From: James MacLean <macleajb@ednet.ns.ca>
To: netfilter@lists.netfilter.org
Subject: Private traffic seen on public NATed interface - Linux 2.6.10-11 tested
Date: Tue, 15 Mar 2005 15:30:42 -0400 [thread overview]
Message-ID: <423737E2.4050201@ednet.ns.ca> (raw)
Hi Folks,
Today we noticed that some traffic appears to be getting by netfilter
unNATed. The computers use typical SNATing such as :
iptables -t nat -I POSTROUTING -j SNAT -s <private ip space> -o eth0 --to <IP of eth0>
While we were dumping traffic on the public interface, we noticed
private IPs showing up in our dumps.
We verified that there existed sessions between private IPs and public
Internet sites where some of the private traffic was returning to the
Internet site not NATed.
We started watching, and saw this occur on servers with 2.6.11 and
2.6.10 kernels which are all we have to test with.
These kernels were compiled locally.
For example, tcpdumping on a public interface where no private IPs
should live :
15:19:22.066190 IP 10.0.7.100.2640 > 142.176.33.171.http: R 2946695981:2946695981(0) ack 4138631275 win 0
15:19:22.066516 IP 10.0.7.100.2641 > 142.176.33.170.http: R 818314876:818314876(0) ack 4144245614 win 0
15:19:22.066684 IP 10.0.7.100.2638 > 142.176.33.170.http: R 3381617258:3381617258(0) ack 4136231656 win 0
15:19:22.067353 IP 10.0.7.100.2639 > 142.176.33.170.http: R 3920569986:3920569986(0) ack 4133397861 win 0
15:19:22.068045 IP 10.0.7.100.2642 > 142.176.33.170.http: R 3340982500:3340982500(0) ack 4135371285 win 0
15:19:24.001820 IP 10.0.5.13.2023 > 65.54.194.118.http: F 0:0(0) ack 1 win 64790
It appears the offending traffic is not payload type traffic and is just
control traffic, although our testing was only looking at a small dump
with Ethereal.
Is there something we may have been setting up incorrectly?
JES
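As an added example (not part of the original post), the check the author did by eye can be automated: parse tcpdump output from the public interface, flag any packet whose source is RFC 1918 space, and summarise the TCP flags and payload sizes to confirm whether the leak is control-only as observed above. The sample lines are constructed to match the format of the dump in the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the tcpdump format shown in the post, one packet per line.
SAMPLE_DUMP = """\
15:19:22.066190 IP 10.0.7.100.2640 > 142.176.33.171.http: R 2946695981:2946695981(0) ack 4138631275 win 0
15:19:24.001820 IP 10.0.5.13.2023 > 65.54.194.118.http: F 0:0(0) ack 1 win 64790
15:19:25.100000 IP 203.0.113.5.40001 > 142.176.33.170.http: P 1:101(100) ack 1 win 65535
15:19:26.200000 IP 203.0.113.5.40002 > 65.54.194.118.http: S 1000:1000(0) win 65535
"""

# Address space that must never appear as a source on a SNATed public interface.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Old-style tcpdump TCP line: time, src.port > dst.port, flags, seq(len) ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): (?P<flags>[SFRPUE.]+) "
    r"(?P<seq>\S+)\((?P<payload>\d+)\)")


def parse_line(line):
    """Return a dict of the packet fields, or None for lines that are not TCP/IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["payload"] = int(pkt["payload"])
    return pkt


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


def find_leaks(dump_text):
    """Packets leaving the public interface with a private (un-NATed) source."""
    return [pkt for pkt in map(parse_line, dump_text.splitlines())
            if pkt and is_private(pkt["src"])]


def flag_summary(leaks):
    """Count TCP flag combinations among leaked packets (e.g. R, F, P)."""
    return Counter(pkt["flags"] for pkt in leaks)


def control_only(leaks):
    """True when every leaked packet carries no payload, matching the post's observation."""
    return all(pkt["payload"] == 0 for pkt in leaks)
```

Feed it `tcpdump -n -i eth0` output captured on the public interface; any non-empty result from find_leaks() means the SNAT rule is being bypassed for those flows.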