From: Enrique Huerta de la Fuente <ehuerta@ixer.mx>
To: SamLT <sam@sltosis.org>
Cc: netfilter@vger.kernel.org, Andrew Beverley <andy@andybev.com>
Subject: Re: iptables udp 1195 MASQUERADE
Date: Tue, 14 Feb 2012 12:05:24 -0600 (CST)
Message-ID: <28509660.3204.1329242724424.JavaMail.root@ixer.mx>
In-Reply-To: <5260549.3200.1329242426858.JavaMail.root@ixer.mx>
>On Fri, Feb 10, 2012 at 08:05:47PM +0000, Andrew Beverley wrote:
>> On Fri, 2012-02-10 at 12:36 -0600, Enrique Huerta de la Fuente wrote:
>> > iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
>> >
>> > but it does not work.
>>
>> Are you *sure* it's not working?
>
>Sorry to jump in here, but, I agree with Enrique, could you show some
>tcpdump output or something?
>- Do the packets go out from ppp0 without being MASQUERAD'ed?
>- Do they go out from another interface?
>- Does it look like they are being filtered? or REDIRECT'ed?
>>
>>
>> >
> > Any ideas?
>>
>> Upgrade maybe? As said previously, it's always worked for me.
>>
>> Andy
Hello Sam,
I added a LOG target to check the rule in each of the OUTPUT hooks (raw, mangle and filter) and the POSTROUTING hook (mangle).
kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284
kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396
kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108
kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140
In the last log, the output interface has already changed, but the source address did not; this happens in the POSTROUTING hook (nat).
Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE" masks port 22 (tcp) but not 1195 (udp), since I can connect via ssh.
It seems the problem is that it does not mask port 1195 (udp).
These are my tcpdump outputs (tcpdump -i ppp0 -nn):
Before applying the MASQUERADE rule, port 22 (does not work):
21:59:47.012159 IP 201.15.40.9.60489 > 189.189.5.2.22: S 1987636:1987636(0) win 5840 <mss 1460,sackOK,timestamp 2332493919 0,nop,wscale 7>
21:59:50.011828 IP 201.15.40.9.60489 > 189.189.5.2.22: S 1987636:1987636(0) win 5840 <mss 1460,sackOK,timestamp 2332496919 0,nop,wscale 7>
21:59:56.011638 IP 201.15.40.9.60489 > 189.189.5.2.22: S 1987636:1987636(0) win 5840 <mss 1460,sackOK,timestamp 2332502919 0,nop,wscale 7>
After applying the MASQUERADE rule (does work):
22:01:40.922449 IP 201.102.128.12.58860 > 189.189.5.2.22: S 125979932:125979932(0) win 5840 <mss 1460,sackOK,timestamp 2332607835 0,nop,wscale 7>
22:01:40.941429 IP 189.189.5.2.22 > 201.102.128.12.58860: S 3858527134:3858527134(0) ack 125979933 win 5760 <mss 1412,sackOK,timestamp 2327811813 2332607835,nop,wscale 7>
22:01:40.941461 IP 201.102.128.12.58860 > 189.189.5.2.22: . ack 1 win 46 <nop,nop,timestamp 2332607854 2327811813>
22:01:40.967119 IP 189.189.5.2.22 > 201.102.128.12.58860: P 1:21(20) ack 1 win 45 <nop,nop,timestamp 2327811835 2332607854>
22:01:40.967175 IP 201.102.128.12.58860 > 189.189.5.2.22: . ack 21 win 46 <nop,nop,timestamp 2332607879 2327811835>
22:01:40.967290 IP 201.102.128.12.58860 > 189.189.5.2.22: P 1:21(20) ack 21 win 46 <nop,nop,timestamp 2332607880 2327811835>
22:01:40.986909 IP 189.189.5.2.22 > 201.102.128.12.58860: . ack 21 win 45 <nop,nop,timestamp 2327811857 2332607880>
22:01:40.986932 IP 201.102.128.12.58860 > 189.189.5.2.22: P 21:733(712) ack 21 win 46 <nop,nop,timestamp 2332607899 2327811857>
22:01:41.000709 IP 189.189.5.2.22 > 201.102.128.12.58860: P 21:725(704) ack 21 win 45 <nop,nop,timestamp 2327811858 2332607880>
22:01:41.041005 IP 201.102.128.12.58860 > 189.189.5.2.22: . ack 725 win 57 <nop,nop,timestamp 2332607953 2327811858>
But whether or not I apply the MASQUERADE rule for port 1195 (udp), nothing happens.
At this point, I apply these rules:
iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -I POSTROUTING -m udp -p udp --dport 1195 -o ppp0 -j MASQUERADE
iptables -t nat -I POSTROUTING -d 189.189.5.2 -m udp -p udp --dport 1195 -o ppp0 -j SNAT --to 201.102.128.12:1195
22:30:54.885067 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100
22:30:55.277241 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 324
22:30:55.539264 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 276
22:30:55.547639 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 388
22:30:55.619872 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 324
22:30:55.723678 IP 189.189.5.2.1195 > 201.102.128.12.1195: UDP, length 100
22:30:55.745952 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100
22:30:55.993822 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1556
22:30:55.993842 IP 201.15.40.9 > 189.189.5.2: udp
22:30:55.993879 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1556
22:30:55.993896 IP 201.15.40.9 > 189.189.5.2: udp
22:30:55.993932 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1556
22:30:55.993947 IP 201.15.40.9 > 189.189.5.2: udp
22:30:55.993982 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 1508
22:30:55.993988 IP 201.15.40.9 > 189.189.5.2: udp
22:30:56.344615 IP 189.189.5.2.1195 > 201.102.128.12.1195: UDP, length 100
22:30:56.366510 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100
# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 174.133.237.209
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
MASQUERADE udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1195
SNAT udp -- 0.0.0.0/0 189.189.5.2 udp dpt:1195 to:201.102.128.12:1195
MASQUERADE tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t mangle -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 MARK set 0x1
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
MARK udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1195 MARK set 0x1
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 MARK set 0x1
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
The problem is that the MASQUERADE rule does not work with UDP (1195).
Any idea?
E.Huerta
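The debugging method in the message above (LOG targets in each pre-nat hook plus a tcpdump on ppp0) can be turned into a small checker. The following is an added example, not code from the thread or from the netfilter project: it parses the poster's kernel LOG lines and tcpdump lines (embedded below as a constructed sample), reports for each flow which interface the routing decision chose and what source address was seen before nat POSTROUTING, and then uses the ppp0 capture to decide whether the source was actually rewritten. The WAN address 201.102.128.12 and the peer 189.189.5.2 are taken from the message; the hook names and the prefix layout `<CHAIN>-<port>-<TABLE>` are assumed to follow the poster's naming scheme. One caveat the checker prints, which the thread itself does not state: all four LOG hooks run before nat POSTROUTING, so an unchanged SRC there is expected, and the nat table evaluates only the first packet of a conntrack flow, so a long-lived UDP flow that existed before the rule was inserted keeps its original, un-NATed binding.

```python
import re
from collections import defaultdict

# Constructed sample built from the LOG and tcpdump lines quoted in the message.
# The ppp0 fragment line without ports is kept to show that the parser skips it.
KERNEL_LOG = """\
kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284
kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140
"""

TCPDUMP_PPP0 = """\
22:01:40.922449 IP 201.102.128.12.58860 > 189.189.5.2.22: S 125979932:125979932(0) win 5840 <mss 1460,sackOK,timestamp 2332607835 0,nop,wscale 7>
22:01:40.941429 IP 189.189.5.2.22 > 201.102.128.12.58860: S 3858527134:3858527134(0) ack 125979933 win 5760 <mss 1412,sackOK,timestamp 2327811813 2332607835,nop,wscale 7>
22:30:54.885067 IP 201.15.40.9.1195 > 189.189.5.2.1195: UDP, length 100
22:30:55.723678 IP 189.189.5.2.1195 > 201.102.128.12.1195: UDP, length 100
22:30:55.993842 IP 201.15.40.9 > 189.189.5.2: udp
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>[^:]+): (?P<fields>.*)")
DUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")


def parse_kernel_log(text):
    """Yield (hook, fields) per LOG line; fields are the KEY=VALUE pairs.
    Assumes the poster's prefix layout <CHAIN>-<port>-<TABLE>."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
        chain, _port, table = m.group("prefix").split("-")
        yield f"{chain}-{table}", fields


def trace_pre_nat(text):
    """Per (proto, dport): the (OUT interface, SRC) seen at each pre-nat hook.
    All of these hooks run before nat POSTROUTING, so SRC is not yet rewritten."""
    trace = defaultdict(dict)
    for hook, f in parse_kernel_log(text):
        trace[(f["PROTO"], int(f["DPT"]))][hook] = (f["OUT"], f["SRC"])
    return dict(trace)


def parse_tcpdump(text):
    """Yield (proto, src, dst, dport) for lines with ports; fragment lines
    such as 'IP a > b: udp' carry no ports and are skipped."""
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if not m:
            continue
        proto = "UDP" if m.group("rest").startswith("UDP") else "TCP"
        yield proto, m.group("src"), m.group("dst"), int(m.group("dport"))


def masquerade_verdict(dump_text, external_ip, remote_ip):
    """Per (proto, dport) towards remote_ip: did every outbound packet captured
    on the WAN interface carry the WAN address as its source?"""
    seen = defaultdict(lambda: {"ok": 0, "leaked": 0})
    for proto, src, dst, dport in parse_tcpdump(dump_text):
        if dst != remote_ip:
            continue  # replies say nothing about our SNAT; only outbound packets do
        seen[(proto, dport)]["ok" if src == external_ip else "leaked"] += 1
    return {k: ("masqueraded" if v["leaked"] == 0 else "not masqueraded")
            for k, v in seen.items()}


def diagnose(kernel_log, dump_text, external_ip, remote_ip, wan_if="ppp0"):
    """Combine the LOG trace with the WAN capture into a per-flow finding."""
    findings = {}
    verdicts = masquerade_verdict(dump_text, external_ip, remote_ip)
    for flow, hooks in trace_pre_nat(kernel_log).items():
        last = hooks.get("POSTROUTING-MANGLE")
        routed_to_wan = last is not None and last[0] == wan_if
        verdict = verdicts.get(flow, "no WAN capture")
        if routed_to_wan and verdict == "not masqueraded":
            # The nat table only sees the first packet of a conntrack flow; a flow
            # that existed before the rule was inserted keeps its un-NATed binding.
            findings[flow] = (f"routed to {wan_if} but source not rewritten: check "
                              f"whether the conntrack entry pre-dates the NAT rule")
        elif routed_to_wan:
            findings[flow] = verdict
        else:
            findings[flow] = f"not routed via {wan_if}"
    return findings


if __name__ == "__main__":
    for flow, finding in diagnose(KERNEL_LOG, TCPDUMP_PPP0,
                                  "201.102.128.12", "189.189.5.2").items():
        print(f"{flow[0]}/{flow[1]}: {finding}")
```

On the sample, TCP/22 comes out as masqueraded and UDP/1195 as routed to ppp0 but not rewritten, which is exactly the split the two captures in the message show; the checker deliberately keys only on outbound packets, because the return packets addressed to 201.102.128.12 would otherwise hide the leak.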