Re: Trouble redirecting traffic on transparent bridge.

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Ok I gave br0 an IP.  Now I have a new problem.  When the client tries to access a webserver the traffic redirected to the ip on the bridge to the local web server.  However, the traffic going back to the client machine from the web server has a source port of 1, this isn't what the client expects so it rejects it.  Here's a tethereal dump of eth2, the interface on the bridge between the client and the bridge:

172.16.110.139 is client, 64.233.187.104 is google.com

 10.841477 172.16.110.139 -> 64.233.187.104 TCP 2684 > http [FIN, ACK] Seq=0 Ack=0 Win=65535 Len=0
 10.841661 64.233.187.104 -> 172.16.110.139 TCP tcpmux > 2684 [ACK] Seq=0 Ack=0 Win=6432 Len=0
 10.841853 172.16.110.139 -> 64.233.187.104 TCP 2684 > tcpmux [RST] Seq=0 Ack=2730207901 Win=0 Len=0
 10.844408 64.233.187.104 -> 172.16.110.139 TCP [TCP ACKed lost segment] http > 2684 [RST, ACK] Seq=2730208227 Ack=2 Win=0 Len=0
 10.868209 172.16.110.139 -> 64.233.187.104 TCP 2685 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
 10.868384 64.233.187.104 -> 172.16.110.139 TCP http > 2685 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
 10.868584 172.16.110.139 -> 64.233.187.104 TCP 2685 > http [ACK] Seq=1 Ack=1 Win=65535 Len=0
 10.881201 172.16.110.139 -> 64.233.187.104 HTTP GET /index.html HTTP/1.1
 10.881635 64.233.187.104 -> 172.16.110.139 TCP tcpmux > 2685 [ACK] Seq=0 Ack=0 Win=6432 Len=0
 10.881824 172.16.110.139 -> 64.233.187.104 TCP 2685 > tcpmux [RST] Seq=0 Ack=562108981 Win=0 Len=0
 10.882135 64.233.187.104 -> 172.16.110.139 TCP tcpmux > 2685 [PSH, ACK] Seq=0 Ack=0 Win=6432 Len=325
 10.882324 172.16.110.139 -> 64.233.187.104 TCP 2685 > tcpmux [RST] Seq=0 Ack=562108981 Win=0 Len=0
 10.883252 64.233.187.104 -> 172.16.110.139 TCP [TCP ACKed lost segment] [TCP Previous segment lost] http > 2685 [RST, ACK] Seq=562108982 Ack=491 Win=0 Len=0
 10.883268 64.233.187.104 -> 172.16.110.139 TCP http > 2685 [RST, ACK] Seq=562108982 Ack=491 Win=0 Len=0
 13.851777 172.16.110.139 -> 64.233.187.104 HTTP [TCP ZeroWindowViolation] [TCP Out-Of-Order] GET /index.html HTTP/1.1
 13.852239 64.233.187.104 -> 172.16.110.139 TCP [TCP Dup ACK 11#1] tcpmux > 2685 [ACK] Seq=325 Ack=0 Win=6432 Len=0 SLE=4294966807 SRE=0
 13.852403 172.16.110.139 -> 64.233.187.104 TCP 2685 > tcpmux [RST] Seq=0 Ack=562108981 Win=0 Len=0
 13.853102 64.233.187.104 -> 172.16.110.139 TCP http > 2685 [RST, ACK] Seq=562108982 Ack=491 Win=0 Len=0
 13.881844 64.233.187.104 -> 172.16.110.139 TCP [TCP Retransmission] tcpmux > 2685 [PSH, ACK] Seq=0 Ack=0 Win=6432 Len=325
 13.882009 172.16.110.139 -> 64.233.187.104 TCP 2685 > tcpmux [RST] Seq=0 Ack=562108981 Win=0 Len=0
 13.882705 64.233.187.104 -> 172.16.110.139 TCP http > 2685 [RST, ACK] Seq=562108982 Ack=491 Win=0 Len=0
 19.859637 172.16.110.139 -> 64.233.187.104 HTTP [TCP ZeroWindowViolation] [TCP Out-Of-Order] GET /index.html HTTP/1.1
 19.860007 64.233.187.104 -> 172.16.110.139 TCP [TCP Dup ACK 11#2] tcpmux > 2685 [ACK] Seq=325 Ack=0 Win=6432 Len=0 SLE=4294966807 SRE=0
 19.860139 172.16.110.139 -> 64.233.187.104 TCP 2685 > tcpmux [RST] Seq=0 Ack=562108981 Win=0 Len=0
 19.860874 64.233.187.104 -> 172.16.110.139 TCP http > 2685 [RST, ACK] Seq=562108982 Ack=491 Win=0 Len=0
 19.882250 64.233.187.104 -> 172.16.110.139 TCP [TCP Retransmission] tcpmux > 2685 [PSH, ACK] Seq=0 Ack=0 Win=6432 Len=325
 19.882496 172.16.110.139 -> 64.233.187.104 TCP 2685 > tcpmux [RST] Seq=0 Ack=562108981 Win=0 Len=0
 19.883111 64.233.187.104 -> 172.16.110.139 TCP http > 2685 [RST, ACK] Seq=562108982 Ack=491 Win=0 Len=0

#ip route
192.168.200.0/24 dev br0  proto kernel  scope link  src 192.168.200.1 
172.16.110.0/23 dev eth0  proto kernel  scope link  src 172.16.110.150 
127.0.0.0/8 dev lo  scope link 
default via 172.16.111.254 dev eth0  metric 1

# iptables -n -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination          
DNAT       all  --  172.16.110.139       64.233.187.104      to:192.168.200.1 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.200.1        172.16.110.139      to:64.233.187.104 
 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Any ideas on what's going on?  Why would the source port change?

----- Original Message -----
From: "Jeffrey B. Ferland" <jeff@xxxxxxxxxxxxxxx>
To: "Kran Kor" <krankor@xxxxxxxxxxxxx>
Subject: Re:  Trouble redirecting traffic on transparent bridge.
Date: Sat, 3 Dec 2005 10:35:06 -0500

> 
> <Lots of snippage>
> >
> >> From nat:
> > -A PREROUTING -s $CLIENT_IP -p tcp -m tcp --dport 80 -j DNAT 
> > --to- destination 127.0.0.1:80
> >
> > But the kernel sees the traffic as "martian" and disards them:
> > Dec  1 15:09:45 xxxxxxxx last message repeated 9 times
> > Dec  1 15:11:37 xxxxxxxx kernel: martian destination 127.0.0.1 
> > from  172.16.110.139, dev br0
> > Dec  1 15:11:46 xxxxxxxx last message repeated 2 times
> >
> 
> The above part is what really matters... you can't with a source  
> address of 127.0.0.1 to any other host.
> 
> If you're so inclined, the source code making this check is  
> apparently in route.c
> 
> Give br0 an IP address, and redirect to that address. (eth1 and 
> eth2  as part of a bridge don't get ips)
> 
> -Jeff
> SIG: HUP


-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux