* NAT translation problem - leakage of packets with original source address
@ 2022-03-10 11:40 Marcin Kabiesz
2022-03-10 12:08 ` Florian Westphal
0 siblings, 1 reply; 7+ messages in thread
From: Marcin Kabiesz @ 2022-03-10 11:40 UTC (permalink / raw)
To: netfilter
Hello,
is it possible that with the OpenVPN interface tun0 every now and then
some packets with a private source address are visible and forwarded to
the router? because either it is intentional and I do not know or I
found an error in the NAT translation that skips some packet and I see
it on the router where the packet should not be, i.e. the router is a
public addressing router, so in order for the packet to get there, the
machine that sent it must exit at public which a few packages don't do
....
I also reported the problem to kernel.org, but I don't know if netfilter
is the right place.
1. server source with openvpn server
Mar 10 11:30:09 server kernel: [26083675.795216] Forward-Out: IN=tun0
OUT=eno1 MAC= SRC=192.168.5.10 DST=216.58.209.10 LEN=52 TOS=0x00
PREC=0x00 TTL=63 ID=64660 DF PROTO=TCP SPT=42296 DPT=443 SEQ=443014968
ACK=3344394422 WINDOW=501 RES=0x00 ACK FIN URGP=0 OPT
(0101080AD162AFE7A0460968)
2. server/router with only public addresses - default gateway
11:30:09.745326 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q
(0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0,
ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.5.10.42296 > 216.58.209.10.443: Flags [R], cksum 0xa055
(correct), seq 443014968, win 0, length 0
3. NAT rule
Chain POSTROUTING (policy ACCEPT 65M packets, 5184M bytes)
pkts bytes target prot opt in out source
destination
1905K 345M SNAT all -- * eno1 192.168.5.0/24
0.0.0.0/0 to:1.2.3.4 (my public IP)
4. why ?? passed or not ??
Regards
--
Marcin Kabiesz
Administrator Sieci IT
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: NAT translation problem - leakage of packets with original source address
2022-03-10 11:40 NAT translation problem - leakage of packets with original source address Marcin Kabiesz
@ 2022-03-10 12:08 ` Florian Westphal
2022-03-10 12:33 ` Marcin Kabiesz
0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2022-03-10 12:08 UTC (permalink / raw)
To: Marcin Kabiesz; +Cc: netfilter
Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
> is it possible that with the OpenVPN interface tun0 every now and then some
> packets with a private source address are visible and forwarded to the
> router?
Yes, NAT is only applied to packets that conntrack considers sane/valid.
You can e.g. add a drop rule for INVALID packets.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: NAT translation problem - leakage of packets with original source address
2022-03-10 12:08 ` Florian Westphal
@ 2022-03-10 12:33 ` Marcin Kabiesz
2022-03-10 14:53 ` Florian Westphal
0 siblings, 1 reply; 7+ messages in thread
From: Marcin Kabiesz @ 2022-03-10 12:33 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
W dniu 2022-03-10 13:08, Florian Westphal napisał(a):
> Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
>> is it possible that with the OpenVPN interface tun0 every now and then
>> some
>> packets with a private source address are visible and forwarded to the
>> router?
>
> Yes, NAT is only applied to packets that conntrack considers
> sane/valid.
>
> You can e.g. add a drop rule for INVALID packets.
Welcome,
Thank you for your answer.
My question is where do I create a rule for invalid packets? in NAT
POSTROUTING? or MANGLE POSTROUTING or other place leaving the server? I
am waiting for your opinion.
--
Marcin Kabiesz
Administrator Sieci IT
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: NAT translation problem - leakage of packets with original source address
2022-03-10 12:33 ` Marcin Kabiesz
@ 2022-03-10 14:53 ` Florian Westphal
2022-03-11 9:11 ` Marcin Kabiesz
0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2022-03-10 14:53 UTC (permalink / raw)
To: Marcin Kabiesz; +Cc: Florian Westphal, netfilter
Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
> My question is where do I create a rule for invalid packets? in NAT
> POSTROUTING? or MANGLE POSTROUTING or other place leaving the server? I am
> waiting for your opinion.
INVALID packets do not traverse NAT table, so NAT POSTROUTING won't
work.
I would suggest mangle postrouting or filter forward, depending on
wheter you want to include locally generated packets or not.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: NAT translation problem - leakage of packets with original source address
2022-03-10 14:53 ` Florian Westphal
@ 2022-03-11 9:11 ` Marcin Kabiesz
2022-03-11 12:53 ` Florian Westphal
0 siblings, 1 reply; 7+ messages in thread
From: Marcin Kabiesz @ 2022-03-11 9:11 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
W dniu 2022-03-10 15:53, Florian Westphal napisał(a):
> Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
>> My question is where do I create a rule for invalid packets? in NAT
>> POSTROUTING? or MANGLE POSTROUTING or other place leaving the server?
>> I am
>> waiting for your opinion.
>
> INVALID packets do not traverse NAT table, so NAT POSTROUTING won't
> work.
>
> I would suggest mangle postrouting or filter forward, depending on
> wheter you want to include locally generated packets or not.
Welcome,
I did as you wrote and even added the option to filter local networks
before entering NAT and still get traffic from the network for this
machine.
There is a 192.168.10.x / 24 network on this router and I can see its
packets as if NAT is running even though it is clearly told to replace
the source IP in the header. The POSTROUTING rule for INVALID does not
work because nothing gets caught in it.
This router NAT (not BGP - BGP is default Gateway)
Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
pkts bytes target prot opt in out source
destination
84216 8212K ACCEPT all -- * eth0.2 192.168.10.0/24
0.0.0.0/0
552K 46M ACCEPT all -- * eth0.2 192.168.11.0/24
0.0.0.0/0
0 0 ACCEPT all -- * eth0.2 192.168.12.0/24
0.0.0.0/0
0 0 DROP all -- * eth0.2 192.168.0.0/16
0.0.0.0/0
0 0 DROP tcp -- * eth0.2 0.0.0.0/0
0.0.0.0/0 state INVALID
and
Chain POSTROUTING (policy ACCEPT 30780 packets, 2009K bytes)
pkts bytes target prot opt in out source
destination
117K 17M SNAT all -- * eth0.2 192.168.10.0/24
0.0.0.0/0 to:1.2.3.4
558K 77M SNAT all -- * eth0.2 192.168.11.0/24
0.0.0.0/0 to:1.2.3.4
1629 256K SNAT all -- * eth0.2 192.168.12.0/24
0.0.0.0/0 to:1.2.3.4
My Router (BGP router) packet: (I shouldn't have seen it and here I can
see ...)
10:09:28.879415 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q
(0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0,
ttl 127, id 20066, offset 0, flags [DF], proto TCP (6), length 40)
192.168.10.206.57808 > 108.177.14.189.443: Flags [R.], cksum 0x3ba1
(correct), seq 2045590905, ack 4040794494, win 0, length 0
Please help / hint.
--
Marcin Kabiesz
Administrator Sieci IT
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: NAT translation problem - leakage of packets with original source address
2022-03-11 9:11 ` Marcin Kabiesz
@ 2022-03-11 12:53 ` Florian Westphal
2022-03-11 13:45 ` Marcin Kabiesz
0 siblings, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2022-03-11 12:53 UTC (permalink / raw)
To: Marcin Kabiesz; +Cc: Florian Westphal, netfilter
Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
> Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
> pkts bytes target prot opt in out source
> destination
> 84216 8212K ACCEPT all -- * eth0.2 192.168.10.0/24
> 0.0.0.0/0
> 552K 46M ACCEPT all -- * eth0.2 192.168.11.0/24
> 0.0.0.0/0
> 0 0 ACCEPT all -- * eth0.2 192.168.12.0/24
> 0.0.0.0/0
> 0 0 DROP all -- * eth0.2 192.168.0.0/16
> 0.0.0.0/0
> 0 0 DROP tcp -- * eth0.2 0.0.0.0/0
> 0.0.0.0/0 state INVALID
I suspect you need to move the INVALID rule to the beginning,
else packets might get accepted by earlier rule.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: NAT translation problem - leakage of packets with original source address
2022-03-11 12:53 ` Florian Westphal
@ 2022-03-11 13:45 ` Marcin Kabiesz
0 siblings, 0 replies; 7+ messages in thread
From: Marcin Kabiesz @ 2022-03-11 13:45 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
W dniu 2022-03-11 13:53, Florian Westphal napisał(a):
> Marcin Kabiesz <marcin.kabiesz@smarthost.pl> wrote:
>> Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
>> pkts bytes target prot opt in out source
>> destination
>> 84216 8212K ACCEPT all -- * eth0.2 192.168.10.0/24
>> 0.0.0.0/0
>> 552K 46M ACCEPT all -- * eth0.2 192.168.11.0/24
>> 0.0.0.0/0
>> 0 0 ACCEPT all -- * eth0.2 192.168.12.0/24
>> 0.0.0.0/0
>> 0 0 DROP all -- * eth0.2 192.168.0.0/16
>> 0.0.0.0/0
>> 0 0 DROP tcp -- * eth0.2 0.0.0.0/0
>> 0.0.0.0/0 state INVALID
>
> I suspect you need to move the INVALID rule to the beginning,
> else packets might get accepted by earlier rule.
Hello,
this is how i coped with this problem. Thank you for all your help :)
https://bugzilla.netfilter.org/show_bug.cgi?id=1115
I checked and filtered INVALID accordingly and it works :)
--
Marcin Kabiesz
Administrator Sieci IT
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-03-11 13:45 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-03-10 11:40 NAT translation problem - leakage of packets with original source address Marcin Kabiesz
2022-03-10 12:08 ` Florian Westphal
2022-03-10 12:33 ` Marcin Kabiesz
2022-03-10 14:53 ` Florian Westphal
2022-03-11 9:11 ` Marcin Kabiesz
2022-03-11 12:53 ` Florian Westphal
2022-03-11 13:45 ` Marcin Kabiesz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox