ACCEPT 21579 packets, 6930K bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 RAWDNAT udp -- * eth2 0.0.0.0/0 10.0.17.2 udp dpt:53 to-destination 192.168.150.111/32
>> 16610 6550K TRACE all -- * * 0.0.0.0/0 0.0.0.0/0
>>
>> I'm getting this result. If I do the RAWDNAT operation in
>> PREROUTING, do the packets lose the destination port? Or how do I
>> have to read that?
>>
>> <4>TRACE: raw:PREROUTING:rule:2 SRC=192.168.150.111 DST=192.168.150.1
>> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
>> <4>TRACE: raw:PREROUTING:rule:3 SRC=10.0.17.2 DST=192.168.150.1
>> LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
>> <4>TRACE: raw:PREROUTING:policy:4 SRC=10.0.17.2 DST=10.0.17.1
>> LEN=59 ID=5833 CE FRAG:7000 PROTO=UDP
>>
>> I'm feeling there is not much more to solve. A little bit help would be so
>> greatly appreciated!
>>
>>
> True true, something is not quite right yet.
>
> I updated the branch with the latest commit ("updating checksumming
> code"), can you try that please? Thanks for keeping me on my toes ;-)
>
>
Jan,

some more information:

If I only set these rules, the two hosts can also ping each other
successfully, but the DNS request enters mangle:FORWARD after
mangle:PREROUTING.
# iptables -nvL -t raw
Chain PREROUTING (policy ACCEPT 21972 packets, 10M bytes)
 pkts bytes target  prot opt in   out source          destination
  535 57863 TRACE   all  --  *    *   0.0.0.0/0       0.0.0.0/0
   11   860 RAWSNAT all  --  eth2 *   192.168.150.111 0.0.0.0/0   to-source 10.0.17.2/32

Chain OUTPUT (policy ACCEPT 12897 packets, 5591K bytes)
 pkts bytes target  prot opt in   out  source          destination
  168 30512 TRACE   all  --  *    *    0.0.0.0/0       0.0.0.0/0
    7   588 RAWDNAT all  --  *    eth2 0.0.0.0/0       10.0.17.2   to-destination 192.168.150.111/32
<4>TRACE: raw:PREROUTING:policy:3 IN=eth2 OUT= MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2 DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=16945 PROTO=UDP SPT=56929 DPT=53 LEN=38
<4>TRACE: mangle:PREROUTING:policy:1 IN=eth2 OUT= MAC=00:30:18:49:f3:2a:00:14:0b:30:d0:02:08:00 SRC=10.0.17.2 DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=128 ID=16945 PROTO=UDP SPT=56929 DPT=53 LEN=38
<4>TRACE: mangle:FORWARD:policy:1 IN=eth2 OUT=eth0 SRC=10.0.17.2 DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=16945 PROTO=UDP SPT=56929 DPT=53 LEN=38
<4>TRACE: filter:FORWARD:rule:3 IN=eth2 OUT=eth0 SRC=10.0.17.2 DST=192.168.150.1 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=16945 PROTO=UDP SPT=56929 DPT=53 LEN=38
As described in my former postings, this already worked with an earlier
version of the kernel and iptables. I posted the sources as well. In that
version I only had to set the rules above, but there was no raw table
support integrated, and the rules were set in the PREROUTING and
POSTROUTING chains of the mangle table!

If I can do something else, please let me know!
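As an added example (editor's code, not part of this thread and not from xtables-addons), here is a small Python script for reading TRACE output like the lines quoted above: it parses each "table:chain:rule|policy:N" hop, follows one packet by its IP ID through the tables, and reports at which hop SRC or DST changed, where the SPT/DPT fields stop being logged, and where bare flag tokens such as CE or FRAG:n (which the logger only prints when the IP header's flag/fragment bits are set) first appear. The sample input is the three TRACE lines quoted from the message with RAWDNAT at raw:PREROUTING rule 3; the "LEN_" key used for the second LEN field is this script's own convention.

```python
import re

# Constructed sample input: the three TRACE lines quoted in the message
# above (the run with RAWDNAT at raw:PREROUTING rule 3), one per line.
SAMPLE_TRACE = """\
<4>TRACE: raw:PREROUTING:rule:2 SRC=192.168.150.111 DST=192.168.150.1 LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
<4>TRACE: raw:PREROUTING:rule:3 SRC=10.0.17.2 DST=192.168.150.1 LEN=59 ID=5833 PROTO=UDP SPT=61014 DPT=53 LEN=39
<4>TRACE: raw:PREROUTING:policy:4 SRC=10.0.17.2 DST=10.0.17.1 LEN=59 ID=5833 CE FRAG:7000 PROTO=UDP
"""

# "<4>TRACE: table:chain:rule|policy:N <packet fields>"
HOP_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy):(?P<num>\d+) (?P<rest>.*)"
)


def parse_trace(text):
    """Parse kernel TRACE lines into hops.

    Each hop is a dict with its position ("table:chain:kind:num"), the
    KEY=VALUE packet fields, and the bare flag tokens (CE, DF, MF, FRAG:n)
    that the logger prints without an '='.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.search(line)
        if not m:
            continue
        fields, flags = {}, []
        for tok in m.group("rest").split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                # LEN is printed twice (IP total length, then UDP length);
                # keep both by suffixing a repeated key with '_'.
                while key in fields:
                    key += "_"
                fields[key] = value
            else:
                flags.append(tok)
        hops.append({
            "where": f"{m['table']}:{m['chain']}:{m['kind']}:{m['num']}",
            "fields": fields,
            "flags": flags,
        })
    return hops


def follow_packets(hops):
    """Group hops by (IP ID, PROTO) so each packet's path reads in order."""
    paths = {}
    for hop in hops:
        key = (hop["fields"].get("ID"), hop["fields"].get("PROTO"))
        paths.setdefault(key, []).append(hop)
    return paths


def audit_path(path):
    """Diff consecutive hops of one packet and report what changed.

    A TRACE line shows the packet as it arrives at that rule, so a change
    seen at hop N was made by the target of hop N-1.
    """
    findings = []
    prev = None
    for hop in path:
        if prev is not None:
            for key in ("SRC", "DST"):
                before, after = prev["fields"].get(key), hop["fields"].get(key)
                if before != after:
                    findings.append(
                        f"{hop['where']}: {key} {before} -> {after} (changed by {prev['where']})")
            for key in ("SPT", "DPT"):
                if key in prev["fields"] and key not in hop["fields"]:
                    findings.append(f"{hop['where']}: {key} no longer logged")
            new_flags = [f for f in hop["flags"] if f not in prev["flags"]]
            if new_flags:
                findings.append(f"{hop['where']}: new IP header flags {new_flags}")
        prev = hop
    return findings


if __name__ == "__main__":
    for (ip_id, proto), path in follow_packets(parse_trace(SAMPLE_TRACE)).items():
        print(f"packet ID={ip_id} PROTO={proto}: " + " -> ".join(h["where"] for h in path))
        for line in audit_path(path):
            print("  " + line)
```

Run against the sample, it reports the SRC rewrite observed at rule 3 (done by the RAWSNAT at rule 2), and at the chain policy the DST rewrite plus the disappearance of SPT/DPT and the newly printed CE and FRAG:7000 tokens, which is the point in the trace the message asks about. Feed it `dmesg` output from a box with TRACE rules to follow real packets the same way.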