Linux Netfilter discussions
From: "Timothy Hayes" <morphieus@earthlink.net>
Cc: netfilter@vger.kernel.org
Subject: SNAT - on bridge only addressing some packets?
Date: Thu, 29 Jul 2010 12:37:25 -0700	[thread overview]
Message-ID: <006601cb2f55$790557b0$6b100710$@net> (raw)
In-Reply-To: <4B50959F.4040207@solutti.com.br>

First, I only casually use netfilter normally, and never before with a bridged configuration, so I apologize for any missing details.

What I need to do is have each connection from one box on the local side of the bridge appear to come from different IPs than the system currently does. As I've stated, the system that I've been told to enact these changes on appears to be a transparent bridge configuration.

The bridge is currently running Ubuntu 9.04
2.6.28-19-server #61-Ubuntu SMP Thu May 27 00:22:27 UTC 2010 x86_64 GNU/Linux
An outsourced vendor is using shorewall version 4.0.15 for fw management.
The virtual bridge interface is br0
The external interface is eth0
The internal interface is eth2
The source host appears to have a router external to the bridge as its default gw.

I've been trying a rule similar to:
iptables -t nat -A POSTROUTING -o br0 -p tcp -s <unnated source host> -d <external webhost> -j SNAT --to-source <natted sourcehost>


What I see off of bridge using "tcpdump -ni eth0 host <external webhost>"


listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:21:26.149511 IP <natted sourcehost>.3387 > <external webhost>.www: S 1222579102:1222579102(0) win 65535 <mss 1460,nop,nop,sackOK>
12:21:26.233964 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:26.234005 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:26.234082 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.104834 IP <natted sourcehost>.3387 > <external webhost>.www: S 1222579102:1222579102(0) win 65535 <mss 1460,nop,nop,sackOK>
12:21:29.189434 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.189459 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.189499 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.231507 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.231529 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.231568 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.121142 IP <natted sourcehost>.3387 > <external webhost>.www: S 1222579102:1222579102(0) win 65535 <mss 1460,nop,nop,sackOK>
12:21:35.205294 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.205324 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.205363 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.234786 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.234807 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.234847 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>

I did turn on ip forwarding by doing:
echo 1 > /proc/sys/net/ipv4/ip_forward

The firewall does appear to have all the rules needed to track the connections?
user@system:/home/user# cat base.fwr1 | grep ESTABLISHED
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A world2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A world2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A world2loc -m state --state RELATED,ESTABLISHED -j ACCEPT

Any help would be greatly appreciated.

Thread overview: 3+ messages
2010-01-15 15:33 SNAT - matching original and natted IP addresses Shirley Ong
2010-01-15 16:19 ` Leonardo Rodrigues
2010-07-29 19:37   ` Timothy Hayes [this message]