Hi Dan,
On 12/21/2012 10:32 PM, Daniel Johnson wrote:
Thanks for the reply Erik.
That would be NAT. To verify, disable _all_ NAT on your box and try
again.
OK, so my next question would be what is doing the NAT. Is it only going
to be iptables or could something else be doing it? And by disable all
NAT you mean just clear out any rules in the nat table?
Iptables, yes.
This step (disabling NAT) is important, because it directly verifies if
NAT is the root cause or not. Flush all iptables rules, re-add
everything that is _not_ NAT related and repeat the tcpdump test.
Since the source address is changed, SNAT should be causing this. If no
NAT at all works regarding the tcpdump test, try with DNAT, but no SNAT.
This way you can reduce the problem space.
ip_conntrack is enabled; could that be doing anything?
AFAIK not by itself.
Also the only other thing I have in the back of my mind is on the net it
appears people do a masquerade line between the lan interface and the
internet interface.
Masquerading is known as PAT (keyword "overload") in the Cisco world, if
that helps. ;-)
I do not do this, however I do SNAT any local
traffic to my public IP if it's leaving to go to the internet. Is there
some auto masquerade happening which I assume is also like NAT?
No auto-masquerading unless configured.
Complete nat table list. Sorry I am not sure how to have it include the
interface in this list.
The "in" and "out" columns show the interface. An asterisk (*) stands
for every interface.
# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 77116 packets, 5866K bytes)
 pkts bytes target prot opt in out source destination
    1    52 DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.54 tcp dpt:8855 to:10.156.170.104
    0     0 DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.55 tcp dpt:5588 to:10.156.80.250
    0     0 DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.56 tcp dpt:5588 to:10.156.80.251
    0     0 DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.57 tcp dpt:5588 to:10.156.80.252
    0     0 DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.58 tcp dpt:5588 to:10.156.80.253
    0     0 DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.50 tcp dpt:2222 to:10.156.170.60
 5045  257K DNAT tcp -- * * 0.0.0.0/0 xxx.xxx.xxx.234 tcp dpt:2222 to:10.156.170.60
Chain POSTROUTING (policy ACCEPT 21621 packets, 1515K bytes)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- * * 10.96.11.20 0.0.0.0/0 LOG flags 0 level 4 prefix `NAT INMONITOR '
    0     0 LOG all -- * * 0.0.0.0/0 10.96.11.20 LOG flags 0 level 4 prefix `NAT OUTMONITOR '
    0     0 LOG all -- * * xxx.xxx.xxx.49 0.0.0.0/0 LOG flags 0 level 4 prefix `NAT OUTMONITOR '
    0     0 SNAT tcp -- * eth0 10.0.0.0/8 0.0.0.0/0 tcp dpt:8855 to:203.39.117.50
SNAT for packets leaving eth0. If all traffic going out eth0 needs to be
unmodified, this line should not be there.
12999  691K SNAT all -- * eth1 10.0.0.0/8 !xxx.xxx.xxx.48/29 to:xxx.xxx.xxx.50
SNAT for packets leaving eth1.
Chain OUTPUT (policy ACCEPT 16397 packets, 1249K bytes)
 pkts bytes target prot opt in out source destination
#
I think your NAT configuration needs to be more specific. Consider using
the --in-interface and --out-interface options. Consider using more
specific --source and --destination specifications for (S)NAT.
Regards,
Erik
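Two of the points made above, working out which SNAT rule a given outbound packet hits and spotting NAT rules that are not interface- or address-specific, as an added Python example; this is not code from the thread. It parses the "iptables -t nat -L -vn" layout shown in the listing; the SAMPLE listing, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in the `iptables -t nat -L -vn` layout (not the listing
# from the thread; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 21621 packets, 1515K bytes)
 pkts bytes target prot opt in out source      destination
    0     0 SNAT tcp  -- *   eth0 10.0.0.0/8  0.0.0.0/0      tcp dpt:8855 to:192.0.2.50
12999  691K SNAT all  -- *   eth1 10.0.0.0/8  !192.0.2.48/29 to:192.0.2.50
    0     0 SNAT all  -- *   *    0.0.0.0/0   0.0.0.0/0      to:192.0.2.51
"""

def parse_nat_rules(listing):
    """One dict per rule line; 'Chain' and column-header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] in ("Chain", "pkts"):
            continue
        rules.append({"target": f[2], "prot": f[3], "in": f[5], "out": f[6],
                      "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return rules

def too_broad(rule):
    """Reasons an SNAT rule is less specific than the advice in the thread asks for."""
    checks = [(rule["in"] == "*" and rule["out"] == "*", "no --in-interface/--out-interface"),
              (rule["src"] == "0.0.0.0/0", "any --source"),
              (rule["dst"] == "0.0.0.0/0", "any --destination")]
    return [why for hit, why in checks if hit] if rule["target"] == "SNAT" else []

def _addr_match(spec, ip):
    """iptables address spec (host, CIDR, optional leading '!') against one IP."""
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def first_snat_match(rules, src, dst, out_if, proto="tcp", dport=None):
    """First SNAT rule, in listing order, that a packet leaving out_if would hit."""
    for r in rules:
        if r["target"] != "SNAT" or r["prot"] not in ("all", proto) or r["out"] not in ("*", out_if):
            continue
        if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
            continue
        m = re.search(r"dpt:(\d+)", r["extra"])
        if m and int(m.group(1)) != dport:  # port-specific rule, different port
            continue
        return r  # the rewritten source is the to: part of r["extra"]
    return None
```

Feed it the real listing instead of SAMPLE and a packet as seen by tcpdump to see which rule rewrote its source; an empty list from too_broad() for every SNAT rule means each one is pinned to an interface and to both address ranges.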
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html