From: Petr Pisar <petr.pisar@atlas.cz>
To: netfilter@lists.netfilter.org
Subject: Re: Not NATed packets
Date: Sat, 29 Apr 2006 20:44:53 +0200
Message-ID: <e30c75$sm0$1@sea.gmane.org>
In-Reply-To: <e2goe1$f34$1@sea.gmane.org>
Petr Pisar wrote:
> lukas@tank.eu.org wrote:
>
>>NAT configuration is simple but some packets are not NATed - on my
>>public interface, packets with the source address of my internal (NATed)
>>network appear, and I have no clue what is wrong.
>
>
>>16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF],
>>proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F,
>>cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
>
> Exactly. I can see only FIN packets which are not translated. After
> looking into the conntrack table, I think MASQ ignores FIN packets that are
> missing from the conntrack table (is it INVALID or NEW state?).
>
So, I'm able to reproduce this bug. Simply send an untracked FIN packet
from an intranet station to the Internet:
$ hping2 -c 1 -F 1.2.3.4
HPING 1.2.3.4 (eth1 1.2.3.4): F set, 40 headers + 0 data bytes
--- 1.2.3.4 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
And dump traffic on your gateway:
$ tcpdump -i ppp0 -n net 192.168.0.0/24
tcpdump: listening on ppp0
20:30:36.304397 192.168.0.2.1039 > 1.2.3.4.0: F 2063212909:2063212909(0) win 512
> The counters show very strange behaviour too. These strange packets are not
> loggable after the MASQ rule. It seems like a bug.
>
Here is my POSTROUTING chain (ppp0 is the public interface):

Chain POSTROUTING (policy ACCEPT 783 packets, 126K bytes)
 pkts bytes target     prot opt in     out     source               destination
  897 54437 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 2 level 4 prefix `PRE'
 4531  365K MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
   38  2258 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 2 level 4 prefix `POST'
and after doing this exercise I can't see any change in the counters of the
POSTROUTING chain. Naturally I can't see anything in the kernel log either (as
you can see, I log everything before MASQ and after it).
It seems these magic packets are completely bypassing the POSTROUTING chain.
I also found out that TCP traffic goes through this chain only with the first
SYN packet. After that I don't see the packets there anymore.
Is it normal?
-- Petr
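The symptom in this thread (a private source address leaving through the public interface, and only on packets that never started a tracked connection) is easy to spot in a capture once you know what to look for. The following is an added example, not code from the thread or from the netfilter project: it parses `tcpdump -n` output taken on the external interface, flags every packet whose source is still an RFC 1918 address, and separates the two failure modes a practitioner would distinguish. An untranslated SYN means the nat rule or its `-o` interface does not match at all; an untranslated FIN/ACK/RST with no preceding SYN is a packet conntrack has no entry for, which the nat table never sees because nat is only consulted for the first packet of a connection. The sample capture lines are constructed for the example (they follow the shape of the two lines quoted in the thread plus two extra lines for contrast) and are not a real trace.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample capture (not a real trace): two lines shaped like the ones
# posted in the thread (verbose "IP (tos ...)" form and classic form), one
# properly translated/unrelated public packet, and one untranslated SYN.
SAMPLE_CAPTURE = """\
16:30:39.015880 IP (tos 0x0, ttl 127, id 28594, offset 0, flags [DF], proto: TCP (6), length: 40) 10.10.10.104.3689 > 83.29.48.50.6881: F, cksum 0x1623 (correct), 3885889894:3885889894(0) ack 3151418643 win 65535
20:30:36.304397 192.168.0.2.1039 > 1.2.3.4.0: F 2063212909:2063212909(0) win 512
20:30:40.100000 83.29.48.51.40000 > 1.2.3.4.80: S 100:100(0) win 5840
20:30:41.100000 192.168.0.7.1040 > 1.2.3.4.80: S 200:200(0) win 5840
"""

# RFC 1918 ranges; anything from here seen on the WAN side escaped MASQUERADE.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "src.sport > dst.dport: FLAGS" in both old tcpdump output styles
# ("F," in the verbose form, "F " in the classic form).
PKT_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<flags>[SFRPUEW.]+)(?=[, ])"
)


@dataclass
class Leak:
    src: str
    dst: str
    flags: str
    verdict: str


def classify(line: str) -> Optional[Leak]:
    """Return a Leak if the packet left the gateway with a private source."""
    m = PKT_RE.search(line)
    if m is None:
        return None  # not a TCP line we understand
    src = ipaddress.ip_address(m["src"])
    if not any(src in net for net in PRIVATE_NETS):
        return None  # public source: translated (or not our traffic)
    flags = m["flags"]
    if "S" in flags:
        # A SYN is the first packet of a connection, so it does traverse the
        # nat table; if it leaves untranslated the MASQUERADE rule or its
        # out-interface simply does not match.
        verdict = "untranslated SYN: nat POSTROUTING rule/interface mismatch"
    else:
        # Non-SYN with no tracked connection: conntrack marks it INVALID and
        # the nat table is never consulted, so it leaves untranslated.
        verdict = "untranslated non-SYN: untracked/INVALID packet bypassed nat table"
    return Leak(str(src), m["dst"], flags, verdict)


def find_leaks(capture: str) -> List[Leak]:
    """Classify every line of a tcpdump -n capture from the public interface."""
    return [leak for leak in (classify(ln) for ln in capture.splitlines()) if leak]


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE):
        print(f"{leak.src} -> {leak.dst} [{leak.flags}]: {leak.verdict}")
```

Run it against `tcpdump -n -i ppp0 net 192.168.0.0/16` output saved to a file instead of `SAMPLE_CAPTURE` to check your own gateway. For the second verdict, the usual remedy on a masquerading gateway (standard netfilter practice, not something stated in this thread) is to refuse to forward what conntrack cannot attribute to a connection, e.g. `iptables -A FORWARD -m state --state INVALID -j DROP` (or `-m conntrack --ctstate INVALID` on newer kernels), so that stray FINs are dropped rather than leaking the internal address onto the public link.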
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-23 15:04 Not NATed packets lukas
2006-04-23 20:35 ` Petr Pisar
2006-04-24 9:55 ` lukas
2006-05-04 20:35 ` Pascal Hambourg
2006-04-29 18:44 ` Petr Pisar [this message]
2006-04-29 19:15 ` Petr Pisar
2006-05-04 22:22 ` Pascal Hambourg
2006-05-05 17:26 ` Petr Pisar