Conntrack, nat and multipath - what is wrong here?

Linux Advanced Routing and Traffic Control

I have a Gentoo 2.6.14 box with 4 NICs: LAN/DMZ/PUB1/PUB2.

LAN and DMZ have an RFC 1918 /22 each; PUB1 and PUB2 have a /29 each, of which 5 IPs 
are assigned.

Using the mangle table, I give all packets a mark (according to local 
policies) in the range 1-10. Using ip rule, I pass marks 1-5 through the pub1 
routing table and marks 6-10 through the pub2 routing table. Using the nat 
table, I SNAT to one of the 10 IPs assigned from the two /29s.


1) Now, if I remove the default route (via the PUB1 gw) from the main table, 
everything halts. Why?


2) If I pass a forwarded TCP SYN packet out on the PUB2 interface, with the 
correct SNAT IP, I can see the SYN+ACK returning from the external server. 
Logging then indicates that this packet gets passed through 
mangle/PREROUTING, after which it appears to simply be lost. It's definitely 
not going out on any of the 4 NICs. This contrasts with packets being passed 
out on PUB1, where everything works fine: conntrack recognizes the SYN+ACK 
and the reply gets correctly forwarded to the LAN box I'm using to test. It 
*seems* like conntrack simply is not able to match the incoming SYN+ACK with 
the outgoing SYN. BUT, if I try to connect to the DSL router on PUB2, 
everything's fine. I suspect I got something very wrong with my routing 
rules/tables, but I can't figure out what.

Addresses shown are sanitized: 1.1.1.136/29 is PUB1, 2.2.2.216/29 is PUB2, 
3.3.3.* is the external server I've been testing against.

eth0: LAN
eth1: DMZ
eth2: PUB2
eth3: PUB1

eos ~ # ip rule show
0:      from all lookup local
30000:  from all fwmark 0x1 lookup pub1
30000:  from all fwmark 0x2 lookup pub1
30000:  from all fwmark 0x3 lookup pub1
30000:  from all fwmark 0x4 lookup pub1
30000:  from all fwmark 0x5 lookup pub1
30000:  from all fwmark 0x6 lookup pub2
30000:  from all fwmark 0x7 lookup pub2
30000:  from all fwmark 0x8 lookup pub2
30000:  from all fwmark 0x9 lookup pub2
30000:  from all fwmark 0xa lookup pub2
31000:  from 1.1.1.139 lookup pub1
31000:  from 1.1.1.140 lookup pub1
31000:  from 1.1.1.141 lookup pub1
31000:  from 1.1.1.142 lookup pub1
31000:  from 1.1.1.137 lookup pub1
31000:  from 2.2.2.218 lookup pub2
31000:  from 2.2.2.219 lookup pub2
31000:  from 2.2.2.220 lookup pub2
31000:  from 2.2.2.221 lookup pub2
31000:  from 2.2.2.222 lookup pub2
33000:  from all lookup main

eos ~ # ip route show table pub1
1.1.1.136/29 dev eth3  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 1.1.1.138 dev eth3

eos ~ # ip route show table pub2
1.1.1.136/29 dev eth3  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 2.2.2.217 dev eth2

eos ~ # ip route show table main
1.1.1.136/29 dev eth3  proto kernel  scope link  src 1.1.1.139
2.2.2.216/29 dev eth2  proto kernel  scope link  src 2.2.2.218
192.168.4.0/22 dev eth1  proto kernel  scope link  src 192.168.4.1
192.168.0.0/22 dev eth0  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 1.1.1.138 dev eth3

eos ~ # iptables -t filter -nvL
Chain INPUT (policy ACCEPT 5314 packets, 2615K bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `filter/INPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `filter/INPUT:'

Chain FORWARD (policy ACCEPT 184K packets, 162M bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `filter/FORWARD:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `filter/FORWARD:'

Chain OUTPUT (policy ACCEPT 2261 packets, 277K bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `filter/OUTPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `filter/OUTPUT:'

eos ~ # iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 188K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/PREROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/PREROUTING:'
    2   468 MARK14     all  --  *      *       0.0.0.0/0            
192.168.4.0/22      state NEW
 2903 2444K MARK13     all  --  *      *       0.0.0.0/0            
192.168.0.0/22      state NEW
   60  6098 MARK12     all  --  *      *       0.0.0.0/0            
1.1.1.136/29     state NEW
 1692  136K MARK11     all  --  *      *       0.0.0.0/0            
2.2.2.216/29   state NEW
    0     0 MARK6      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 state NEW
  109  5232 MARK6      tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:119 state NEW
   54  2592 MARK6      tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:119 state NEW
    0     0 MARK2      all  --  *      *       192.168.1.20         
213.239.111.0/29    state NEW
 3223  243K MARK10     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
state NEW
 1054 66052 MARK1      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
state NEW

Chain INPUT (policy ACCEPT 5409 packets, 2648K bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/INPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/INPUT:'

Chain FORWARD (policy ACCEPT 188K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/FORWARD:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/FORWARD:'

Chain OUTPUT (policy ACCEPT 2302 packets, 283K bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/OUTPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/OUTPUT:'

Chain POSTROUTING (policy ACCEPT 190K packets, 165M bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/POSTROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/POSTROUTING:'

Chain MARK1 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK1:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK1:'
 1054 66052 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x1
 1054 66052 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK10 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK10:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK10:'
 3223  243K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0xa
 3223  243K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK11 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK11:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK11:'
 1692  136K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0xb
 1692  136K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK12 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK12:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK12:'
   60  6098 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0xc
   60  6098 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK13 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK13:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK13:'
 2903 2444K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0xd
 2903 2444K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK14 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK14:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK14:'
    2   468 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0xe
    2   468 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK2 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK2:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK2:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x2
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK3 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK3:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK3:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x3
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK4 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK4:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK4:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x4
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK5 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK5:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK5:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x5
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK6 (3 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK6:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK6:'
  163  7824 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x6
  163  7824 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK7 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK7:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK7:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x7
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK8 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK8:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK8:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x8
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MARK9 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `mangle/MARK9:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `mangle/MARK9:'
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK set 0x9
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

eos ~ # iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 5623 packets, 453K bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/PREROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/PREROUTING:'

Chain POSTROUTING (policy ACCEPT 10 packets, 607 bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/POSTROUTING:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/POSTROUTING:'
 1053 66000 SNAT_1     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x1
    0     0 SNAT_2     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x2
    0     0 SNAT_3     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x3
    0     0 SNAT_4     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x4
    0     0 SNAT_5     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x5
  168  8064 SNAT_6     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x6
    0     0 SNAT_7     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x7
    0     0 SNAT_8     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x8
    0     0 SNAT_9     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x9
 2606  211K SNAT_10    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0xa
    0     0 SNAT_11    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0xb
    0     0 SNAT_12    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0xc

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/OUTPUT:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/OUTPUT:'

Chain SNAT_1 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_1:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_1:'
 1053 66000 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:1.1.1.139
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_10 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_10:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_10:'
 2606  211K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:2.2.2.222
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_11 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_11:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_11:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:2.2.2.218
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_12 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_12:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_12:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:1.1.1.139
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_13 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_13:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_13:'
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_14 (0 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_14:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_14:'
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_2 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_2:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_2:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:1.1.1.140
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_3 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_3:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_3:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:1.1.1.141
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_4 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_4:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_4:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:1.1.1.142
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_5 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_5:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_5:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:1.1.1.137
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_6 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_6:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_6:'
  168  8064 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:2.2.2.218
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_7 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_7:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_7:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:2.2.2.219
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_8 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_8:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_8:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:2.2.2.220
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SNAT_9 (1 references)
 pkts bytes target     prot opt in     out     source               
destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp spt:25 LOG flags 0 level 4 prefix `nat/SNAT_9:'
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
tcp dpt:25 LOG flags 0 level 4 prefix `nat/SNAT_9:'
    0     0 SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
to:2.2.2.221
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0



Logging/tcpdump from an attempt to connect to port 25 on a remote server:
Apr  9 21:55:47 eos mangle/PREROUTING:IN=eth0 OUT= 
MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos mangle/MARK6:IN=eth0 OUT= 
MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos nat/PREROUTING:IN=eth0 OUT= 
MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=3.3.3.228 
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos mangle/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 
DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP 
SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos filter/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 
DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP 
SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos mangle/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 
DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP 
SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos nat/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 
DST=3.3.3.228 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP 
SPT=53218 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:47 eos nat/SNAT_6:IN= OUT=eth2 SRC=192.168.1.20 DST=3.3.3.228 
LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=41341 DF PROTO=TCP SPT=53218 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:55:48 eos mangle/PREROUTING:IN=eth2 OUT= 
MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=3.3.3.228 DST=2.2.2.218 
LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25 DPT=53218 
WINDOW=5792 RES=0x00 ACK SYN URGP=0
Apr  9 21:55:52 eos mangle/PREROUTING:IN=eth2 OUT= 
MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=3.3.3.228 DST=2.2.2.218 
LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=25 DPT=53218 
WINDOW=5792 RES=0x00 ACK SYN URGP=0

tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
21:55:47.998524 IP (tos 0x10, ttl  63, id 41341, offset 0, flags [DF], proto: 
TCP (6), length: 60) 2.2.2.218.53218 > 3.3.3.228.25: S, cksum 0x6efb 
(correct), 2404082705:2404082705(0) win 5840 <mss 1460,sackOK,timestamp 
2365113708 0,nop,wscale 2>
21:55:48.179397 IP (tos 0x0, ttl  51, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0x0b36 (correct), 
58918797:58918797(0) ack 2404082706 win 5792 <mss 1452,sackOK,timestamp 
1736175970 2365113708,nop,wscale 0>
21:55:52.175813 IP (tos 0x0, ttl  51, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xfb9a (correct), 
58918797:58918797(0) ack 2404082706 win 5792 <mss 1452,sackOK,timestamp 
1736179965 2365113708,nop,wscale 0>
21:55:58.175073 IP (tos 0x0, ttl  51, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xe42a (correct), 
58918797:58918797(0) ack 2404082706 win 5792 <mss 1452,sackOK,timestamp 
1736185965 2365113708,nop,wscale 0>
21:55:58.775150 IP (tos 0x0, ttl  51, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 60) 3.3.3.228.25 > 2.2.2.218.53217: S, cksum 0xc92d (correct), 
4258850729:4258850729(0) ack 2314333557 win 5792 <mss 1452,sackOK,timestamp 
1736186565 2365030295,nop,wscale 0>
21:56:10.177052 IP (tos 0x0, ttl  51, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0xb54a (correct), 
58918797:58918797(0) ack 2404082706 win 5792 <mss 1452,sackOK,timestamp 
1736197965 2365113708,nop,wscale 0>


Logging/tcpdump from an attempt to connect to port 25 on the PUB2 DSL router; 
this works:
Apr  9 21:56:52 eos mangle/PREROUTING:IN=eth0 OUT= 
MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/MARK11:IN=eth0 OUT= 
MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos nat/PREROUTING:IN=eth0 OUT= 
MAC=00:40:f4:6b:6c:c1:00:01:02:1c:6f:29:08:00 SRC=192.168.1.20 DST=2.2.2.217 
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 
DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP 
SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos filter/FORWARD:IN=eth0 OUT=eth2 SRC=192.168.1.20 
DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP 
SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 
DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP 
SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos nat/POSTROUTING:IN= OUT=eth2 SRC=192.168.1.20 
DST=2.2.2.217 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP 
SPT=55398 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos nat/SNAT_11:IN= OUT=eth2 SRC=192.168.1.20 DST=2.2.2.217 
LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=34524 DF PROTO=TCP SPT=55398 DPT=25 
WINDOW=5840 RES=0x00 SYN URGP=0
Apr  9 21:56:52 eos mangle/PREROUTING:IN=eth2 OUT= 
MAC=00:08:a1:90:aa:a1:00:14:7f:03:e5:1c:08:00 SRC=2.2.2.217 DST=2.2.2.218 
LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=46172 PROTO=TCP SPT=25 DPT=55398 WINDOW=0 
RES=0x00 ACK RST URGP=0
Apr  9 21:56:52 eos mangle/FORWARD:IN=eth2 OUT=eth0 SRC=2.2.2.217 
DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 
DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr  9 21:56:52 eos filter/FORWARD:IN=eth2 OUT=eth0 SRC=2.2.2.217 
DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 
DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr  9 21:56:52 eos mangle/POSTROUTING:IN= OUT=eth0 SRC=2.2.2.217 
DST=192.168.1.20 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=46172 PROTO=TCP SPT=25 
DPT=55398 WINDOW=0 RES=0x00 ACK RST URGP=0


tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
21:56:52.306357 IP (tos 0x10, ttl  63, id 34524, offset 0, flags [DF], proto: 
TCP (6), length: 60) 2.2.2.218.55398 > 2.2.2.217.25: S, cksum 0xaa49 
(correct), 2474919495:2474919495(0) win 5840 <mss 1460,sackOK,timestamp 
2365178011 0,nop,wscale 2>
21:56:52.306836 IP (tos 0x0, ttl  64, id 46172, offset 0, flags [none], proto: 
TCP (6), length: 40) 2.2.2.217.25 > 2.2.2.218.55398: R, cksum 0x7679 
(correct), 0:0(0) ack 2474919496 win 0
21:57:22.589506 IP (tos 0x0, ttl  51, id 0, offset 0, flags [DF], proto: TCP 
(6), length: 60) 3.3.3.228.25 > 2.2.2.218.53218: S, cksum 0x9a78 (correct), 
58918797:58918797(0) ack 2404082706 win 5792 <mss 1452,sackOK,timestamp 
1736270366 2365113708,nop,wscale 0>



--E.S. Johansen
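A worked check added by the editor, not part of the post above: it replays the routing decisions from the post's own `ip rule` / `ip route` / nat tables for the packets in its logs. The post does not say whether rp_filter is enabled on the public interfaces; this example assumes it is, and models the reverse-path check the way the kernel's fib_validate_source does it, as a route lookup for the packet's source address with the packet's destination used as the flow source, passing only if the route's device is the interface the packet arrived on. Replies are fed in as the routing code sees them: conntrack has already reversed the SNAT in PREROUTING, so their destination is the LAN host again. The addresses, marks and SNAT mapping are taken from the post; the scenario names and the helper functions are the editor's.

```python
"""Replay the post's routing decisions against its own tables.

Assumptions not stated in the post: rp_filter is on for eth2/eth3, and the
reverse-path check is a lookup for the packet's SOURCE with the packet's
DESTINATION as flow source (fib_validate_source), passing when the device
found equals the ingress interface.
"""
import ipaddress

# Connected routes shared by all three tables (ip route show table ...).
_CONNECTED = [
    ("1.1.1.136/29", "eth3"),
    ("2.2.2.216/29", "eth2"),
    ("192.168.4.0/22", "eth1"),
    ("192.168.0.0/22", "eth0"),
    ("127.0.0.0/8", "lo"),
]
ROUTES = {
    "pub1": _CONNECTED + [("0.0.0.0/0", "eth3")],   # default via 1.1.1.138
    "pub2": _CONNECTED + [("0.0.0.0/0", "eth2")],   # default via 2.2.2.217
    "main": _CONNECTED + [("0.0.0.0/0", "eth3")],   # default via 1.1.1.138
}

# Policy rules (ip rule show) in priority order; selector keys: fwmark, from.
RULES = (
    [({"fwmark": m}, "pub1") for m in range(1, 6)]
    + [({"fwmark": m}, "pub2") for m in range(6, 11)]
    + [({"from": f"1.1.1.{h}"}, "pub1") for h in (139, 140, 141, 142, 137)]
    + [({"from": f"2.2.2.{h}"}, "pub2") for h in range(218, 223)]
    + [({}, "main")]
)

# nat/POSTROUTING: fwmark -> SNAT source (chains SNAT_1 .. SNAT_10).
SNAT = {1: "1.1.1.139", 2: "1.1.1.140", 3: "1.1.1.141", 4: "1.1.1.142",
        5: "1.1.1.137", 6: "2.2.2.218", 7: "2.2.2.219", 8: "2.2.2.220",
        9: "2.2.2.221", 10: "2.2.2.222"}


def lookup(dst, src="0.0.0.0", mark=0, routes=ROUTES):
    """Walk the rules; return (table, oif) of the longest match, or None.

    As in the kernel, a table without a matching route falls through to the
    next rule instead of ending the lookup.
    """
    dst_ip = ipaddress.ip_address(dst)
    for sel, table in RULES:
        if "fwmark" in sel and sel["fwmark"] != mark:
            continue
        if "from" in sel and sel["from"] != src:
            continue
        best = None
        for prefix, dev in routes[table]:
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return table, best[1]
    return None


def reverse_path(src, dst, mark=0, routes=ROUTES):
    """Device the reverse-path check expects the packet to arrive on.

    Addresses are swapped as in fib_validate_source.  The mark is passed
    through; it is 0 on every reply here, so whether a given kernel consults
    it in this lookup makes no difference to the results below.
    """
    res = lookup(src, dst, mark, routes)
    return None if res is None else res[1]


def evaluate(pkt, routes=ROUTES):
    """Forward route plus rp_filter verdict for one packet as routing sees it."""
    fwd = lookup(pkt["dst"], pkt["src"], pkt["mark"], routes)
    rdev = reverse_path(pkt["src"], pkt["dst"], pkt["mark"], routes)
    return {
        "table": None if fwd is None else fwd[0],
        "oif": None if fwd is None else fwd[1],
        "reverse_dev": rdev,
        "rp_filter_pass": rdev == pkt["iif"],
    }


def snat_matches_egress(mark):
    """True if the SNAT source for a mark lies on the /29 of that mark's egress NIC."""
    table, oif = lookup("3.3.3.228", mark=mark)      # any off-link destination
    src = ipaddress.ip_address(SNAT[mark])
    return any(src in ipaddress.ip_network(p)
               for p, dev in ROUTES[table] if dev == oif and p != "0.0.0.0/0")


def without_main_default():
    """Tables as they would look after question 1's removal of main's default."""
    r = dict(ROUTES)
    r["main"] = [e for e in ROUTES["main"] if e[0] != "0.0.0.0/0"]
    return r


# Packets from the post's logs, as routing sees them (replies already de-NATed).
SCENARIOS = {
    # outbound SYN, marked 6 by MARK6 (in eth0, dpt 25)
    "syn_out": dict(src="192.168.1.20", dst="3.3.3.228", iif="eth0", mark=6),
    # SYN+ACK from 3.3.3.228 arriving on eth2 (the packet that is lost)
    "synack_eth2": dict(src="3.3.3.228", dst="192.168.1.20", iif="eth2", mark=0),
    # RST from the PUB2 DSL router (the case that works)
    "rst_eth2": dict(src="2.2.2.217", dst="192.168.1.20", iif="eth2", mark=0),
    # the same reply if the flow had gone out over PUB1 instead
    "synack_eth3": dict(src="3.3.3.228", dst="192.168.1.20", iif="eth3", mark=0),
}

if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        print(name, evaluate(pkt))
    print("synack_eth3, no default in main:",
          evaluate(SCENARIOS["synack_eth3"], without_main_default()))
    print("SNAT source on egress /29:", {m: snat_matches_egress(m) for m in SNAT})
```

What the replay shows: the outbound SYN with mark 6 leaves via pub2/eth2 and is SNATed to an address on the eth2 /29, matching the tcpdump. The returning SYN+ACK carries no mark (the MARK chains only match state NEW) and, once conntrack has restored the destination to 192.168.1.20, matches none of the `from 2.2.2.x` rules either, so both its lookups fall to the main table, whose default route points at eth3; a strict reverse-path check on eth2 therefore fails, which would drop the packet silently right after mangle/PREROUTING, exactly where the log stops. The RST from 2.2.2.217 passes because 2.2.2.216/29 is on eth2 in main. With main's default route removed, no reverse route exists for any Internet source at all, which fits the symptom in question 1. On the box itself the corresponding checks are `sysctl net.ipv4.conf.eth2.rp_filter`, `sysctl net.ipv4.conf.all.log_martians` (set it to 1 to have the kernel log the drops), and `ip route get 3.3.3.228 from 192.168.1.20 iif eth2`, which runs the same reverse lookup the kernel does.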

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc