Re: DNAT and VPN Tunnel problems, traffic checks in, but doesn't check out

I'm sending this in HTML format, hoping the dump lines won't wrap. LOL, also, my original message was too long, so I've shortened it... sorry if you all get one of these twice.
 
Using the configuration you suggested below (the original configuration I tried, and the one that made the most sense to me also), I've dumped both sides of the tunnel. Below is the output. From the data below, it's obvious that any outgoing packets with a full payload (the payload size is 1460)
 
i.e. 09:29:05.797718 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
 
never make it to the tunnel interface. This is why incoming IMAP appears to work just fine, but sending mail doesn't.
 
Again, this seems a bit crazy, as my FORWARD chain specifically allows any traffic to and from eth1 and tun0.
 
$IPTABLES -A FORWARD -i tun+ -j ACCEPT       
$IPTABLES -A FORWARD -i tap+ -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
tcpdump data:
 
Firewall on the local side of the tunnel: (tun0)
 
09:29:04.986164 10.1.2.10.3969 > 10.1.1.7.smtp: S 266730469:266730469(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:29:05.031684 10.1.1.7.smtp > 10.1.2.10.3969: S 361700781:361700781(0) ack 266730470 win 5840 <mss 1460,nop,nop,sackOK> (DF)
09:29:05.032048 10.1.2.10.3969 > 10.1.1.7.smtp: . ack 1 win 64240 (DF)
09:29:05.070314 10.1.1.7.smtp > 10.1.2.10.3969: P 1:30(29) ack 1 win 5840 (DF)
09:29:05.071048 10.1.2.10.3969 > 10.1.1.7.smtp: P 1:15(14) ack 30 win 64211 (DF)
09:29:05.116340 10.1.1.7.smtp > 10.1.2.10.3969: . ack 15 win 5840 (DF)
09:29:05.117105 10.1.1.7.smtp > 10.1.2.10.3969: P 30:53(23) ack 15 win 5840 (DF)
09:29:05.122915 10.1.2.10.3969 > 10.1.1.7.smtp: P 15:50(35) ack 53 win 64188 (DF)
09:29:05.158822 10.1.1.7.smtp > 10.1.2.10.3969: P 53:61(8) ack 50 win 5840 (DF)
09:29:05.159389 10.1.2.10.3969 > 10.1.1.7.smtp: P 50:81(31) ack 61 win 64180 (DF)
09:29:05.199339 10.1.1.7.smtp > 10.1.2.10.3969: P 61:69(8) ack 81 win 5840 (DF)
09:29:05.217269 10.1.2.10.3969 > 10.1.1.7.smtp: P 81:87(6) ack 69 win 64172 (DF)
09:29:05.253722 10.1.1.7.smtp > 10.1.2.10.3969: P 69:82(13) ack 87 win 5840 (DF)
09:29:05.461527 10.1.2.10.3969 > 10.1.1.7.smtp: . ack 82 win 64159 (DF)
09:29:05.489089 10.1.1.7.smtp > 10.1.2.10.3969: P 69:82(13) ack 87 win 5840 (DF)
09:29:05.489324 10.1.2.10.3969 > 10.1.1.7.smtp: . ack 82 win 64159 (DF)
09:29:05.637836 10.1.2.10.3969 > 10.1.1.7.smtp: P 87:93(6) ack 82 win 64159 (DF)
09:29:05.674820 10.1.1.7.smtp > 10.1.2.10.3969: P 82:95(13) ack 93 win 5840 (DF)
09:29:05.675137 10.1.2.10.3969 > 10.1.1.7.smtp: P 93:128(35) ack 95 win 64146 (DF)
09:29:05.711645 10.1.1.7.smtp > 10.1.2.10.3969: P 95:103(8) ack 128 win 5840 (DF)
09:29:05.712153 10.1.2.10.3969 > 10.1.1.7.smtp: P 128:159(31) ack 103 win 64138 (DF)
09:29:05.760162 10.1.1.7.smtp > 10.1.2.10.3969: P 103:111(8) ack 159 win 5840 (DF)
09:29:05.760485 10.1.2.10.3969 > 10.1.1.7.smtp: P 159:165(6) ack 111 win 64130 (DF)
09:29:05.796928 10.1.1.7.smtp > 10.1.2.10.3969: P 111:125(14) ack 165 win 5840 (DF)
09:29:05.798040 10.1.2.10.3969 > 10.1.1.7.smtp: P 4545:4763(218) ack 125 win 64116 (DF)
09:29:05.798086 10.1.2.10.3969 > 10.1.1.7.smtp: P 4763:4768(5) ack 125 win 64116 (DF)
09:29:05.834350 10.1.1.7.smtp > 10.1.2.10.3969: . ack 165 win 5840 <nop,nop,sack sack 1 {4545:4763} > (DF)
09:29:05.846786 10.1.1.7.smtp > 10.1.2.10.3969: . ack 165 win 5840 <nop,nop,sack sack 1 {4545:4768} > (DF)
 
Remote side of the tunnel: (tun0)
 
12:08:10.673521 10.1.2.10.3969 > 10.1.1.7.smtp: S 266730469:266730469(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
12:08:10.674685 10.1.1.7.smtp > 10.1.2.10.3969: S 361700781:361700781(0) ack 266730470 win 5840 <mss 1460,nop,nop,sackOK> (DF)
12:08:10.718701 10.1.2.10.3969 > 10.1.1.7.smtp: . ack 1 win 64240 (DF)
12:08:10.722990 10.1.1.7.smtp > 10.1.2.10.3969: P 1:30(29) ack 1 win 5840 (DF)
12:08:10.761777 10.1.2.10.3969 > 10.1.1.7.smtp: P 1:15(14) ack 30 win 64211 (DF)
12:08:10.762026 10.1.1.7.smtp > 10.1.2.10.3969: . ack 15 win 5840 (DF)
12:08:10.762144 10.1.1.7.smtp > 10.1.2.10.3969: P 30:53(23) ack 15 win 5840 (DF)
12:08:10.809779 10.1.2.10.3969 > 10.1.1.7.smtp: P 15:50(35) ack 53 win 64188 (DF)
12:08:10.810126 10.1.1.7.smtp > 10.1.2.10.3969: P 53:61(8) ack 50 win 5840 (DF)
12:08:10.846437 10.1.2.10.3969 > 10.1.1.7.smtp: P 50:81(31) ack 61 win 64180 (DF)
12:08:10.851162 10.1.1.7.smtp > 10.1.2.10.3969: P 61:69(8) ack 81 win 5840 (DF)
12:08:10.905777 10.1.2.10.3969 > 10.1.1.7.smtp: P 81:87(6) ack 69 win 64172 (DF)
12:08:10.906068 10.1.1.7.smtp > 10.1.2.10.3969: P 69:82(13) ack 87 win 5840 (DF)
12:08:11.139331 10.1.1.7.smtp > 10.1.2.10.3969: P 69:82(13) ack 87 win 5840 (DF)
12:08:11.148104 10.1.2.10.3969 > 10.1.1.7.smtp: . ack 82 win 64159 (DF)
12:08:11.177095 10.1.2.10.3969 > 10.1.1.7.smtp: . ack 82 win 64159 (DF)
12:08:11.324853 10.1.2.10.3969 > 10.1.1.7.smtp: P 87:93(6) ack 82 win 64159 (DF)
12:08:11.325240 10.1.1.7.smtp > 10.1.2.10.3969: P 82:95(13) ack 93 win 5840 (DF)
12:08:11.363484 10.1.2.10.3969 > 10.1.1.7.smtp: P 93:128(35) ack 95 win 64146 (DF)
12:08:11.363818 10.1.1.7.smtp > 10.1.2.10.3969: P 95:103(8) ack 128 win 5840 (DF)
12:08:11.412066 10.1.2.10.3969 > 10.1.1.7.smtp: P 128:159(31) ack 103 win 64138 (DF)
12:08:11.412477 10.1.1.7.smtp > 10.1.2.10.3969: P 103:111(8) ack 159 win 5840 (DF)
12:08:11.447083 10.1.2.10.3969 > 10.1.1.7.smtp: P 159:165(6) ack 111 win 64130 (DF)
12:08:11.449412 10.1.1.7.smtp > 10.1.2.10.3969: P 111:125(14) ack 165 win 5840 (DF)
12:08:11.486836 10.1.2.10.3969 > 10.1.1.7.smtp: P 4545:4763(218) ack 125 win 64116 (DF)
 
Here is the interesting part:
Local side of the tunnel, but the eth1 (private network) interface:
 
09:29:04.986096 10.1.2.10.3969 > 129.41.69.137.smtp: S 266730469:266730469(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
09:29:05.031723 129.41.69.137.smtp > 10.1.2.10.3969: S 361700781:361700781(0) ack 266730470 win 5840 <mss 1460,nop,nop,sackOK> (DF)
09:29:05.032012 10.1.2.10.3969 > 129.41.69.137.smtp: . ack 1 win 64240 (DF)
09:29:05.070351 129.41.69.137.smtp > 10.1.2.10.3969: P 1:30(29) ack 1 win 5840 (DF)
09:29:05.071015 10.1.2.10.3969 > 129.41.69.137.smtp: P 1:15(14) ack 30 win 64211 (DF)
09:29:05.116376 129.41.69.137.smtp > 10.1.2.10.3969: . ack 15 win 5840 (DF)
09:29:05.117139 129.41.69.137.smtp > 10.1.2.10.3969: P 30:53(23) ack 15 win 5840 (DF)
09:29:05.122880 10.1.2.10.3969 > 129.41.69.137.smtp: P 15:50(35) ack 53 win 64188 (DF)
09:29:05.158861 129.41.69.137.smtp > 10.1.2.10.3969: P 53:61(8) ack 50 win 5840 (DF)
09:29:05.159354 10.1.2.10.3969 > 129.41.69.137.smtp: P 50:81(31) ack 61 win 64180 (DF)
09:29:05.199376 129.41.69.137.smtp > 10.1.2.10.3969: P 61:69(8) ack 81 win 5840 (DF)
09:29:05.217234 10.1.2.10.3969 > 129.41.69.137.smtp: P 81:87(6) ack 69 win 64172 (DF)
09:29:05.253760 129.41.69.137.smtp > 10.1.2.10.3969: P 69:82(13) ack 87 win 5840 (DF)
09:29:05.461468 10.1.2.10.3969 > 129.41.69.137.smtp: . ack 82 win 64159 (DF)
09:29:05.489124 129.41.69.137.smtp > 10.1.2.10.3969: P 69:82(13) ack 87 win 5840 (DF)
09:29:05.489289 10.1.2.10.3969 > 129.41.69.137.smtp: . ack 82 win 64159 (DF)
09:29:05.637796 10.1.2.10.3969 > 129.41.69.137.smtp: P 87:93(6) ack 82 win 64159 (DF)
09:29:05.674856 129.41.69.137.smtp > 10.1.2.10.3969: P 82:95(13) ack 93 win 5840 (DF)
09:29:05.675104 10.1.2.10.3969 > 129.41.69.137.smtp: P 93:128(35) ack 95 win 64146 (DF)
09:29:05.711681 129.41.69.137.smtp > 10.1.2.10.3969: P 95:103(8) ack 128 win 5840 (DF)
09:29:05.712122 10.1.2.10.3969 > 129.41.69.137.smtp: P 128:159(31) ack 103 win 64138 (DF)
09:29:05.760198 129.41.69.137.smtp > 10.1.2.10.3969: P 103:111(8) ack 159 win 5840 (DF)
09:29:05.760453 10.1.2.10.3969 > 129.41.69.137.smtp: P 159:165(6) ack 111 win 64130 (DF)
09:29:05.796963 129.41.69.137.smtp > 10.1.2.10.3969: P 111:125(14) ack 165 win 5840 (DF)
09:29:05.797718 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
09:29:05.797843 10.1.2.10.3969 > 129.41.69.137.smtp: . 1625:3085(1460) ack 125 win 64116 (DF)
09:29:05.797966 10.1.2.10.3969 > 129.41.69.137.smtp: . 3085:4545(1460) ack 125 win 64116 (DF)
09:29:05.797994 10.1.2.10.3969 > 129.41.69.137.smtp: P 4545:4763(218) ack 125 win 64116 (DF)
09:29:05.798031 10.1.2.10.3969 > 129.41.69.137.smtp: P 4763:4768(5) ack 125 win 64116 (DF)
09:29:05.834387 129.41.69.137.smtp > 10.1.2.10.3969: . ack 165 win 5840 <nop,nop,sack sack 1 {4545:4763} > (DF)
09:29:05.846822 129.41.69.137.smtp > 10.1.2.10.3969: . ack 165 win 5840 <nop,nop,sack sack 1 {4545:4768} > (DF)
09:29:05.847323 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
09:29:05.847445 10.1.2.10.3969 > 129.41.69.137.smtp: . 1625:3085(1460) ack 125 win 64116 (DF)
09:29:05.847568 10.1.2.10.3969 > 129.41.69.137.smtp: . 3085:4545(1460) ack 125 win 64116 (DF)
09:29:06.555338 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
09:29:08.195721 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
09:29:11.367205 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
09:29:17.819496 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
09:29:30.614817 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)
 
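The comparison the post makes by eye, done mechanically: an added example (not from the original post or from the netfilter project) that parses the pre-4.0 tcpdump line format shown above and lists the data segments that appear in the eth1 capture but never in the tun0 capture. It matches segments on ports, sequence range and payload length only, so the DNAT-rewritten destination address (129.41.69.137 on eth1, 10.1.1.7 on tun0) does not get in the way. The sample lines are excerpted from the two captures in the post; the function and variable names are my own.

```python
"""Diff two tcpdump captures of one TCP flow taken on different interfaces
and report the data segments seen on the first but never on the second.
Parses the pre-4.0 tcpdump line format used in the post, e.g.
"10.1.2.10.3969 > 10.1.1.7.smtp: . 165:1625(1460) ack 125 win 64116 (DF)".
Segments are matched on ports, sequence range and length only, because
DNAT rewrites the destination IP between the two capture points."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SPFR.]+)\s+"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?"
    r"win\s+(?P<win>\d+)(?P<rest>.*)$"
)

# Lines excerpted from the captures in the post: the private-side interface
# (eth1, before DNAT) and the tunnel interface (tun0, after DNAT).
ETH1_CAPTURE = [
    "09:29:05.760453 10.1.2.10.3969 > 129.41.69.137.smtp: P 159:165(6) ack 111 win 64130 (DF)",
    "09:29:05.796963 129.41.69.137.smtp > 10.1.2.10.3969: P 111:125(14) ack 165 win 5840 (DF)",
    "09:29:05.797718 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)",
    "09:29:05.797843 10.1.2.10.3969 > 129.41.69.137.smtp: . 1625:3085(1460) ack 125 win 64116 (DF)",
    "09:29:05.797966 10.1.2.10.3969 > 129.41.69.137.smtp: . 3085:4545(1460) ack 125 win 64116 (DF)",
    "09:29:05.797994 10.1.2.10.3969 > 129.41.69.137.smtp: P 4545:4763(218) ack 125 win 64116 (DF)",
    "09:29:05.798031 10.1.2.10.3969 > 129.41.69.137.smtp: P 4763:4768(5) ack 125 win 64116 (DF)",
    "09:29:05.834387 129.41.69.137.smtp > 10.1.2.10.3969: . ack 165 win 5840 <nop,nop,sack sack 1 {4545:4763} > (DF)",
    "09:29:05.847323 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)",
    "09:29:05.847445 10.1.2.10.3969 > 129.41.69.137.smtp: . 1625:3085(1460) ack 125 win 64116 (DF)",
    "09:29:05.847568 10.1.2.10.3969 > 129.41.69.137.smtp: . 3085:4545(1460) ack 125 win 64116 (DF)",
    "09:29:06.555338 10.1.2.10.3969 > 129.41.69.137.smtp: . 165:1625(1460) ack 125 win 64116 (DF)",
]
TUN0_CAPTURE = [
    "09:29:05.760485 10.1.2.10.3969 > 10.1.1.7.smtp: P 159:165(6) ack 111 win 64130 (DF)",
    "09:29:05.796928 10.1.1.7.smtp > 10.1.2.10.3969: P 111:125(14) ack 165 win 5840 (DF)",
    "09:29:05.798040 10.1.2.10.3969 > 10.1.1.7.smtp: P 4545:4763(218) ack 125 win 64116 (DF)",
    "09:29:05.798086 10.1.2.10.3969 > 10.1.1.7.smtp: P 4763:4768(5) ack 125 win 64116 (DF)",
    "09:29:05.834350 10.1.1.7.smtp > 10.1.2.10.3969: . ack 165 win 5840 <nop,nop,sack sack 1 {4545:4763} > (DF)",
]


def parse_line(line):
    """Return the fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Endpoints look like "10.1.2.10.3969"; the port may be a service name.
    src_host, _, sport = m["src"].rpartition(".")
    dst_host, _, dport = m["dst"].rpartition(".")
    has_data = m["seq"] is not None
    return {
        "ts": m["ts"], "src": src_host, "sport": sport,
        "dst": dst_host, "dport": dport, "flags": m["flags"],
        "seq": int(m["seq"]) if has_data else None,
        "end": int(m["end"]) if has_data else None,
        "len": int(m["len"]) if has_data else 0,
        "df": "(DF)" in m["rest"],
    }


def data_segments(lines):
    """Count data-bearing segments, keyed by (sport, dport, seq, end, len)."""
    seen = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["len"] > 0:
            seen[(p["sport"], p["dport"], p["seq"], p["end"], p["len"])] += 1
    return seen


def missing_segments(before_lines, after_lines):
    """Segments present in the 'before' capture but never in 'after'.
    Maps each segment key to how often it was seen before, so that the
    retransmissions of a dropped segment are visible in the report."""
    after = data_segments(after_lines)
    return {k: n for k, n in data_segments(before_lines).items() if k not in after}


def lengths_of_missing(missing):
    """Payload lengths of the missing segments: {length: segment_count}."""
    return dict(Counter(key[4] for key in missing))


if __name__ == "__main__":
    missing = missing_segments(ETH1_CAPTURE, TUN0_CAPTURE)
    for (sport, dport, seq, end, length), n in sorted(missing.items()):
        print(f"{sport} -> {dport} {seq}:{end}({length}) seen {n}x on eth1, never on tun0")
    print("missing segments by payload length:", lengths_of_missing(missing))
```

Run against the excerpt, the report lists exactly the three 1460-byte segments 165:1625, 1625:3085 and 3085:4545, each with the DF bit set and each retransmitted on eth1, while every smaller segment in both directions shows up on tun0. When only the full-size DF segments of a flow vanish between the inner interface and the tunnel interface, the tunnel's MTU is the first thing to check before looking further at filter rules, since a FORWARD rule would not drop packets selectively by size. The same script works on full-length captures of both interfaces; save them with tcpdump and pass the lines to missing_segments.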