I have a box with 2 real interfaces and one more virtual one:
eth0 - to the internet (193....)
eth1 - to the local net (192.168..)
tun0 - to another ISP
The routing is: all the free/local classes I send directly on eth0, the rest of the internet I send through tun0.
The admin from tun0 wants me to SNAT all the packets with my end of the IP of the tun0 interface,
and I SNAT all the traffic that goes to local/free nets.
The problem is that on tun0 I see packets with source addr my eth0 and dest somewhere in the internet, and they are only acks (I also see NATed traffic). Why????
I'll start with some confs and at the end some discoveries:
So "ip rule" looks like:
0:      from all lookup local
32516:  from 192.168.40.0/24 lookup metro
32517:  from 192.168.40.254 lookup tunel
32518:  from 192.168.40.253 lookup tunel
..........
32765:  from 192.168.40.2 lookup tunel
32766:  from all lookup main
32767:  from all lookup default
An "ip route list table metro" has entries like: 84...0/17 via 193. dev eth0
An "ip route list table tunel" has only a default: default via 10.0.1.1 dev tun0
And main has the directly connected nets and a default through eth0.
The iptables look like:
filter - empty
mangle - mark traffic for the tc part
nat - only Chain POSTROUTING:
  481 52825 SNAT  all  --  *  tun0  192.168.40.0/24  0.0.0.0/0  to:10.0.1.2
    0     0 SNAT  all  --  *  eth0  192.168.40.100   0.0.0.0/0  to:IP_IF_ETH0
........................
A tcpdump on tun0 gets:
tcpdump -i tun0 -n | grep -v 10.0.1.2
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 2449728106 win 33870 (DF)
IP_IF_ETH0.8181 > 24.129.71.219.42694: ack 1 win 33870 (DF)
IP_IF_ETH0.8181 > 81.208.36.95.9195: . ack 272319646 win 65225 (DF)
So I began to put accounting/logging rules in iptables with -s IP_IF_ETH0; I did it in nat POSTROUTING and in filter OUTPUT, INPUT, FORWARD, and I got a hit on OUTPUT:
Oct 10 04:10:39 kernel: IN= OUT=eth0 SRC=IP_IF_ETH0 DST=83.175.129.103 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8181 DPT=4894 WINDOW=0 RES=0x00 ACK RST URGP=0
So it's a locally generated packet that is marked to get out on eth0, but it gets out on tun0. I presume (pls confirm) that the label of the interface is put by the output routing, and when it gets to the OUTPUT conntrack it's marked to get out on tun0 but this doesn't modify the label, so it doesn't match my SNAT rule with -o tun0.
How can I solve the problem? I don't see how; either the config is bad, or it's a bug :-)))
C
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
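An added example, not part of the original post or of the LARTC list: a small Python model of the rule walk and POSTROUTING SNAT matching the post describes. The rule list and the two SNAT rules are taken from the post as shown (the elided per-host rules and the elided extra SNAT rules are left out); every concrete address the post anonymises or cuts short (IP_IF_ETH0, the 193. gateway, the 84...0/17 free class, an internet host) is replaced by a constructed documentation-range stand-in, and the 10.0.1.0/30 link route in main is assumed. It reproduces the three cases a practitioner would check: a LAN host to the internet (tunel, tun0, SNAT to 10.0.1.2), a LAN host to a free net (metro, eth0), and a packet sourced from the box's own eth0 address, which by the rules shown is routed to eth0 and, if it nevertheless leaves on tun0, matches neither SNAT rule.

```python
"""Policy-routing and SNAT walk-through modelled on the post's configuration.

Added example. Addresses below are constructed stand-ins, not the poster's real ones.
"""
import ipaddress
from typing import Optional

IPNet = ipaddress.IPv4Network


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s, strict=False)


# Constructed stand-ins (RFC 5737 documentation ranges).
IP_IF_ETH0 = "192.0.2.10"       # the box's public address on eth0 (the post's IP_IF_ETH0)
FREE_NET = "198.51.100.0/24"    # one "free/local" class reachable directly via eth0 (post: 84...0/17)
INTERNET_HOST = "203.0.113.5"   # some host on the rest of the internet
GW_ETH0 = "GW_ETH0"             # placeholder for the post's elided "via 193. ..." gateway

# Route tables: (prefix, outgoing device, gateway or None).
TABLES = {
    "local":   [(net(IP_IF_ETH0 + "/32"), "lo", None), (net("192.168.40.1/32"), "lo", None)],
    "metro":   [(net(FREE_NET), "eth0", GW_ETH0)],
    "tunel":   [(net("0.0.0.0/0"), "tun0", "10.0.1.1")],
    "main":    [(net("192.168.40.0/24"), "eth1", None),
                (net("10.0.1.0/30"), "tun0", None),          # assumed tunnel link route
                (net("0.0.0.0/0"), "eth0", GW_ETH0)],
    "default": [],
}

# "ip rule" as shown in the post: (priority, source selector or None for "from all", table).
RULES = [
    (0,     None,                     "local"),
    (32516, net("192.168.40.0/24"),   "metro"),
    (32517, net("192.168.40.254/32"), "tunel"),
    (32518, net("192.168.40.253/32"), "tunel"),
    (32765, net("192.168.40.2/32"),   "tunel"),
    (32766, None,                     "main"),
    (32767, None,                     "default"),
]

# nat POSTROUTING as shown in the post: (-o interface, -s match, SNAT --to).
SNAT_RULES = [
    ("tun0", net("192.168.40.0/24"),   "10.0.1.2"),
    ("eth0", net("192.168.40.100/32"), IP_IF_ETH0),
]


def route(src: str, dst: str) -> Optional[dict]:
    """Emulate the kernel's rule walk: the first rule whose selector matches the source
    and whose table holds a route for the destination wins; a table miss falls through."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if selector is not None and s not in selector:
            continue
        hits = [r for r in TABLES[table] if d in r[0]]
        if hits:
            prefix, dev, via = max(hits, key=lambda r: r[0].prefixlen)  # longest prefix wins
            return {"rule": prio, "table": table, "dev": dev, "via": via}
    return None


def snat(src: str, out_dev: str, rules=SNAT_RULES) -> Optional[str]:
    """First POSTROUTING SNAT rule matching (-o out_dev, -s src), or None if none does."""
    s = ipaddress.ip_address(src)
    for dev, selector, to in rules:
        if dev == out_dev and s in selector:
            return to
    return None


def trace(src: str, dst: str, actual_dev: Optional[str] = None) -> dict:
    """Routing decision plus the SNAT outcome on the interface the packet really leaves on.
    actual_dev models the post's case, where the observed egress differs from the decision."""
    r = route(src, dst)
    dev = actual_dev or (r["dev"] if r else None)
    return {"table": r["table"] if r else None,
            "routed_dev": r["dev"] if r else None,
            "egress_dev": dev,
            "snat_to": snat(src, dev) if dev else None}


if __name__ == "__main__":
    print(trace("192.168.40.254", INTERNET_HOST))               # tunel -> tun0, SNAT to 10.0.1.2
    print(trace("192.168.40.100", "198.51.100.7"))              # metro -> eth0, SNAT to IP_IF_ETH0
    print(trace(IP_IF_ETH0, INTERNET_HOST))                     # main -> eth0, no SNAT needed
    print(trace(IP_IF_ETH0, INTERNET_HOST, actual_dev="tun0"))  # on tun0: no SNAT rule matches
    catch_all = SNAT_RULES + [("tun0", net("0.0.0.0/0"), "10.0.1.2")]
    print(snat(IP_IF_ETH0, "tun0", catch_all))                  # a catch-all on tun0 would match
```

The last two lines show the detection and the containment a practitioner would want: anything leaving tun0 with a source outside 192.168.40.0/24 falls through the SNAT chain exactly as the tcpdump in the post shows, and a catch-all SNAT (or MASQUERADE) rule with -o tun0 closes that leak whatever the reason the packet ended up there. It does not explain why the output routing decision and the real egress interface disagree; that question stands as the poster asked it.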