Re: DNAT hiding routers behind it


simonl@pc $ traceroute -q1 -I 192.168.1.11
traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
 1  10.44.252.1 (10.44.252.1)  4.297 ms
 2  10.44.8.1 (10.44.8.1)  3.892 ms
 3  192.168.44.1 (192.168.44.1)  4.826 ms
 4  192.168.1.11 (192.168.1.11)  5.095 ms

All good. Now for the fun (dnat to another host at similar distance):
root@fw # iptables -t nat -A PREROUTING -i vmnet2 -s 10.44.252.2 -d 192.168.1.11 -j DNAT --to-destination 192.168.2.11

simonl@pc $ traceroute -q1 -I 192.168.1.11
traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 38 byte packets
 1  10.44.252.1 (10.44.252.1)  1.854 ms
 2  192.168.1.11 (192.168.1.11)  9.378 ms
 3  192.168.1.11 (192.168.1.11)  17.237 ms
 4  192.168.1.11 (192.168.1.11)  3.783 ms

See?


Yes. Strange. I think I'd like to see the output of "traceroute -q1 -I 192.168.2.11" (with or without the DNAT rule, shouldn't make any difference).
Note I managed to set up stuff so I do not need the SNAT rule anymore. The firewall is a plain forwarding router now, except for the dnat rule.

It is what you would expect (same with and without dnat):
simonl@pc $ traceroute -q1 -I 192.168.2.11
traceroute to 192.168.2.11 (192.168.2.11), 30 hops max, 38 byte packets
 1  10.44.252.1 (10.44.252.1)  1.095 ms
 2  10.44.8.1 (10.44.8.1)  1.936 ms
 3  192.168.44.1 (192.168.44.1)  6.036 ms
 4  192.168.2.11 (192.168.2.11)  3.077 ms

Also, can you put a packet sniffer such as ethereal on the link 10.44.8.10 - 10.44.8.1 to see what packets are really leaving your firewall to the rest of the network?
Sure, this is from the firewall, ethereal sniffing all interfaces with filter "ip proto 1", with dnat, doing traceroute -q1 -I 192.168.1.11 (slightly prettyprinted):

No Source        Destination   Protocol Info
 1 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
 2 10.44.252.1   10.44.252.2   ICMP     Time-to-live exceeded
 3 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
 4 10.44.252.2   192.168.2.11  ICMP     Echo (ping) request
 5 10.44.8.1     10.44.252.2   ICMP     Time-to-live exceeded
 6 192.168.1.11  10.44.252.2   ICMP     Time-to-live exceeded
 7 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
 8 10.44.252.2   192.168.2.11  ICMP     Echo (ping) request
 9 192.168.44.1  10.44.252.2   ICMP     Time-to-live exceeded
10 192.168.1.11  10.44.252.2   ICMP     Time-to-live exceeded
11 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
12 10.44.252.2   192.168.2.11  ICMP     Echo (ping) request
13 192.168.2.11  10.44.252.2   ICMP     Echo (ping) reply
14 192.168.1.11  10.44.252.2   ICMP     Echo (ping) reply

In my understanding line 5 means 10.44.8.1 sent back a ttl-exceeded as it should.

The strange thing is on line 6. The ttl-exceeded packet is sent to the pc, but at that point, the source address has been changed to 192.168.1.11.

The corresponding output from traceroute'ing 192.168.2.11 is:
 5 10.44.8.1     10.44.252.2   ICMP     Time-to-live exceeded
 6 10.44.8.1     10.44.252.2   ICMP     Time-to-live exceeded

The ttl-exceeded packet is just forwarded, as expected.

I have attached libpcap dump files for traceroute'ing both hosts in case they contain more relevant info.

I would like to set up a stealth sniffer between firewall and next-hop router, but I do not know how, wish I still had a hub.

FYI kernel is 2.4.25.


Simon

Attachment: traceroute -q1 -I 192.168.1.11.dump
Description: Binary data

Attachment: traceroute -q1 -I 192.168.2.11.dump
Description: Binary data
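An added example, not from Simon's mail or from the netfilter project, that reads the posted ethereal table the way the thread does: the doubled echo requests (frames 3/4, 7/8, 11/12) give the DNAT mapping, and each rewritten TTL-exceeded frame (6, 10) is paired with the copy that arrived just before it to name the router that really answered. The capture text is the posted table re-typed as input; function names are this example's own.

```python
"""Constructed input: the ethereal summary posted above (traceroute -q1 -I
192.168.1.11 through the DNAT rule). Function names are this example's own."""
from collections import namedtuple

# Frame numbers and addresses as posted; the header row is left out.
CAPTURE = """\
 1 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
 2 10.44.252.1   10.44.252.2   ICMP     Time-to-live exceeded
 3 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
 4 10.44.252.2   192.168.2.11  ICMP     Echo (ping) request
 5 10.44.8.1     10.44.252.2   ICMP     Time-to-live exceeded
 6 192.168.1.11  10.44.252.2   ICMP     Time-to-live exceeded
 7 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
 8 10.44.252.2   192.168.2.11  ICMP     Echo (ping) request
 9 192.168.44.1  10.44.252.2   ICMP     Time-to-live exceeded
10 192.168.1.11  10.44.252.2   ICMP     Time-to-live exceeded
11 10.44.252.2   192.168.1.11  ICMP     Echo (ping) request
12 10.44.252.2   192.168.2.11  ICMP     Echo (ping) request
13 192.168.2.11  10.44.252.2   ICMP     Echo (ping) reply
14 192.168.1.11  10.44.252.2   ICMP     Echo (ping) reply
"""

Frame = namedtuple("Frame", "no src dst info")

def parse_capture(text):
    """One Frame per row: no, src, dst, protocol (dropped), info."""
    frames = []
    for line in text.splitlines():
        no, src, dst, _proto, info = line.split(None, 4)
        frames.append(Frame(int(no), src, dst, info))
    return frames

def infer_dnat(frames):
    """Sniffing every interface shows a forwarded probe twice: arriving
    (frame n) and leaving (frame n+1). Same source but a new destination
    in such a pair is the nat PREROUTING rewrite: original dst -> new dst."""
    reqs = [f for f in frames if f.info.endswith("request")]
    return {a.dst: b.dst for a, b in zip(reqs, reqs[1:])
            if b.no == a.no + 1 and a.src == b.src and a.dst != b.dst}

def true_hops(frames, mapping):
    """TTL-exceeded frames whose source is an address known only from the
    DNAT rule were rewritten on the way out; the frame just before each one
    is the same error arriving, so its source is the router that answered.
    Returns {rewritten frame no: (claimed source, real source)}."""
    errs = [f for f in frames if "Time-to-live exceeded" in f.info]
    return {b.no: (b.src, a.src) for a, b in zip(errs, errs[1:])
            if b.no == a.no + 1 and b.src in mapping
            and a.src not in mapping and a.dst == b.dst}
```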

