Some of the packets that were routed instead of masqueraded:

00:21:25.721875 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45804, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x6a63 (correct), seq 3548801895, ack 3655548521, win 501, options [nop,nop,TS val 1914199063 ecr 1522403623], length 0
00:21:26.268459 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45805, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x6823 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914199639 ecr 1522403623], length 0
00:21:27.421368 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45806, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x63a3 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914200791 ecr 1522403623], length 0
00:21:29.693301 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45807, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x5ac3 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914203063 ecr 1522403623], length 0
00:21:34.302634 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45808, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x48bf (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914207675 ecr 1522403623], length 0
00:21:38.272384 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 42256, offset 0, flags [none], proto TCP (6), length 52) 10.0.0.26.61981 > 142.250.74.99.80: Flags [F.], cksum 0xed07 (correct), seq 0, ack 1, win 4096, options [nop,nop,TS val 96358724 ecr 2670615284], length 0
00:21:43.517286 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45809, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x24c3 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914216887 ecr 1522403623], length 0
00:22:01.947697 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45810, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0xdcc2 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914235319 ecr 1522403623], length 0
00:22:38.811738 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45811, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x4cc2 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914272183 ecr 1522403623], length 0
00:23:43.034245 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32008, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x492f (correct), seq 3484918907, ack 446014897, win 291, options [nop,nop,TS val 1179797395 ecr 3393378316], length 0
00:23:43.202140 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32009, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x4852 (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179797616 ecr 3393378316], length 0
00:23:43.425577 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32010, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x4772 (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179797840 ecr 3393378316], length 0
00:23:43.897195 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32011, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x459a (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179798312 ecr 3393378316], length 0
00:23:44.799626 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32012, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x421a (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179799208 ecr 3393378316], length 0
00:23:46.641107 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32013, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x3b1a (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179801000 ecr 3393378316], length 0
00:23:50.327206 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32014, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x2cba (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179804680 ecr 3393378316], length 0
00:23:57.495718 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32015, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x10ba (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179811848 ecr 3393378316], length 0
00:24:52.551099 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32016, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0xd8b9 (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179826184 ecr 3393378316], length 0
00:25:55.448896 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 653, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.46524 > 35.244.164.0.443: Flags [F.], cksum 0x8297 (correct), seq 1286551392, ack 3788831873, win 360, options [nop,nop,TS val 1121640525 ecr 756790798], length 0
00:25:57.751375 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32017, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x62b9 (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179856392 ecr 3393378316], length 0

On Thu, Aug 31, 2023 at 12:46 PM Ian Kumlien <ian.kumlien@xxxxxxxxx> wrote:
>
> On Thu, Aug 31, 2023 at 11:53 AM Jan Engelhardt <jengelh@xxxxxxx> wrote:
> >
> > On Thursday 2023-08-31 11:40, Ian Kumlien wrote:
> > >> > type filter hook forward priority 0
> > >> > ct state invalid counter drop # <- this one
> > >> >
> > >> >It just seems odd to me that traffic can go through without being NAT:ed
> > >>
> > >> MASQ requires connection tracking; if tracking is disabled for a connection,
> > >> addresses cannot be changed.
> > >
> > >I don't disable connection tracking - this is most likely an expired
> > >session that is reused and IMHO it should just be added
> >
> > "invalid" is not just invalid but also untracked (or untrackable)
> > CTs, and icmpv6-NDISC is not tracked for example (icmpv6-PING is).
>
> This was normal udp and tcp traffic...
>
> > Expired (forgotten) CTs are automatically recreated in the middle by default,
> > one needs extra rules to change the behavior (e.g. `tcp syn` test when
> > ctstate==NEW).
>
> I can do more debugging about the traffic that goes haywire, I have
> all the logs at home.
>
> But with:
> nf_conntrack_tcp_loose - BOOLEAN
> 0 - disabled
> not 0 - enabled (default)
>
> If it is set to zero, we disable picking up already established
> connections.
>
> Which is the default value:
> cat /proc/sys/net/netfilter/nf_conntrack_tcp_loose
> 1
>
> IMHO I shouldn't have to fudge things to make conntrack pick things up again.
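As an added example (not part of the thread and not netfilter's own code), here is the check the capture above is doing by eye, written as a small script: parse `tcpdump -e -n -v` lines taken on the WAN-facing side of the gateway, flag every packet whose source is still an RFC 1918 address (forwarded, but never masqueraded), group those packets by 4-tuple, and record whether a flow consists solely of FIN-bearing packets, which is what all of the leaked packets above are (Flags [F.], length 0, the same FIN being retransmitted). The sample input is a constructed subset of the lines quoted above plus three constructed lines: a UDP packet to the documentation address 192.0.2.53, an ARP frame that should be ignored, and a correctly masqueraded packet from a placeholder WAN address 203.0.113.5 that must not be flagged.

```python
"""Spot packets that a NAT gateway forwarded without masquerading them.

Input: tcpdump -e -n -v lines captured on the WAN-facing interface of the
gateway.  A packet there whose source is still an RFC 1918 address was
forwarded but not NATed, which with an nftables masquerade rule means
conntrack had no usable entry for the flow.  Packets are grouped per
4-tuple so a burst of retransmissions shows up as one flow, and each flow
records whether every packet carried FIN (a close being retransmitted)
rather than mid-stream data.
"""
import ipaddress
import re
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the IPv4 part of a `tcpdump -e -n -v` line.  The TCP flags group
# is optional so UDP lines parse as well; non-IP frames (ARP etc.) do not.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"proto (?P<proto>[A-Z]+) \(\d+\), length \d+\) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)


def parse_line(line):
    """Return ts/proto/src/sport/dst/dport/flags as a dict, or None."""
    m = PKT_RE.match(line)
    return m.groupdict() if m else None


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_unmasqueraded(pkt):
    """Private source heading to a non-private destination on the WAN side."""
    return is_rfc1918(pkt["src"]) and not is_rfc1918(pkt["dst"])


def leaked_flows(lines):
    """Group un-NATed packets by (proto, src, sport, dst, dport)."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt and is_unmasqueraded(pkt):
            flows[(pkt["proto"], pkt["src"], pkt["sport"],
                   pkt["dst"], pkt["dport"])].append(pkt)
    report = {}
    for key, pkts in flows.items():
        report[key] = {
            "packets": len(pkts),
            "first": pkts[0]["ts"],
            "last": pkts[-1]["ts"],
            # True when every packet in the flow carries FIN: the close of a
            # session is being retransmitted, not new data being sent.
            "all_fin": all(p["flags"] is not None and "F" in p["flags"]
                           for p in pkts),
        }
    return report


# Constructed sample: lines from the capture in the thread plus three made-up
# lines (a UDP query, an ARP frame, and a properly masqueraded packet whose
# source 203.0.113.5 stands in for the gateway's real WAN address).
SAMPLE_LINES = [
    "00:21:25.721875 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45804, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x6a63 (correct), seq 3548801895, ack 3655548521, win 501, options [nop,nop,TS val 1914199063 ecr 1522403623], length 0",
    "00:21:26.268459 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45805, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x6823 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914199639 ecr 1522403623], length 0",
    "00:21:27.421368 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 45806, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.213.42938 > 35.224.170.84.80: Flags [F.], cksum 0x63a3 (correct), seq 0, ack 1, win 501, options [nop,nop,TS val 1914200791 ecr 1522403623], length 0",
    "00:21:38.272384 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 42256, offset 0, flags [none], proto TCP (6), length 52) 10.0.0.26.61981 > 142.250.74.99.80: Flags [F.], cksum 0xed07 (correct), seq 0, ack 1, win 4096, options [nop,nop,TS val 96358724 ecr 2670615284], length 0",
    "00:21:40.000000 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 7, offset 0, flags [DF], proto UDP (17), length 60) 10.0.0.213.40000 > 192.0.2.53.53: [udp sum ok] 4660+ A? example.org. (32)",
    "00:21:41.000000 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 8, offset 0, flags [DF], proto TCP (6), length 52) 203.0.113.5.42938 > 35.224.170.84.80: Flags [.], cksum 0x0000 (correct), seq 1, ack 1, win 501, options [nop,nop,TS val 1 ecr 1], length 0",
    "00:21:42.000000 0c:c4:7a:fa:3d:4c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.213, length 28",
    "00:23:43.034245 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32008, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x492f (correct), seq 3484918907, ack 446014897, win 291, options [nop,nop,TS val 1179797395 ecr 3393378316], length 0",
    "00:23:43.202140 0c:c4:7a:fa:3d:4c > e0:ac:f1:12:c1:6a, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 63, id 32009, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.57832 > 142.250.74.132.443: Flags [F.], cksum 0x4852 (correct), seq 0, ack 1, win 291, options [nop,nop,TS val 1179797616 ecr 3393378316], length 0",
]

if __name__ == "__main__":
    for key, info in leaked_flows(SAMPLE_LINES).items():
        print("%s %s:%s -> %s:%s  packets=%d  %s..%s  all_fin=%s"
              % (key + (info["packets"], info["first"], info["last"],
                        info["all_fin"])))
```

Run against a real `tcpdump -e -n -v -i <wan-if>` dump (piped in line by line instead of SAMPLE_LINES), any flow it prints is one the masquerade rule never touched; the `all_fin` column separates retransmitted closes, which match the leak pattern in the capture above, from flows with live data that would need a different explanation.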