Linux Netfilter discussions
From: Enrique Huerta de la Fuente <ehuerta@ixer.mx>
To: Andrew Beverley <andy@andybev.com>
Cc: netfilter@vger.kernel.org
Subject: Re: iptables udp 1195 MASQUERADE
Date: Mon, 6 Feb 2012 23:12:20 -0600 (CST)	[thread overview]
Message-ID: <16986089.2736.1328591540466.JavaMail.root@ixer.mx> (raw)
In-Reply-To: <13902251.2734.1328591255561.JavaMail.root@ixer.mx>

>----- Original message -----
>From: "Andrew Beverley" <andy@andybev.com>
>To: ehuerta@ixer.mx
>CC: netfilter@vger.kernel.org
>Sent: Saturday, 4 February 2012 13:58:32
>Subject: Re: iptables udp 1195 MASQUERADE
>
>On Tue, 2012-01-24 at 17:34 -0600, Enrique Huerta de la Fuente wrote:
>> Hello
>>
>> I have OpenVPN (lan to lan)
>>
>> On site 1 (4 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - eth3 (internet link)
>> - ppp0 (internet link)
>> - Default gateway eth1
>>
>> On site 2 (3 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - ppp0 (internet link)
>> - Default gateway ppp0
>>
>> The eth3 interface (site 1) and the eth1 interface (site 2) are the
>> same supplier, the same mask.
>>
>> The VPN works with eth3 (site 1) <---> eth1 (site 2) and it works
>> great. We must not go over the gateway because they are the same
>> provider and it does not require the gateway.
>>
>> But if any of the VPN links (eth3 or eth1) fails, we need to change
>> the VPN links to ppp0 (site 1) <-----> ppp0 (site 2).
>>
>> Here's the problem!
>>
>> At site 1, the UDP packets should go out via ppp0 (the default gateway
>> is eth1). To do this:
>>
>> # iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1
>
>Are you sure you've got this rule correct? Have you tried doing a LOG
>target to check that it is matching the packets that you would expect?
>
>>
>> So the routes are:
>>
>> # ip rule ls
>> 0: from all lookup 255
>> 32757: from all fwmark 0x1 lookup infinitum
>> 32758: from 189.143.36.36 lookup infinitum
>> 32759: from 38.124.170.15 lookup bbs
>> 32766: from all lookup main
>>
>> # ip route ls table infinitum
>> default via 189.143.36.36 dev ppp0
>>
>>
>> The problem is that no packets arrive from site 1 at site 2. The
>> UDP packets from site 2 do arrive at site 1.
>>
>> I tested with port 22 (ssh) and it works.
>>
>> # iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1
>>
>>
>> Any idea why no UDP packets arrive at site 2?
>>
>> regards
>>
>> E.Huerta


Hello Andrew, thank you for the attention.

I did a LOG target to check the rule in each of the OUTPUT hooks (raw, mangle, nat and filter) and POSTROUTING hooks (mangle and nat).


kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284 

kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396 

kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108 

kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140 

In the OUTPUT and POSTROUTING hooks in the NAT table, I cannot log.

In the last log, the output interface has already changed, but the source address did not change.

Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE" masquerades port 22 (tcp) but not 1195 (udp), because I can connect via ssh.

It seems the problem is that it does not masquerade port 1195 (udp).

Any idea?

regards

E.Huerta
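The LOG lines above are easy to misread by eye, so here is an added example (not code from the thread) that parses kernel netfilter LOG output of the form `PREFIX: IN= OUT=... SRC=... DST=...` and reports, per LOG prefix, the egress interface seen at each hook and whether SRC changed between the first and last logged hook. The sample lines are constructed from the ones quoted above; the prefix layout `HOOK-LABEL-TABLE` is the convention used in this thread, not a kernel format.

```python
import re
from collections import defaultdict

# Constructed sample built from the LOG lines quoted in the thread, in hook order.
SAMPLE_LOG = """\
kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284
kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140
"""

# Prefix convention from this thread: HOOK-LABEL-TABLE (e.g. POSTROUTING-1195-MANGLE).
LINE_RE = re.compile(r"kernel: (?P<hook>[A-Z]+)-(?P<label>[^-]+)-(?P<table>[A-Z]+): (?P<rest>.*)")


def parse_log_line(line):
    """Return a dict of the LOG fields, or None for lines that are not netfilter LOG output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"hook": m.group("hook"), "label": m.group("label"), "table": m.group("table")}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # UDP lines carry LEN twice (IP header, then UDP header): keep the first one.
            rec.setdefault(k, v)
        else:
            rec.setdefault("flags", []).append(tok)  # DF, ACK, ... have no value
    return rec


def trace_by_label(log_text):
    """Group parsed records by LOG label, preserving the order the hooks logged them."""
    traces = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec:
            traces[rec["label"]].append(rec)
    return dict(traces)


def egress_path(traces):
    """Output interface at each logged hook per label, consecutive duplicates collapsed."""
    paths = {}
    for label, recs in traces.items():
        devs = []
        for r in recs:
            if not devs or devs[-1] != r["OUT"]:
                devs.append(r["OUT"])
        paths[label] = devs
    return paths


def src_rewritten(traces):
    """True if SRC differs between the first and last logged hook for that label."""
    return {label: recs[0]["SRC"] != recs[-1]["SRC"] for label, recs in traces.items()}
```

Note that mangle POSTROUTING runs before nat POSTROUTING, so an unchanged SRC in these logs does not by itself show that MASQUERADE was skipped; the conntrack table (`conntrack -L -p udp`), which records both the original and the reply tuple, is where the source rewrite would be visible.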
