Re: Something weird


 



Grant,

  I found out what is happening; it is exactly what you said.

  The reason this occurs is related to conntrack: the specific route comes up after 
the first packet leaves the internal network (via the VPN interface, without masquerade), so 
by the time the specific route is in place, the connection has already been established.

  Even when the interface changes from tun0 to ppp0, the connection persists and the packets 
keep NOT being re-verified.

  I don't know if it can be considered a bug, but it seems to me an odd situation: as the interface 
has changed and other networks will be crossed, I think the rules should be re-validated, don't you?

root@fw:/proc/net# grep 172.18.0.13 ip_conntrack
udp      17 2809 src=172.18.0.13 dst=200.198.184.204 sport=5060 dport=5060 packets=977 bytes=537937 src=200.198.184.204 dst=172.18.0.13 sport=5060 dport=5060 packets=30 bytes=16384 [ASSURED] mark=0 use=1

  Thanks for your help,

On Wednesday 01 October 2008, you wrote:
> On 10/01/08 06:34, Marcio Veloso Antunes wrote:
> > Can you bring me some light on why packets from 172.18.0.13 are
> > crossing ppp0 without being masqueraded?
>
> I can't tell for sure (you did not provide your IP addresses per se)
> but it looks like the traffic is from your internal network and headed
> for your external ppp0 interface itself.
>
> Seeing as how you did not actually provide your IPs I'm guessing based
> on the fact that you have a route of 200.198.184.204/32 on your ppp0
> interface that said IP is bound to said interface.  If this is the case,
> it is possible that the traffic is entering the kernel and going up the
> network stack directly rather than being forwarded like you would expect.
>
> I believe this is coming back to the fact that IPs are not bound to an
> interface per se, but rather to the computer, and that in some situations
> any interface in the system will take the traffic and pass it up into
> the network stack without forwarding it over to the interface that it is
> bound to before it takes the traffic and passes it higher in the
> networking stack.
>
> Grant. . . .



-- 
Marcio Veloso Antunes
Tecnologia IP Ltda
+55.21.3005.3004
+55.11.3588.0802
+55.21.8539.2949
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
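Added example, not part of the thread: a small Python check over the /proc/net/ip_conntrack format quoted above that flags flows from private source addresses whose reply tuple still points at the private source, which is what an entry looks like when no SNAT/masquerade was applied. The first sample line is the one quoted in the post; the second line and the function names are constructed for illustration.

```python
"""Flag conntrack entries that left a private network without source NAT.

In the ip_conntrack format the first src/dst/sport/dport group is the
original direction and the second is the expected reply. With masquerade,
the reply dst is the public address; without it, reply dst == original src.
"""
import ipaddress
import re

# Constructed sample: the entry quoted in the thread plus a masqueraded one
SAMPLE = """\
udp      17 2809 src=172.18.0.13 dst=200.198.184.204 sport=5060 dport=5060 packets=977 bytes=537937 src=200.198.184.204 dst=172.18.0.13 sport=5060 dport=5060 packets=30 bytes=16384 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=172.18.0.20 dst=198.51.100.7 sport=40000 dport=443 packets=10 bytes=1200 src=198.51.100.7 dst=203.0.113.9 sport=443 dport=40000 packets=8 bytes=900 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens on a conntrack line

def parse_entry(line):
    """Return (proto, original tuple, reply tuple) for one conntrack entry."""
    proto = line.split()[0]
    orig, reply = {}, {}
    for key, value in KV.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            # First occurrence of each key belongs to the original direction,
            # the second to the reply direction.
            target = orig if key not in orig else reply
            target[key] = value
    return proto, orig, reply

def is_unnatted_private(orig, reply):
    """True if a private source is expected to receive replies directly,
    i.e. no SNAT rewrote the source before the packet left."""
    src = ipaddress.ip_address(orig["src"])
    return src.is_private and reply["dst"] == orig["src"]

def find_unnatted(text):
    """Return (proto, src, dst, dport) for every un-NATed private flow."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, orig, reply = parse_entry(line)
        if is_unnatted_private(orig, reply):
            hits.append((proto, orig["src"], orig["dst"], orig["dport"]))
    return hits

if __name__ == "__main__":
    for hit in find_unnatted(SAMPLE):
        print("no SNAT applied:", hit)
```

Run against a live table (`cat /proc/net/ip_conntrack` or `nf_conntrack` on newer kernels) to spot connections that were established before the expected route or NAT rule took effect.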
