Re: ipv6 forward rule after prerouting - Howto


 



On 06/11/2019 at 19:50, Phil Sutter wrote:
Hi,

On Wed, Nov 06, 2019 at 06:55:56PM +0100, Daniel Huhardeaux wrote:
Hello,

I set up prerouting rules with maps like

chain prerouting {
     type nat hook prerouting priority 0; policy accept;
     iif "ens3" ip6 saddr . tcp dport vmap @blacklist_tcp
     iif "ens3" ip6 saddr . udp dport vmap @blacklist_udp
     dnat to tcp dport map @fwdtoip_tcp:tcp dport map @fwdtoport_tcp
     dnat to udp dport map @fwdtoip_udp:udp dport map @fwdtoport_udp
     ip6 daddr 2a01:729:16e:10::9998 redirect to :tcp dport map @redirect_tcp
     ip6 daddr 2a01:729:16e:10::9998 redirect to :udp dport map @redirect_udp
     ct status dnat accept
     }

Default behavior in ip6 filter forward table is to drop. This means that
my above rules are blocked, I see (u18srv being the machine which will
forward the traffic to another one):

18:32:00.476524 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
126955234, win 28640, options [mss 1432,sackOK,TS val 2255777795 ecr
0,nop,wscale 7], length 0
18:32:08.668468 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
126955234, win 28640, options [mss 1432,sackOK,TS val 2255785986 ecr
0,nop,wscale 7], length 0
18:32:24.796392 IP6 <hostname>.41174 > u18srv.12345: Flags [S], seq
126955234, win 28640, options [mss 1432,sackOK,TS val 2255802114 ecr
0,nop,wscale 7], length 0

Now if I change my default value to accept for ip6 filter forward table,
all is good.

Question: how can I add a forward rule to the filter table using the existing
maps which are defined in the nat tables? Another solution?

I thought that ct status dnat accept was the key to achieve my goal,
seems not :(

Thanks for any hint

Please be aware that 'accept' verdict will only stop the packet from
traversing the current chain and any later chain may still drop the
packet. Only 'drop' verdict is final in that sense.

This I understood


So regarding your problem, I guess you have to add the 'ct state' based
accept rule to the forward chain to prevent the drop policy from affecting
the packet. Your prerouting chain already has an accept policy, so explicit
accepting shouldn't be needed.

I set the default policy to drop again and added the state new to the existing established,related ones. It's working too.

What I would like is to authorize state new _only_ for traffic going to the IP and port which are set in the maps. Feasible?

BTW, I just discovered that my above redirect rules are not working, e.g. redirecting port 12345 to port 25 failed with the same tcpdump output as above. Any idea why?

--
Daniel
TOOTAi Networks
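
The forward-chain arrangement discussed in this thread, as an added example that is not part of the original messages. The table and chain names follow the "ip6 filter forward" wording above and "ens3" is the interface from the posted ruleset; the rule layout itself is an assumption.

```nftables
# Added example, not from the thread. Names follow the "ip6 filter forward"
# wording in the message; the rules are an assumed layout.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies and related flows of connections already admitted.
        ct state established,related accept

        # Broad variant described in the message: every new connection
        # is forwarded, whether or not it was DNATed.
        # ct state established,related,new accept

        # Narrow variant: a new connection is forwarded only if conntrack
        # recorded a destination NAT for it, i.e. a dnat rule in the nat
        # prerouting chain matched one of the map entries.
        iif "ens3" ct state new ct status dnat accept
    }
}
```

Because the match is on conntrack status, the maps stay defined only in the nat table and are not referenced from the filter table.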


