From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Roman Fiedler <roman.fiedler@telbiomed.at>
Cc: netfilter@vger.kernel.org
Subject: Re: [nf-failover] conntrack questions
Date: Tue, 11 Mar 2008 12:48:27 +0100
Message-ID: <47D6718B.8000905@netfilter.org>
In-Reply-To: <47BED5AF.3020006@telbiomed.at>
Roman Fiedler wrote:
> Hello Everyone,
>
> I have some problems using the conntrack application; it could be that I'm just
> using the conntrack options the wrong way or that my assumptions about conntracking itself
> are wrong.
>
> Testcase:
>
> * Two networks 10.0.0.0/24 and 10.0.1.0/24 separated by firewall
> * iptables firewall drops all tcp-SYN net A to B and writes log file entry
> * some DROPS are interesting, so I grep info about them from logfile
> (src,dest,ports)
> * with the conntrack tool I want to create a conntrack table entry so that the
> connection is accepted and the following SYN is SNATed/DNATed to a given IP
> (currently also in net A, but that could be changed)
>
> Is this possible? My iptables setup should accept all RELATED,ESTABLISHED
> packets by default and the conntrack entry should set the natting for this
> single connection and make it ACCEPTED.
>
> Currently, I use the following to add the connection (for testing, the src port is fixed to
> 1234 and dest to 25; test host is 138, forbidden target 1.10, reroute host 0.77):
>
> conntrack -I conntrack -p tcp --orig-src 10.0.0.138 --orig-dst 10.0.1.10
> --reply-src 10.0.0.77 --reply-dst 10.0.0.1 --orig-port-src 1234 --orig-port-dst
> 25 --reply-port-src 25 --reply-port-dst 1234 --state SYN_SENT -u ASSURED -t 10
> --src-nat 10.0.0.1 --dst-nat 10.0.0.77
>
> With this rule the rule hit counter is incremented when sending a SYN, but ulogd
> still reports a DROP
>
> tcp 6 117 SYN_SENT src=10.0.0.138 dst=10.0.1.10 sport=1234 dport=25
> packets=1 bytes=60 [UNREPLIED] src=10.0.0.77 dst=10.0.0.1 sport=25 dport=1234
> packets=0 bytes=0 [ASSURED] mark=0 use=1
>
> ulog output:
> Feb 22 12:39:17 firewall-grz-0 Shorewall:FORWARD:DROP: IN=eth0 OUT=eth1 MAC=00
> SRC=10.0.0.138 DST=10.0.1.10 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=61556 CE DF
> PROTO=TCP SPT=1234 DPT=25 SEQ=2694492256 ACK=0 WINDOW=5840 SYN URGP=0
>
> When using LISTEN instead of SYN_SENT, the packets/bytes counter does not go up,
> but also no drop is reported and the packet does not leave via any interface.
>
> Can someone give me a hint where I am wrong?
Sorry, to be honest, I don't understand what you're doing. Please,
elaborate a bit more.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
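As an added example (not part of the thread, and not code from the netfilter project), here is a small Python parser for the two log formats quoted above. It splits the `conntrack -L` line into its original-direction and reply-direction tuples plus status flags, splits the ulogd DROP line into its fields, and then reports which tuple of the entry the logged SYN matches and which `--ctstate` value the kernel would assign to it. The classification follows the conntrack core's rule: a packet in the reply direction is ESTABLISHED, while a packet in the original direction is ESTABLISHED only after a reply has been seen (i.e. once the `[UNREPLIED]` flag is gone) and is NEW until then. The sample lines are copied from the thread; entries created by expectations (RELATED) are not modelled.

```python
import re

# Constructed sample input: the conntrack -L entry and the ulogd DROP line
# quoted in the thread, embedded here so the script runs offline.
CONNTRACK_LINE = (
    "tcp 6 117 SYN_SENT src=10.0.0.138 dst=10.0.1.10 sport=1234 dport=25 "
    "packets=1 bytes=60 [UNREPLIED] src=10.0.0.77 dst=10.0.0.1 sport=25 dport=1234 "
    "packets=0 bytes=0 [ASSURED] mark=0 use=1"
)
ULOG_LINE = (
    "Feb 22 12:39:17 firewall-grz-0 Shorewall:FORWARD:DROP: IN=eth0 OUT=eth1 MAC=00 "
    "SRC=10.0.0.138 DST=10.0.1.10 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=61556 CE DF "
    "PROTO=TCP SPT=1234 DPT=25 SEQ=2694492256 ACK=0 WINDOW=5840 SYN URGP=0"
)

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
FLAG_RE = re.compile(r"\[([A-Z_]+)\]")


def parse_conntrack_line(line):
    """Parse one `conntrack -L` line for a TCP entry.

    Layout: proto name, proto number, timeout, TCP state, then the
    original-direction tuple, then the reply-direction tuple. Bracketed
    tokens such as [UNREPLIED] and [ASSURED] are status flags.
    """
    head = line.split()
    proto, proto_num, timeout, tcp_state = head[0], int(head[1]), int(head[2]), head[3]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple")

    def as_tuple(t):
        return (t[0], t[1], int(t[2]), int(t[3]))

    return {
        "proto": proto,
        "proto_num": proto_num,
        "timeout": timeout,
        "tcp_state": tcp_state,
        "orig": as_tuple(tuples[0]),
        "reply": as_tuple(tuples[1]),
        "flags": set(FLAG_RE.findall(line)),
    }


def parse_ulog_line(line):
    """Parse a netfilter LOG/ulogd line into KEY=VALUE fields plus bare flags (SYN, DF, CE)."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok.isupper():
            flags.add(tok)
    return {"fields": fields, "flags": flags}


def packet_tuple(pkt):
    """The (src, dst, sport, dport) tuple of a logged packet."""
    f = pkt["fields"]
    return (f["SRC"], f["DST"], int(f["SPT"]), int(f["DPT"]))


def classify(ct, pkt):
    """Return (direction, ctstate) the kernel assigns to `pkt` against entry `ct`.

    Reply-direction packets are ESTABLISHED. Original-direction packets are
    ESTABLISHED only once a reply has been seen, which conntrack -L shows by
    dropping the [UNREPLIED] flag; before that they are NEW. A SYN matching
    neither tuple belongs to no entry and would create a new one (NEW).
    """
    t = packet_tuple(pkt)
    if t == ct["reply"]:
        return "REPLY", "ESTABLISHED"
    if t == ct["orig"]:
        return "ORIGINAL", ("NEW" if "UNREPLIED" in ct["flags"] else "ESTABLISHED")
    return None, "NEW"


if __name__ == "__main__":
    entry = parse_conntrack_line(CONNTRACK_LINE)
    packet = parse_ulog_line(ULOG_LINE)
    direction, ctstate = classify(entry, packet)
    print("entry state:", entry["tcp_state"], sorted(entry["flags"]))
    print("logged packet:", packet_tuple(packet), sorted(packet["flags"]))
    print("matches direction:", direction, "-> ctstate", ctstate)
```

Run against the quoted lines, the logged SYN matches the original tuple of an entry that is still `[UNREPLIED]`, so it carries ctstate NEW; a rule that only accepts RELATED,ESTABLISHED does not match it, which is consistent with the DROP in the ulog output.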
Thread overview: 2+ messages
[not found] <47BED5AF.3020006@telbiomed.at>
2008-03-11 11:48 ` Pablo Neira Ayuso [this message]
2008-03-11 14:57 ` [nf-failover] conntrack questions Roman Fiedler