RE: UnNATing return packets

The LOG rules I put in PREROUTING and POSTROUTING aren't logging
anything!?! But I also put one in FORWARD, and it's logging the packets as
coming from the address DNAT changed the original packets to go to, and
destined for the original source address. This must mean the SNAT has
been undone when the return packets hit the FORWARD chain, but the DNAT
will not be undone until the packets reach the POSTROUTING chain. This
seems like a bug to me; I would expect all NAT to be undone before any
routing takes place, ideally before the PREROUTING chain.

I guess I will have to think of another way to implement multiple
incoming lines. Any suggestions would be appreciated. My first idea is
to run a UML instance so incoming packets go through the main linux
instance and are routed to the UML instance that NATs them, thus on the
return they are unNATed by the UML and passed to the main instance for
source routing. It sounds really nasty...

Tim

> -----Original Message-----
> From: George Vieira [mailto:georgev@xxxxxxxxxxxxxxxxxxxxxx] 
> Sent: 22 May 2003 22:49
> To: Tim Saunders; netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: UnNATing return packets
> 
> 
> In the prerouting stage, I assume, because that is the place 
> where DNAT takes place. Also take note they say "PREROUTING" 
> for a good reason, though I haven't tested it with iproute2 
> and source routing, but I assume they are in the same level. 
> Just remember that POSTROUTING is after the routing table.. 
> as it says in its name (he he, gotta love those netfilter 
> developers)..
> 
> Add some LOG rules matching both sets of IPs you're testing.
> 
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@xxxxxxxxxxxxxxxxxxxxxx
> 
> Citadel Computer Systems Pty Ltd http://www.citadelcomputer.com.au
> 
> -----Original Message-----
> From: Tim Saunders [mailto:Tim.Saunders@xxxxxxxxxxxxxx]
> Sent: Friday, May 23, 2003 12:51 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: UnNATing return packets
> 
> 
> When a TCP connection goes through a netfilter firewall and 
> is SNATed and DNATed, when do the return packets get unNATed? 
> I.e. a packet comes into the firewall from a client 
> requesting a TCP session; it is SNATed and DNATed and sent to 
> the server; the server sends an ack response, and this gets to 
> the firewall. When do the original source and destination 
> addresses (from the session request packet) get put back? Is 
> it before or after routing?
> 
> I am trying to do source routing of return packets based on 
> the address the client originally thought it was targeting. 
> Packets come in destined for 80.5.94.150 and get DNATed to 
> 10.136.1.7; they also get SNATed to 10.136.1.254. I have a 
> rule to route packets from 80.5.94.150 via a different 
> routing table with a default route that goes out of a 
> different line to normal, but the packets still get routed 
> out of the normal line. It is possible my source routing is 
> at fault. I am using the following commands:
> 
> I have added "15  sr1" to /etc/iproute2/rt_tables.
> 
> # ip rule add from 80.5.94.150 table sr1
> # ip route add default via 80.5.94.129 dev eth3 table sr1
> # ip route flush cache
> 
> One more thing that may be important: eth3 has an IP in 
> 80.5.94.128/25 and an IP in 10.234.1.0/24 that goes to a 
> router for the other line.
> 
> Any help greatly appreciated.
> Tim Saunders
> 
> 
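Added example, not part of the thread: a small Python model of the hook ordering Tim observed, using the addresses from his message. It shows that the server's reply reaches the routing decision with the SNAT already undone (destination back to the client) but the DNAT not yet undone (source still 10.136.1.7), so an `ip rule ... from 80.5.94.150` cannot match there, while a connection mark restored in mangle PREROUTING (`CONNMARK --restore-mark`) is visible to an `ip rule ... fwmark` lookup. The client address 203.0.113.9 and the mark value 1 are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; the client address is a constructed placeholder.
CLIENT, PUBLIC, SERVER, SNAT_IP = "203.0.113.9", "80.5.94.150", "10.136.1.7", "10.136.1.254"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    mark: int = 0  # fwmark, as set by the mangle table

def nat_prerouting(pkt: Packet, reply: bool) -> Packet:
    """nat PREROUTING hook: destination rewrites only.
    Original direction: apply the DNAT. Reply: undo the SNAT (dst back to the client)."""
    if not reply:
        return replace(pkt, dst=SERVER) if pkt.dst == PUBLIC else pkt
    return replace(pkt, dst=CLIENT) if pkt.dst == SNAT_IP else pkt

def nat_postrouting(pkt: Packet, reply: bool) -> Packet:
    """nat POSTROUTING hook: source rewrites only.
    Original direction: apply the SNAT. Reply: undo the DNAT (src back to the public IP)."""
    if not reply:
        return replace(pkt, src=SNAT_IP) if pkt.dst == SERVER else pkt
    return replace(pkt, src=PUBLIC) if pkt.src == SERVER else pkt

def mangle_prerouting(pkt: Packet, reply: bool) -> Packet:
    """mangle PREROUTING (runs before nat PREROUTING and before routing):
    set the mark on the original SYN, copy it back onto replies (CONNMARK --restore-mark)."""
    if not reply:
        return replace(pkt, mark=1) if pkt.dst == PUBLIC else pkt  # --set-mark 1 + --save-mark
    return replace(pkt, mark=1)  # constructed: the connection in this trace carries mark 1

def policy_route(pkt: Packet, use_fwmark: bool) -> str:
    """iproute2 rule lookup at the routing decision."""
    if use_fwmark and pkt.mark == 1:          # ip rule add fwmark 1 table sr1
        return "sr1"
    if not use_fwmark and pkt.src == PUBLIC:  # ip rule add from 80.5.94.150 table sr1
        return "sr1"
    return "main"

def trace_reply(use_fwmark: bool) -> dict:
    """Walk the server's reply through the hooks and record what each stage sees."""
    pkt = Packet(src=SERVER, dst=SNAT_IP)              # server's ACK as it arrives
    if use_fwmark:
        pkt = mangle_prerouting(pkt, reply=True)
    at_routing = nat_prerouting(pkt, reply=True)       # SNAT undone, DNAT still in place
    table = policy_route(at_routing, use_fwmark)
    on_wire = nat_postrouting(at_routing, reply=True)  # DNAT undone only after routing
    return {"at_routing": (at_routing.src, at_routing.dst), "table": table,
            "on_wire": (on_wire.src, on_wire.dst)}
```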
