From: Stefan Praszalowicz
Subject: Re: masquerading setting bogus source IP address
Date: 11 Sep 2002 13:31:00 +0200
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <1031743861.661.9.camel@bilbol>
To: Gert.Vandelaer@medisearch-int.com
Cc: netfilter@lists.netfilter.org

On Wed, 2002-09-11 at 10:52, Gert.Vandelaer@medisearch-int.com wrote:
> Hya,
>
> first of all, I'd like to start by asking why you had to reboot the server?

The server was acting weird, we had a bunch of different problems (like no more dhcp, no more dns, some machines had access to the net and others did not), and as we were 3 not very organized guys on the thing we ended up rebooting it in confusion.

> After knowing that, there might be some more clues to follow ...
> Your problem fixer is not going to last because masq is the same as snat,
> with the difference that snat does not handle dynamic IPs (explained in
> docs ...)
Aha ! I did not know that ;) And that's good news too, because our public IP is static.

> What IP range does your lan have? What is the IP (if any at all) of the
> nic connected to the DSL router?

The lan IP range is 192.168.x.x/16, with subnets 192.168.1.x/24 being the servers subnet and 192.168.3.x/24 the wireless lan hosts subnet.
The NIC to the DSL router is actually connected to a switch on which we have the WLAN access points and the DSL router.
This NIC has IPs on both ranges: eth1/192.168.3.254 and eth1:0/10.0.0.137

Thanks very much Gert for your quick response. I was happily surprised to read your mail, which, starting with 'first of all...', gave me a warm feeling of being listened to ;).

Stefan

> Cya,
> Gert
>
> Stefan Praszalowicz <stefan@avedya.com> wrote on 10/09/2002 08:04 PM
> (sent by netfilter-admin@lists.netfilter.org)
> To: netfilter@lists.netfilter.org
> Subject: masquerading setting bogus source IP address
>
> Hi guys,
>
> We're using a Linux 2.4 box as an ADSL gateway for our company office.
>
> Today after rebooting this server we caught a very strange problem...
>
> The gateway itself could access the net, but not the masqueraded machines.
> Running tcpdump, we saw that the gateway was setting the wrong source IP
> for the masqueraded connections.
>
> Basically, the packets it sent had src-addr set to 10.0.0.0.
>
> After restarting the pppoe/PPP link to the dsl modem, the source IP seemed
> to be incremented. I don't know for sure but at one point the IP was
> 10.0.0.17 and next 10.0.0.18.
>
> I solved the problem by adding a SNAT rule before the MASQ one:
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -t nat -I POSTROUTING 1 -j SNAT --to 217.128.104.14
>
> Has anybody seen this before?
> Could it be related to the order in which we start things (like ppp,
> firewall scripts, ...)?
>
> Thanks anyway
>
> =======================
> Some details about the tcpdump results:
>
> ** packets originating from the masqueraded hosts, with bogus src ip:
>
> 19:09:19.693511 10.0.0.0.33514 > 128.8.10.90.domain:  29756 A? tracker.ambrosia.net. (38) (DF)
> 19:09:19.693539 10.0.0.0.33514 > 193.252.19.3.domain:  17779+ A? login.oscar.aol.com. (37) (DF)
> mail.avedya.com. (33) (DF)
> 19:09:20.693477 10.0.0.0.33514 > 128.63.2.53.domain:  6018 A? mail.edi-presse.fr. (36) (DF)
>
> ** packets originating from the gateway itself, src is OK
> 19:09:23.985905 217.128.104.14.1049 > 193.252.19.3.domain:  11374+ A? yahoo.com. (27) (DF)
> 19:09:24.128264 193.252.19.3.domain > 217.128.104.14.1049:  11374 2/5/5 A 66.218.71.198, A 64.58.79.230 (229) (DF)
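The tcpdump output quoted above is the whole diagnosis: on the external link, packets from the LAN leave with source 10.0.0.0 instead of the gateway's public address, while the gateway's own traffic is fine. The following Python check is an added example, not code from this thread or from the netfilter project. It parses tcpdump lines in the format shown (the `parse_line`, `classify_source`, `check_external_capture` and `summarize` names are mine), assumes the capture was taken on the external ppp interface where the only legitimate outbound source is the public IP, and uses constructed sample lines modelled on the ones in the mail. The public address 217.128.104.14 and the 192.168.0.0/16 LAN range are the values given in the thread; the check also distinguishes the case this thread does not show, a LAN address leaking out entirely un-NATed.

```python
import ipaddress
import re

# Constructed sample capture, modelled on the tcpdump lines quoted in the
# thread (same layout: "HH:MM:SS.usec src.port > dst.port: ...").
SAMPLE_CAPTURE = """\
19:09:19.693511 10.0.0.0.33514 > 128.8.10.90.domain:  29756 A? tracker.ambrosia.net. (38) (DF)
19:09:19.693539 10.0.0.0.33514 > 193.252.19.3.domain:  17779+ A? login.oscar.aol.com. (37) (DF)
19:09:20.693477 10.0.0.0.33514 > 128.63.2.53.domain:  6018 A? mail.edi-presse.fr. (36) (DF)
19:09:23.985905 217.128.104.14.1049 > 193.252.19.3.domain:  11374+ A? yahoo.com. (27) (DF)
19:09:24.128264 193.252.19.3.domain > 217.128.104.14.1049:  11374 2/5/5 A 66.218.71.198, A 64.58.79.230 (229) (DF)
"""

# Address/port prefix of an old-style (tcpdump 3.x) IPv4 record. Ports may be
# numeric or service names such as "domain", so [\w-]+ is accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>[\w-]+):"
)


def parse_line(line):
    """Return ts/src/sport/dst/dport for one tcpdump line, or None if the
    line is not an IPv4 record (continuation lines, noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": m.group("sport"),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": m.group("dport"),
    }


def classify_source(src, public_ip, lan_nets):
    """Explain why a source address is wrong on the external link, or return
    None when it is the expected public address."""
    if src == public_ip:
        return None
    if any(src in net for net in lan_nets):
        # The NAT rule was bypassed or missing: the private LAN address escaped as-is.
        return "LAN address leaked without NAT"
    if src.is_private or src.is_unspecified or src.is_reserved or src.is_loopback:
        # The 10.0.0.0 case from the thread: translated, but to a bogus address.
        return "private/bogon source on external link"
    return "unexpected public source"


def check_external_capture(capture_text, public_ip, lan_nets):
    """Scan a capture taken on the external interface and list every outbound
    packet whose source is not the gateway's public IP. Packets addressed to
    the public IP are inbound replies and are skipped."""
    public = ipaddress.ip_address(public_ip)
    lans = [ipaddress.ip_network(n) for n in lan_nets]
    findings = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] == public:
            continue
        reason = classify_source(pkt["src"], public, lans)
        if reason is not None:
            findings.append({
                "ts": pkt["ts"],
                "src": str(pkt["src"]),
                "dst": str(pkt["dst"]),
                "dport": pkt["dport"],
                "reason": reason,
            })
    return findings


def summarize(findings):
    """Count findings per (source, reason) so a flood of identical bad
    packets collapses into a single report line."""
    counts = {}
    for f in findings:
        key = (f["src"], f["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Public address and LAN range as stated in the thread.
    bad = check_external_capture(SAMPLE_CAPTURE, "217.128.104.14", ["192.168.0.0/16"])
    for (src, reason), n in summarize(bad).items():
        print(f"{n} packet(s) from {src}: {reason}")
    for f in bad:
        print(f"  {f['ts']} {f['src']} -> {f['dst']}:{f['dport']}")
```

Run against the sample it reports three packets from 10.0.0.0 as a private source on the external link and nothing for the gateway's own query or the reply to it. Feeding it a live `tcpdump -n -i ppp0` capture after a reboot or a PPP restart gives a quick regression check that the POSTROUTING rules took effect in the right order.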




