Re: GRE tunnel wierdness

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



David Lamparter <david.lamparter@t-online.de> wrote:

> Do you have NAT / mangling / etc. running somewhere? The connection 
> tracking timeout is 500 s afaik, maybe GRE is NATed on one of your 
> gateways?
> A possible explanation would be that east does SNAT on GRE packets 
> or 
> west does DNAT on GRE ... so when east tries to reach west, the 
> packet 
> is SNAT'ed or DNAT'ed and therefore doesn't reach west, but when 
> west 
> tries to reach east, connection tracking information is set up on 
> both 
> routers so it works ... until the timeout expires.

That's is it. It actually happens when going from west to east, I just
never noticed it before.

Thanks for the clue.

Steve

ps. I know this isn't the appropiate list, but could someone see what
iptable rule needs to be changed to make this not happen(rules generated
from script found at: http://www.asgardsrealm.net/linux/firewall ).

[root@east root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     ipv6-auth--  anywhere             anywhere           
ACCEPT     ipv6-crypt--  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED 
ACCEPT     all  --  east.somenet.com    east.somenet.com  
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http 
ACCEPT     udp  --  anywhere             anywhere           udp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:re-mail-ck 
ACCEPT     udp  --  anywhere             anywhere           udp
dpt:re-mail-ck 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:51 
ACCEPT     udp  --  anywhere             anywhere           udp dpt:51 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:47 
ACCEPT     udp  --  anywhere             anywhere           udp dpt:47 
ACCEPT     udp  --  anywhere             anywhere           udp dpt:isakmp 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https 
ACCEPT     all  --  anywhere             anywhere           
LOG        all  --  anywhere             anywhere           LOG level
info prefix `FIREWALL: Filter-INPUT ' 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  192.168.1.0/24       192.168.0.0/24     
ACCEPT     all  --  192.168.0.0/24       192.168.1.0/24     
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.2.0/24       anywhere           
ACCEPT     all  --  192.168.1.0/24       anywhere           
ACCEPT     all  --  192.168.0.0/24       anywhere           
LOG        all  --  anywhere             anywhere           LOG level
info prefix `FIREWALL: Filter-FORWARD ' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED 
ACCEPT     all  --  192.168.0.0/24       anywhere           
ACCEPT     all  --  192.168.1.0/24       anywhere           
ACCEPT     all  --  192.168.2.0/24       anywhere           
ACCEPT     all  --  east.somenet.com    east.somenet.com  
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  somenet.com         somenet.com       
LOG        all  --  anywhere             anywhere           LOG level
info prefix `FIREWALL: Filter-OUTPUT ' 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux