From: Marc SCHAEFER <schaefer@alphanet.ch>
To: Sunny73Cr <Sunny73Cr@protonmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables DNAT routes to wrong iface
Date: Sun, 26 Jan 2025 10:23:34 +0100
Message-ID: <Z5X/FjHPPIHy/89n@alphanet.ch>
In-Reply-To: <o-Kdk2GAq901xVkHQ5Aru09OR2zTnTDL0Dl4V_SkKMgUtNUrTTgP_dBjqTs5qukem5k3sekFKj88zrlZYr_fzHCSaiNDq8i_7w9mz3dY1TQ=@protonmail.com>
Hello,
On Sun, Jan 26, 2025 at 06:19:23AM +0000, Sunny73Cr wrote:
> > 193.72.186.128/26 dev enp2s0.300 proto kernel scope link src 193.72.186.130
> New reply (and now public): '193.72.186.128/26' does not cover all of
> '193.72.186.0/24', and some packets will not get routed.
Why should it? The firewall 193.72.186.130 on which the DNAT is done is
connected to 193.72.186.128/26 because this is how the router
193.72.186.129 on the other side of the VLAN 300 defined that VLAN:
193.72.186.128/26 dev enp5s0.300 proto kernel scope link src 193.72.186.129
Indeed, the addresses 193.72.186.128 (reserved, subnet) to
193.72.186.191 (reserved, subnet broadcast) correspond to
193.72.186.128/26, aka 32 - 26 = 6 free bits, so 64 addresses.
On the same VLANs there are other machines, such as 193.72.186.190 that
I used for my test.
BTW, those (193.72.186.129, 193.72.186.190) are ping-reachable from the
Internet (193.72.186.130 is currently down, as it is a test machine).
The setup works, it's just the DNAT that routes wrong for some
reason (I am an nftables beginner). Do not try random connections to
those IP addresses (ping is ok), you might trigger the IDS.
The DNAT problem is that when a machine from 193.72.186.128/26 (e.g.
193.72.186.190 in the example) sends a TCP datagram on port 8080
of 193.72.186.130, this gets correctly DNATted to 192.168.202.10
port 80, however, then the routing entry:
> 192.168.202.0/24 dev enp2s0.202 proto kernel scope link src 192.168.202.2
is not respected, and the datagram is sent on enp2s0.300.
In another case, which is 46.140.72.218:8080 (on enp2s0.400), the DNAT
correctly works and sends to 192.168.202.10 on enp2s0.202.
As said in the mail, the reply packet won't work on 193.72.186.128/26,
that's expected (not default route, and no conntrack/mark set
yet), but it's the initial packet which is routed wrong.
Thank you & have a nice day.
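As an added illustration (not part of the thread), the routing decision the mail expects can be reproduced with a longest-prefix-match lookup over the two routes quoted above: the DNAT in prerouting rewrites the destination before the route lookup, so the post-NAT address 192.168.202.10 should select enp2s0.202. The default route entry is an assumption for completeness; the two /26 and /24 entries are the ones shown in the thread.

```python
from ipaddress import ip_address, ip_network

# Routing table reconstructed from the entries quoted in the thread.
# The default route is an assumed placeholder (the mail only says
# 46.140.72.218 lives on enp2s0.400).
ROUTES = [
    ("193.72.186.128/26", "enp2s0.300", "193.72.186.130"),
    ("192.168.202.0/24", "enp2s0.202", "192.168.202.2"),
    ("0.0.0.0/0", "enp2s0.400", "46.140.72.218"),  # assumed default route
]


def lookup(dst):
    """Longest-prefix match: return (iface, src) for destination dst."""
    dst = ip_address(dst)
    best = None
    for prefix, iface, src in ROUTES:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return (best[1], best[2]) if best else None


def egress_after_dnat(nat_dst):
    """Prerouting DNAT runs before the routing decision, so the egress
    interface must be chosen from the rewritten (NATted) destination."""
    return lookup(nat_dst)[0]


def subnet_facts(prefix):
    """(network, broadcast, address count, free host bits) for a prefix."""
    net = ip_network(prefix)
    return (str(net.network_address), str(net.broadcast_address),
            net.num_addresses, 32 - net.prefixlen)


if __name__ == "__main__":
    # 193.72.186.190 -> 193.72.186.130:8080, DNATted to 192.168.202.10:80
    print("expected egress:", egress_after_dnat("192.168.202.10"))
    print("/26 facts:", subnet_facts("193.72.186.128/26"))
```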
Thread overview: 4+ messages
2025-01-25 15:55 nftables DNAT routes to wrong iface Marc SCHAEFER
2025-01-26 6:19 ` Sunny73Cr
2025-01-26 9:23 ` Marc SCHAEFER [this message]
2025-01-26 9:36 ` Marc SCHAEFER