* simple/ubiquitous iptables NAT config no longer works
[not found] <CAA+mFXNdGDpickA-JNukzmHhgtGM+AtZ=2dDpfvh6G-ZYdY3xA@mail.gmail.com>
@ 2011-10-18 6:10 ` Pawel Karpowicz
2011-10-18 8:12 ` Marek Kierdelewicz
0 siblings, 1 reply; 5+ messages in thread
From: Pawel Karpowicz @ 2011-10-18 6:10 UTC (permalink / raw)
To: netfilter
Hallo netfilter team.
I am running ubuntu with simple and ubiquitous NAT configuration,
taken for example from:
http://www.revsys.com/writings/quicktips/nat.html
It worked fine for ubuntu 10.04 as well as 11.04, but no longer works
for 11.10 (iptables-1.4.10).
In detail, a TCP connection issued from some machine behind the NAT
gets connected correctly (SYN, ACK/SYN, ACK handshake)
then HTTP request gets destination correctly.
server ACK (without data payload) to request also is correct.
Then expected server response packet with TCP payload never comes.
Description above is based on public interface sniffing (wireshark).
Do you know what might be the reason?
best regards,
Paul
* Re: simple/ubiquitous iptables NAT config no longer works
2011-10-18 6:10 ` simple/ubiquitous iptables NAT config no longer works Pawel Karpowicz
@ 2011-10-18 8:12 ` Marek Kierdelewicz
2011-10-19 16:29 ` Pawel Karpowicz
0 siblings, 1 reply; 5+ messages in thread
From: Marek Kierdelewicz @ 2011-10-18 8:12 UTC (permalink / raw)
To: Pawel Karpowicz; +Cc: netfilter
Hi Paweł,
>Do you know what might be the reason?
Please send output of command:
sudo iptables-save
... and describe your test scenario (interfaces, hosts).
best regards,
Marek Kierdelewicz
* Re: simple/ubiquitous iptables NAT config no longer works
2011-10-18 8:12 ` Marek Kierdelewicz
@ 2011-10-19 16:29 ` Pawel Karpowicz
2011-10-26 17:22 ` Pawel Karpowicz
0 siblings, 1 reply; 5+ messages in thread
From: Pawel Karpowicz @ 2011-10-19 16:29 UTC (permalink / raw)
To: Marek Kierdelewicz; +Cc: netfilter
Hallo Marek.
> sudo iptables-save
# Generated by iptables-save v1.4.10 on Wed Oct 19 17:38:46 2011
*nat
:PREROUTING ACCEPT [13:2491]
:INPUT ACCEPT [9:1123]
:OUTPUT ACCEPT [165:10279]
:POSTROUTING ACCEPT [12:856]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 19 17:38:46 2011
# Generated by iptables-save v1.4.10 on Wed Oct 19 17:38:46 2011
*filter
:INPUT ACCEPT [6527:2777093]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4648:340419]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Oct 19 17:38:46 2011
> ... and describe your test scenario (interfaces, hosts).
my ubuntu plays role of simple router. It has 2 interfaces
eth0(public), eth1(private):
eth0 Link encap:Ethernet HWaddr 00:18:8b:04:8a:13
inet addr:89.73.128.70 Bcast:255.255.255.255 Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:8535 errors:0 dropped:0 overruns:0 frame:0
TX packets:4873 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3044029 (3.0 MB) TX bytes:448928 (448.9 KB)
Interrupt:16
eth1 Link encap:Ethernet HWaddr 00:02:b3:8c:dc:e7
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
behind the NAT, there is one machine.
My test traffic is following command:
$ wget http://www.bmw.com/index.html
a) issued first from router ubuntu box - works fine.
b) issued from machine behind firewall -
I use wireshark/tcpdump to listen to the traffic on public (eth0) interface.
Problem:
wget from a) works fine
wget from b) does not work - packets starting from server response are
not noticed by tcpdump/wireshark. Looks like wget tries to re-init
retrieval.
prompt# date; tcpdump -n -s 1500 -i eth0 tcp port 80; date
Wed Oct 19 18:17:50 CEST 2011
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
18:17:53.946254 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [S],
seq 2077949812, win 5840, options [mss 1460,sackOK,TS val 101837 ecr
0,nop,wscale 6], length 0
18:17:53.982730 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [S.],
seq 1195734941, ack 2077949813, win 5792, options [mss 1460,sackOK,TS
val 2525069182 ecr 101837,nop,wscale 5], length 0
18:17:53.982916 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [.],
ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length
0
18:17:53.983035 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [P.],
seq 1:120, ack 1, win 92, options [nop,nop,TS val 101847 ecr
2525069182], length 119
18:17:54.018370 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [.],
ack 120, win 181, options [nop,nop,TS val 2525069217 ecr 101847],
length 0
18:19:35.590503 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [S],
seq 1640370690, win 5360, options [mss 536,sackOK,TS val 639285 ecr
0,nop,wscale 4], length 0
18:19:35.643811 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [S.],
seq 2165280073, ack 1640370691, win 5672, options [mss 1430,sackOK,TS
val 1751780339 ecr 639285,nop,wscale 6], length 0
18:19:35.643879 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.],
ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length
0
18:19:35.644320 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [P.],
seq 1:503, ack 1, win 335, options [nop,nop,TS val 639298 ecr
1751780339], length 502
18:19:35.699378 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.],
ack 503, win 105, options [nop,nop,TS val 1751780395 ecr 639298],
length 0
18:19:35.706906 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.],
seq 1:525, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr
639298], length 524
18:19:35.706944 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.],
ack 525, win 401, options [nop,nop,TS val 639314 ecr 1751780402],
length 0
18:19:35.706960 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [P.],
seq 525:587, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr
639298], length 62
18:19:35.706983 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.],
ack 587, win 401, options [nop,nop,TS val 639314 ecr 1751780402],
length 0
18:19:35.771173 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [S],
seq 287381426, win 5360, options [mss 536,sackOK,TS val 639330 ecr
0,nop,wscale 4], length 0
18:19:35.924358 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [S.],
seq 1848400106, ack 287381427, win 5792, options [mss 1460,sackOK,TS
val 2257618069 ecr 639330,nop,wscale 9], length 0
18:19:35.924434 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.],
ack 1, win 335, options [nop,nop,TS val 639368 ecr 2257618069], length
0
18:19:35.924761 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [P.],
seq 1:441, ack 1, win 335, options [nop,nop,TS val 639368 ecr
2257618069], length 440
18:19:36.079514 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [.],
ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368],
length 0
18:19:36.080648 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [P.],
seq 1:462, ack 441, win 14, options [nop,nop,TS val 2257618108 ecr
639368], length 461
18:19:36.080680 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.],
ack 462, win 401, options [nop,nop,TS val 639407 ecr 2257618108],
length 0
18:19:36.080708 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [P.],
seq 462:695, ack 441, win 14, options [nop,nop,TS val 2257618108 ecr
639368], length 233
18:19:36.080729 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.],
ack 695, win 466, options [nop,nop,TS val 639407 ecr 2257618108],
length 0
18:19:50.825213 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [F.],
seq 695, ack 441, win 14, options [nop,nop,TS val 2257621795 ecr
639407], length 0
18:19:50.861633 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.],
ack 696, win 466, options [nop,nop,TS val 643103 ecr 2257621795],
length 0
18:19:55.536728 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [F.],
seq 441, ack 696, win 466, options [nop,nop,TS val 644271 ecr
2257621795], length 0
18:19:55.692496 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [.],
ack 442, win 14, options [nop,nop,TS val 2257623011 ecr 644271],
length 0
18:20:20.705622 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.],
ack 587, win 401, options [nop,nop,TS val 650564 ecr 1751780402],
length 0
18:20:20.772481 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.],
ack 503, win 105, options [nop,nop,TS val 1751825467 ecr 639314],
length 0
18:21:05.769622 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.],
ack 587, win 401, options [nop,nop,TS val 661830 ecr 1751825467],
length 0
18:21:05.818528 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.],
ack 503, win 105, options [nop,nop,TS val 1751870511 ecr 639314],
length 0
18:21:50.817628 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.],
ack 587, win 401, options [nop,nop,TS val 673092 ecr 1751870511],
length 0
18:21:50.871390 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.],
ack 503, win 105, options [nop,nop,TS val 1751915564 ecr 639314],
length 0
^C
33 packets captured
33 packets received by filter
0 packets dropped by kernel
Wed Oct 19 18:21:56 CEST 2011
best regards,
Pawel
* Re: simple/ubiquitous iptables NAT config no longer works
2011-10-19 16:29 ` Pawel Karpowicz
@ 2011-10-26 17:22 ` Pawel Karpowicz
2011-10-26 17:51 ` Mike Wright
0 siblings, 1 reply; 5+ messages in thread
From: Pawel Karpowicz @ 2011-10-26 17:22 UTC (permalink / raw)
To: netfilter
I didn't get the help so maybe I should ask someone for simple NAT
configuration for iptables v.1.4.10?
best regards
* Re: simple/ubiquitous iptables NAT config no longer works
2011-10-26 17:22 ` Pawel Karpowicz
@ 2011-10-26 17:51 ` Mike Wright
0 siblings, 0 replies; 5+ messages in thread
From: Mike Wright @ 2011-10-26 17:51 UTC (permalink / raw)
To: Pawel Karpowicz; +Cc: netfilter
On 10/26/2011 10:22 AM, Pawel Karpowicz wrote:
> I didn't get the help so maybe I should ask someone for simple NAT
> configuration for iptables v.1.4.10?
>
>> my ubuntu plays role of simple router. It has 2 interfaces
>> eth0(public), eth1(private):
>>
>> eth0 Link encap:Ethernet HWaddr 00:18:8b:04:8a:13
>> inet addr:89.73.128.70 Bcast:255.255.255.255 Mask:255.255.252.0
>> UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
>> RX packets:8535 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:4873 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:3044029 (3.0 MB) TX bytes:448928 (448.9 KB)
>> Interrupt:16
>>
>>
>> eth1 Link encap:Ethernet HWaddr 00:02:b3:8c:dc:e7
>> inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
>> UP BROADCAST MULTICAST MTU:1500 Metric:1
>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>>
>> behind the NAT, there is one machine.
Maybe this will work?
In the nat table:
-A PREROUTING -i eth0 -j DNAT --to-destination 192.168.10.1
-A POSTROUTING -o eth0 -j SNAT --to-source 89.73.128.70
You must also enable forwarding.
I don't know Ubuntu but in Redhat that's
echo 1 > /proc/sys/net/ipv4/ip_forward (temporary)
-- or --
in /etc/sysctl.conf
net.ipv4.ip_forward = 1 (permanent)
hth,
Mike Wright
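
An added example, not part of any message in this thread: a small Python summarizer for tcpdump text like the capture Pawel posted. It groups packets per client flow and reports the MSS the client advertised in its SYN and the payload bytes seen in each direction. `CAPTURE` is an excerpt of his capture with the mail line wrapping undone; the function names are illustrative.

```python
import re
from collections import defaultdict

# Excerpt of the capture posted in the thread, e-mail line wrapping undone.
CAPTURE = """\
18:17:53.946254 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [S], seq 2077949812, win 5840, options [mss 1460,sackOK,TS val 101837 ecr 0,nop,wscale 6], length 0
18:17:53.982730 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [S.], seq 1195734941, ack 2077949813, win 5792, options [mss 1460,sackOK,TS val 2525069182 ecr 101837,nop,wscale 5], length 0
18:17:53.983035 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [P.], seq 1:120, ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 119
18:17:54.018370 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [.], ack 120, win 181, options [nop,nop,TS val 2525069217 ecr 101847], length 0
18:19:35.590503 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [S], seq 1640370690, win 5360, options [mss 536,sackOK,TS val 639285 ecr 0,nop,wscale 4], length 0
18:19:35.644320 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [P.], seq 1:503, ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 502
18:19:35.706906 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], seq 1:525, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 524
18:19:35.706960 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [P.], seq 525:587, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 62
"""

# One tcpdump -n TCP line: "IP src.port > dst.port: Flags [...], ..., length N"
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sp>\d+) > (?P<dst>[\d.]+)\.(?P<dp>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?length (?P<len>\d+)\s*$")
MSS = re.compile(r"\bmss (\d+)")


def summarize(capture, server_port=80):
    """Per client flow: MSS from the client SYN, request and response payload bytes."""
    flows = defaultdict(lambda: {"client_mss": None, "sent": 0, "received": 0})
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # banner lines, "^C", packet counters
        to_server = int(m["dp"]) == server_port
        client = (m["src"], m["sp"]) if to_server else (m["dst"], m["dp"])
        server = (m["dst"], m["dp"]) if to_server else (m["src"], m["sp"])
        flow = flows[(client, server)]
        if to_server:
            flow["sent"] += int(m["len"])
            mss = MSS.search(line)
            if m["flags"] == "S" and mss:  # bare SYN carries the client's MSS
                flow["client_mss"] = int(mss.group(1))
        else:
            flow["received"] += int(m["len"])
    return dict(flows)


def stalled(flows):
    """Flows where a request went out but no response payload was captured."""
    return [key for key, f in flows.items() if f["sent"] > 0 and f["received"] == 0]


if __name__ == "__main__":
    result = summarize(CAPTURE)
    for (client, server), f in result.items():
        print(client, "->", server, f)
    print("stalled:", stalled(result))
```

On this excerpt the only stalled flow is the one whose SYN advertised mss 1460; the flow that received its response advertised mss 536, and the posted ifconfig output shows eth0 at MTU 576, which is worth keeping in view when reading the capture.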