kernel 2.6 ipsec and DNAT

Hi,

we have been using iptables and ipsec for several years now (starting with freeswan 1.0) without too many problems. We have now upgraded to the 2.6 kernel (under Fedora 2) and Openswan 2.x.

Our setup works perfectly, with several dozen tunnels up and running. We have worked around the lack of an ipsec0 interface by marking packets (in fact this is a great solution that enables us to separate the firewall settings completely from the vpn tunnels).

The problem I am encountering now is that it seems that DNAT is not working when the d-natted session comes from a tunneled site. My setup is:

192.168.1.0/24 local intranet
192.168.2.0/24 distant intranet

the ipsec tunnel is set up from distant to local in order to get all the traffic passing through the local firewall (192.168.2.0/24 -> 0.0.0.0/0).

This works perfectly and all the traffic, whether intranet or internet, passes through the local firewall.

The problem now is that I want to redirect the web traffic to squid using classical transparent proxying:

iptables -t nat -A PREROUTING -p tcp --dport 80 -m mark --mark 0x50010000/0xFFFF0000 -j DNAT --to 192.168.1.99:3128

for an unknown reason, this is not working. On the 192.168.1.99 host, I see the connection arriving but not coming up correctly:

tethereal host 192.168.2.18
0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1260
0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0 Ack=0 Win=0 Len=0


the last line RST seems not to be issued by the 192.168.2.18 host, but probably by the firewall/VPN gateway. I have also tried to set /proc/sys/net/ipv4/conf/*/rp_filter to 0, but the problem is the same.

the same setup was working correctly under a kernel 2.4, so I think the problem is about natting the vpn connection.

Is there any known problem like this under the current 2.6.8 kernel? Do you have any idea how to bypass the problem?

-------------------------------------------------------
Alain RICHARD <mailto:alain.richard@xxxxxxxxxxx>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00	 Fax : +33 477 79 48 01
Client/server applications, network engineering and Linux
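The diagnosis in the post rests on one observation in the tethereal capture: the RST comes from source port 1024, while the SYN and SYN/ACK belong to the 1166 <-> http flow, so the reset does not match any handshake the host actually started. The following script is an added example, not part of the original mail or of Openswan/netfilter; it parses tethereal's one-line TCP summary format and flags RST segments whose 4-tuple never carried a SYN in the same trace. The sample trace is the three lines quoted above; the service-name table is a small assumption made for the example (tethereal prints names such as "http" in place of port numbers).

```python
import re
from dataclasses import dataclass

# Constructed sample: the three tethereal lines quoted in the post (not a new capture).
SAMPLE_TRACE = """\
0.256680 192.168.2.18 -> 192.168.1.99 TCP 1166 > http [SYN] Seq=0 Ack=0 Win=64512 Len=0 MSS=1260
0.256718 192.168.1.99 -> 192.168.2.18 TCP http > 1166 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.442346 192.168.2.18 -> 192.168.1.99 TCP 1024 > http [RST] Seq=0 Ack=0 Win=0 Len=0
"""

# Assumed mapping for the service names tethereal substitutes for port numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}

# time  src -> dst  TCP  sport > dport  [FLAGS]  ...rest of line ignored
LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Segment:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def port_number(token):
    """Resolve a tethereal port token ("http" or "1166") to an integer."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_trace(text):
    """Parse tethereal TCP summary lines; lines that do not match are skipped."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = frozenset(f.strip() for f in m["flags"].split(","))
        segments.append(Segment(float(m["t"]), m["src"], port_number(m["sport"]),
                                m["dst"], port_number(m["dport"]), flags))
    return segments


def flow_key(seg):
    """Direction-independent 4-tuple, so SYN and SYN/ACK map to the same flow."""
    return tuple(sorted(((seg.src, seg.sport), (seg.dst, seg.dport))))


def find_orphan_resets(segments):
    """RST segments whose 4-tuple never carried a SYN in this trace.

    A reset that belongs to no handshake the host saw is the pattern the post
    describes: it was most likely generated by a middlebox, not by the peer.
    """
    handshakes = {flow_key(s) for s in segments if "SYN" in s.flags}
    return [s for s in segments if "RST" in s.flags and flow_key(s) not in handshakes]


def describe(seg):
    return f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} {sorted(seg.flags)} at t={seg.t}"


if __name__ == "__main__":
    segs = parse_trace(SAMPLE_TRACE)
    for orphan in find_orphan_resets(segs):
        print("orphan RST:", describe(orphan))
```

Run against the three lines from the post, the script reports a single orphan RST from 192.168.2.18:1024, which is exactly the segment the author attributes to the gateway rather than to the client. On a larger capture the same check separates resets that close a real connection from resets injected on a 4-tuple the host never negotiated.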


