Hi, christopher cuse (ccuse@xxxxxxxxxxxxxxxxxxx) wrote on 2003-10-28: > i had the same issue ... try adding to your iptables: > > iptables --append POSTROUTING --table nat --match mark \ > --mark 0x3 --jump SNAT --to-source 62.46.87.104 > > ip route flush cache I already tried that (though with a different match): > > I have also tried, unsuccessfully, to just mangle the source address > > using an iptables SNAT rule, but even though that produces correct > > network traffic, it seems to break something internally that keeps the > > TCP handshake from completing: > > > > | sophokles:~# iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source > > | 62.46.86.137 > > | sophokles:~# su - freenet > > | freenet@sophokles:~$ nc iwoars.net 22 > > | 01:30:16.448930 62.46.86.137.32849 > 217.160.110.113.22: SWE > > | 1656968486:1656968486(0) win 5840 <mss 1460,sackOK,timestamp 2356000 > > | 0,nop,wscale 0> (DF) > > | 01:30:16.516732 217.160.110.113.22 > 62.46.86.137.32849: S > > | 2293250552:2293250552(0) ack 1656968487 win 32120 <mss > > | 1460,sackOK,timestamp 313375234 2356000,nop,wscale 0> (DF) > > | 01:30:19.448146 62.46.86.137.32849 > 217.160.110.113.22: SWE > > | 1656968486:1656968486(0) win 5840 <mss 1460,sackOK,timestamp 2359000 > > | 0,nop,wscale 0> (DF) > > | 01:30:19.518099 217.160.110.113.22 > 62.46.86.137.32849: S > > | 2293250552:2293250552(0) ack 1656968487 win 32120 <mss > > | 1460,sackOK,timestamp 313375535 2356000,nop,wscale 0> (DF) > > | 01:30:19.823023 217.160.110.113.22 > 62.46.86.137.32849: S > > | 2293250552:2293250552(0) ack 1656968487 win 32120 <mss > > | 1460,sackOK,timestamp 313375566 2356000,nop,wscale 0> (DF) So, the packets go out with the correct source address, the SYN-ACK comes back from the target host, but the local IP stack then doesn't send the last ACK back because it doesn't feel that these packets belong to a local socket. That is quite understandable, since doing a netstat reveals that the socket believes it's using 192.168.1.1 as its source address (netstat output doesn't match tcpdump output from above, of course, because the tcpdump is from yesterday, but I did the same things). | freenet@sophokles:~$ netstat -ant | grep SYN_SENT | tcp 0 1 192.168.1.1:32915 217.160.110.113:22 SYN_SENT Now, with the ugly hacks mounting, I've considered something like iptables -A INPUT -i ppp0 -j DNAT --to-destination 192.168.1.1 but of course that doesn't work. At the core of the problem is still how the socket ever got to be have the local address of 192.168.1.1. I'm pretty sure netcat doesn't bind to a specific local address, so it must be something in iproute2 behaving odd. ciao, -- [*Thomas Themel*] Frankly, many of you on this list really need to [extended contact] be doused with gasoline and then lit. [info provided in] [*message header*] - Tim May on cypherpunks
Attachment:
pgp00196.pgp
Description: PGP signature
