SNAT problem

SNAT problem

[Manu]

Hello netfilter-list,

I have an issue with iptables and SNAT:
There is a NAT gateway between internet (eth0) an LAN (eth2) ( which is 
used by 200 people )
I've 200 internet fix IP, which are DNATted and SNATted for the 
communication with the internet:

iptables version: iptables v1.4.3.2
kernel: 2.6.23.9

NAT table:

Chain PREROUTING (policy ACCEPT 37177 packets, 3389K bytes)
pkts bytes target     prot opt in     out     source               
destination
   5   211 DNAT       all  --  eth0   *       0.0.0.0/0            
80.xx.xxx.1         to:10.0.1.2
   7   684 DNAT       all  --  eth0   *       0.0.0.0/0            
80.xx.xxx.10        to:10.0.10.2
   7   352 DNAT       all  --  eth0   *       0.0.0.0/0            
80.xx.xxx.100       to:10.0.100.2
...

Chain POSTROUTING (policy ACCEPT 14096 packets, 1201K bytes)
pkts bytes target     prot opt in     out     source               
destination
   0     0 SNAT       all  --  *      eth0    10.0.1.2             
0.0.0.0/0           to:80.xx.xxx.1
   6   288 SNAT       all  --  *      eth0    10.0.10.2            
0.0.0.0/0           to:80.xx.xxx.10
   0     0 SNAT       all  --  *      eth0    10.0.100.2           
0.0.0.0/0           to:80.xx.xxx.100
...


The problem is, there are pakets which are not SNATted:
# tcpdump -i eth0 -vvn | grep "10\.0\."
tcpdump: listening on eth0
11:24:50.553928 10.0.113.2.37295 > 19.6.34.13.61201: FP 
872115062:872115483(421) ack 2241938025 win 65535 (DF) (ttl 63, id 
22860, len 461)
11:24:54.558253 10.0.113.2.52741 > 129.13.233.195.80: F [tcp sum ok] 
1253290637:1253290637(0) ack 3260788409 win 33304 <nop,nop,timestamp 
1037069524 3028764969> (DF) (ttl 63, id 8213, len 52)
11:24:54.580499 10.0.113.2.52521 > 91.18.174.3.80: F [tcp sum ok] 
2182856414:2182856414(0) ack 4017845595 win 33304 <nop,nop,timestamp 
1037069524 1576465996> (DF) (ttl 63, id 39286, len 52)
11:25:50.282005 10.0.190.2.1036 > 74.125.43.104.80: F [tcp sum ok] 
0:0(0) ack 1 win 65129 (DF) (ttl 127, id 11722, len 40)
11:27:15.940457 10.0.12.2.1346 > 195.186.17.34.80: FP 
515820442:515820987(545) ack 3832399077 win 65535 (DF) (ttl 127, id 
6881, len 585)
11:27:15.941419 10.0.12.2.1344 > 195.186.17.34.80: FP 
3713984614:3713985159(545) ack 3897104309 win 65535 (DF) (ttl 127, id 
6882, len 585)
....

What could be the reason for ignoring the SNAT rule?!
Could the performance (CPU, Memory) of the gateway be the reason of the 
prob?
CPU:800MHz
RAM: 256MB

from /proc :
# cat ip_conntrack_max
16384
# cat ip_conntrack_count
1298
# cat ip_conntrack_buckets
4096
# cat ip_conntrack_udp_timeout
30
# cat ip_conntrack_tcp_loose
1


Any help will be very appreciated!
Thx in advance!

Manu

SNAT problem

[Yevgeny Kosarzhevsky]

Hi,

I have the issue with incorrect SNAT.

I have two interfaces, let's say ppp0 - x.x.x.x, ppp1 - y.y.y.y ppp0 is 
a default gateway.
I use some command to change routing to IP z.z.z.z via ppp1:
ip ro ad to z.z.z.z dev ppp1

I have SNAT rules for both interfaces, however, I notice with tcpdump 
that outgoing packets are still using x.x.x.x instead of y.y.y.y IP, 
though packets are being sent with the correct interface (ppp1)

I have shut down ppp0 and removed SNAT rule for it, but outgoing packets 
are still showing x.x.x.x IP. Even, ip ro fl cache didn't help.

Is there anything I am doing wrongly? I suppose this is some unwanted 
behaviour.

warp:~# uname -a
Linux warp 2.6.32-5-686 #1 SMP Thu Aug 12 13:38:27 UTC 2010 i686 GNU/Linux

Re: SNAT problem

[Pascal Hambourg]

Yevgeny Kosarzhevsky a écrit :
> 
> I have two interfaces, let's say ppp0 - x.x.x.x, ppp1 - y.y.y.y ppp0 is 
> a default gateway.
> I use some command to change routing to IP z.z.z.z via ppp1:
> ip ro ad to z.z.z.z dev ppp1
> 
> I have SNAT rules for both interfaces, however, I notice with tcpdump 
> that outgoing packets are still using x.x.x.x instead of y.y.y.y IP, 
> though packets are being sent with the correct interface (ppp1)
> 
> I have shut down ppp0 and removed SNAT rule for it, but outgoing packets 
> are still showing x.x.x.x IP. Even, ip ro fl cache didn't help.

If the packets belong to an existing connection (conntrack-wise) which
was established before the route change, this behaviour is expected.
Changing the source address may break the connection.

Re: SNAT problem

[Pascal Hambourg]

Yevgeny Kosarzhevsky a écrit :
> Pascal Hambourg wrote:
>> Yevgeny Kosarzhevsky a écrit :
>>    
>>> I have two interfaces, let's say ppp0 - x.x.x.x, ppp1 - y.y.y.y ppp0 is
>>> a default gateway.
>>> I use some command to change routing to IP z.z.z.z via ppp1:
>>> ip ro ad to z.z.z.z dev ppp1
>>>
>>> I have SNAT rules for both interfaces, however, I notice with tcpdump
>>> that outgoing packets are still using x.x.x.x instead of y.y.y.y IP,
>>> though packets are being sent with the correct interface (ppp1)
>>>
>>> I have shut down ppp0 and removed SNAT rule for it, but outgoing packets
>>> are still showing x.x.x.x IP. Even, ip ro fl cache didn't help.
>>>      
>> If the packets belong to an existing connection (conntrack-wise) which
>> was established before the route change, this behaviour is expected.
>> Changing the source address may break the connection.
> 
> I have this trouble for new ipsec connections. I change route on my 
> gateway and then trying to establish ipsec connection. I see on the 
> gateway with tcpdump that the address of outgoing packets are still 
> belong to old interface.

Is the new IPSec connection to the same destination address ? If so,
then the connection tracking and NAT system may consider it is the same
connection and uses the same NAT mapping as before.

Did you wait until the old IPSec conntrack entry expires (check in
/proc/net/nf_conntrack) or try to delete it with the conntrack tool ?