From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: IP forwarding with MASQUERADE
Date: Fri, 03 Oct 2008 09:23:15 -0500 [thread overview]
Message-ID: <48E62AD3.9060001@riverviewtech.net> (raw)
In-Reply-To: <c88e466f0810030507x7e601d09q1034c7cc18be9b57@mail.gmail.com>
On 10/03/08 07:07, Michel Benoit wrote:
> The first box (1) is connected to the internet with ppp and thus gets
> a new dynamic address with every connection.
> The second box (2) is connected to the first box on an 192.168.0.x
> ethernet network.
>
> I can ping from (1) to (2) on the 192.168.0.x network.
> I can ping from (2) to (1) on the 192.168.0.x network.
> I can ping from (2) to (1) on the 10.x.x.x network.
> However pinging from (2) to a machine on the internet fails.
>
> The following log is produced on (1) by netfilter for the unsuccessful ping:
>
> fwd:IN=eth0 OUT=ppp0 SRC=192.168.0.183 DST=10.0.0.1 LEN=84 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3
> msk:IN= OUT=ppp0 SRC=192.168.0.183 DST=10.0.0.1 LEN=84 TOS=0x00
> PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3613 SE
> in:IN=ppp0 OUT= MAC= SRC=10.0.0.1 DST=10.146.88.212 LEN=84 TOS=0x08
> PREC=0x80 TTL=57 ID=46016 PROTO=ICMP TYPE=0 CODE=0 ID=36
>
> It appears that the ping is succesfully being masqueraded on the way
> out (SRC swapped from 192.168.0.183 to 10.146.88.212).
> It even looks like 10.0.0.1 is responding to the ping.
> However, it seems that the packet is not de-masqueraded and ends up
> being processed by (1) instead of being forwarded to (2) with the SRC
> swapped back to 192.168.0.183 to 10.146.88.212.
Will you please verify that the traffic is indeed being masqueraded,
possibly via TCPDump or seeing what 10.0.0.1 thinks of the traffic?
> Does anyone have any idea why this is happening?
Not as of yet. Unless the traffic is not being MASQUERADEed like it
should be. Are you applying your IPTables rules before or after the
ppp0 interface is up?
> Should there be a netfilter rule somewhere for de-masquerading?
Nope.
> How can I debug the problem? Is there a table or a file somewhere I
> can look at.
You might be able to add a logging rule to a raw table somewhere that is
processed after the MASQUERADE in the nat table's POSTROUTING chain.
> How does netfilter recognise a packet that needs to be de-masqueraded?
That is an integral part of connection tracking. In short, "It just does.".
Grant. . . .
next prev parent reply other threads:[~2008-10-03 14:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-03 12:07 IP forwarding with MASQUERADE Michel Benoit
2008-10-03 14:23 ` Grant Taylor [this message]
2008-10-07 15:58 ` Michel Benoit
2008-10-07 18:15 ` Grant Taylor
2008-10-08 16:12 ` Michel Benoit
2008-10-09 16:36 ` Michel Benoit
[not found] ` <B1254A48FE0EE04BAC4A09DD26CBF50203DA62A0@s080a1034.group.rwe.com>
[not found] ` <c88e466f0810080916x3e58de7cod018200f3b8e8c29@mail.gmail.com>
2008-10-08 16:18 ` Michel Benoit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48E62AD3.9060001@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox