Re: Traffic traverses OpenSwan tunnel, return traffic does not

Thank you for taking the time to reply-- I do appreciate it.  I'm in over my head with regard to some of this…

On Oct 1, 2011, at 1:23 PM, Steven Kath wrote:
> 
> It's hard to be sure if any of the filter rules apply to your IPsec policy without knowing the exact leftsubnet and rightsubnet you're using with OpenSWAN.

Er, sorry about that.

conn CAGE-HQ
        type=tunnel
        #left side is cage
        left=216.52.2.94
        leftsubnet=192.168.7.0/24
        #right side is hq
        right=24.43.1.162
        rightsubnet=192.168.11.0/24
        keyexchange=ike
        keyingtries=3
        auth=esp
        auto=start
        authby=secret
        esp=3des
        compress=yes
        pfs=yes


>  Besides that, if you're seeing the packets leave for the gateway unencrypted, you're not dropping them, so the output of your filter table probably isn't relevant.   
> 
> Are you doing any source or masquerade NAT?  If so, what does your NAT table look like?  (iptables -vnL -t nat) Better yet, show the output of 'iptables-save' instead which includes all tables. 

It would appear so.

# Generated by iptables-save v1.3.8 on Sat Oct  1 17:30:36 2011
*nat
:PREROUTING ACCEPT [11199794052:6934910892265]
:POSTROUTING ACCEPT [113395083:7916647096]
:OUTPUT ACCEPT [102013:29981510]
-A PREROUTING -d 64.94.106.65 -i eth0 -j DNAT --to-destination 192.168.7.10 
-A PREROUTING -d 64.94.106.69 -i eth0 -p tcp -m multiport --dports 80 -j DNAT --to-destination 192.168.7.10 
-A PREROUTING -d 64.94.106.66 -i eth0 -p tcp -m multiport --dports 8051 -j DNAT --to-destination 192.168.7.42 
-A POSTROUTING -s 192.168.7.42 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.102 
-A POSTROUTING -s 192.168.7.41 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.101 
-A POSTROUTING -s 192.168.7.40 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.100 
-A POSTROUTING -s 192.168.7.39 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.99 
-A POSTROUTING -s 192.168.7.38 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.98 
-A POSTROUTING -s 192.168.7.37 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.97 
-A POSTROUTING -s 192.168.7.35 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.96 
-A POSTROUTING -s 192.168.7.34 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.95 
-A POSTROUTING -s 192.168.7.33 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.94 
-A POSTROUTING -s 192.168.7.32 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.93 
-A POSTROUTING -s 192.168.7.31 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.92 
-A POSTROUTING -s 192.168.7.30 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.91 
-A POSTROUTING -s 192.168.7.35 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.96 
-A POSTROUTING -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.68 
-A POSTROUTING -s 192.168.7.10 -o eth0 -j SNAT --to-source 64.94.106.65 
-A POSTROUTING -o eth0 -j SNAT --to-source 64.94.106.64 
-A POSTROUTING -s 192.168.7.35 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.96 
COMMIT
# Completed on Sat Oct  1 17:30:36 2011
# Generated by iptables-save v1.3.8 on Sat Oct  1 17:30:36 2011
*filter
:INPUT DROP [1542546:142039707]
:FORWARD DROP [8493370:581284348]
:OUTPUT DROP [938503:45350939]
-A INPUT -s 204.15.23.169 -j ACCEPT 
-A INPUT -s 124.115.0.167 -j ACCEPT 
-A INPUT -s 124.115.0.166 -j ACCEPT 
-A INPUT -s 124.115.0.159 -j ACCEPT 
-A INPUT -s 204.15.23.170 -j ACCEPT 
-A INPUT -s 204.15.23.168 -j ACCEPT 
-A INPUT -s 124.115.4.198 -j ACCEPT 
-A INPUT -s 204.15.23.171 -j ACCEPT 
-A INPUT -s 124.115.0.156 -j ACCEPT 
-A INPUT -s 124.115.4.192 -j ACCEPT 
-A INPUT -s 124.115.0.19 -j ACCEPT 
-A INPUT -s 124.115.0.170 -j ACCEPT 
-A INPUT -s 124.115.0.102 -j ACCEPT 
-A INPUT -s 124.115.0.165 -j ACCEPT 
-A INPUT -s 124.115.0.109 -j ACCEPT 
-A INPUT -s 124.115.0.109 -j DROP 
-A INPUT -s 124.115.0.165 -j DROP 
-A INPUT -s 124.115.0.102 -j DROP 
-A INPUT -s 124.115.0.170 -j DROP 
-A INPUT -s 124.115.0.19 -j DROP 
-A INPUT -s 124.115.4.192 -j DROP 
-A INPUT -s 124.115.0.156 -j DROP 
-A INPUT -s 204.15.23.171 -j DROP 
-A INPUT -s 204.15.23.169 -j DROP 
-A INPUT -s 124.115.0.167 -j DROP 
-A INPUT -s 124.115.0.166 -j DROP 
-A INPUT -s 124.115.0.159 -j DROP 
-A INPUT -s 204.15.23.170 -j DROP 
-A INPUT -s 204.15.23.168 -j DROP 
-A INPUT -s 204.15.23.171 -j DROP 
-A INPUT -s 124.115.4.198 -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -d 216.52.2.94 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -d 192.168.7.1 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8822 -j ACCEPT 
-A INPUT -s 216.86.2.151 -i eth0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -s 67.159.1.30 -i eth0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -s 67.159.1.58 -i eth0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -s 216.86.1.9 -i eth0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -s 24.43.1.162 -i eth0 -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -d 192.168.7.0/255.255.255.0 -i tun0 -j ACCEPT 
-A INPUT -d 192.168.7.1 -j ACCEPT 
-A INPUT -s 192.168.7.10 -i eth1 -p udp -m udp --dport 161 -j ACCEPT 
-A INPUT -d 64.94.1.66 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -d 64.94.1.66 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT 
-A FORWARD -d 10.8.0.0/255.255.255.0 -j ACCEPT 
-A FORWARD -d 192.168.7.0/255.255.255.0 -i tun0 -o ! eth0 -j ACCEPT 
-A FORWARD -d 192.168.8.0/255.255.255.0 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 10.7.0.6 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 21,25,53,80,123,443,993 -j ACCEPT 
-A FORWARD -i eth1 -o eth0 -p udp -m multiport --dports 53,123 -j ACCEPT 
-A FORWARD -d 192.168.7.10 -i eth0 -o eth1 -p udp -m multiport --dports 53,123 -j ACCEPT 
-A FORWARD -d 192.168.7.10 -i eth0 -o eth1 -p tcp -m multiport --dports 53,123 -j ACCEPT 
-A FORWARD -s 192.168.7.10 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.7.0/255.255.255.0 -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 192.168.7.10 -i eth0 -o eth1 -p tcp -m multiport --dports 80 -j ACCEPT 
-A FORWARD -s 192.168.7.10 -i eth1 -o eth0 -p tcp -m multiport --dports 80 -j ACCEPT 
-A FORWARD -s 192.168.7.31 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.32 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.33 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.34 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.35 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.37 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.38 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.39 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.40 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.41 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.42 -i eth1 -o eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
-A FORWARD -s 192.168.7.31 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.32 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.33 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.34 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.35 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.37 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.38 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.39 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.40 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.41 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -s 192.168.7.42 -i eth1 -o eth0 -p tcp -m tcp --sport 443 -j ACCEPT 
-A FORWARD -d 192.168.7.42 -i eth0 -o eth1 -p tcp -m multiport --dports 8051 -j ACCEPT 
-A FORWARD -s 192.168.7.42 -i eth1 -o eth0 -p tcp -m multiport --dports 8051 -j ACCEPT 
-A FORWARD -s 192.168.7.42 -i eth1 -o eth0 -p tcp -m tcp --sport 8051 -j ACCEPT 
-A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -s 216.52.2.94 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -s 192.168.7.1 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 192.168.8.0/255.255.255.0 -o tun0 -j ACCEPT 
-A OUTPUT -d 10.7.0.6 -j ACCEPT 
-A OUTPUT -d 192.168.7.10 -o eth1 -p udp -m udp --sport 161 -j ACCEPT 
-A OUTPUT -d 192.168.7.31 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.33 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.34 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.35 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.37 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.38 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.39 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.40 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.41 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.42 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT 
-A OUTPUT -d 192.168.7.31 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.32 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.33 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.34 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.35 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.37 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.38 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.39 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.40 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.41 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.42 -o eth1 -p tcp -m tcp --dport 443 -j ACCEPT 
-A OUTPUT -d 192.168.7.42 -o eth1 -p tcp -m tcp --dport 8051 -j ACCEPT 
COMMIT


> 
> I frequently see SNAT or MASQ rules applied to traffic which should be encrypted.  Since the nat POSTROUTING chain is traversed before the transform policies are applied, such a rule can change the source address to one that does not match the policy before the encryption decision is made.  

One other thing that may be of relevance is the ifconfig output:

eth0      Link encap:Ethernet  HWaddr 00:30:48:98:9e:52  
          inet addr:216.52.2.94  Bcast:216.52.220.255  Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:fe98:9e52/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44520555649 errors:0 dropped:338469 overruns:0 frame:0
          TX packets:37265236099 errors:207719641 dropped:0 overruns:0 carrier:207719641
          collisions:1467685157 txqueuelen:100 
          RX bytes:37316921295553 (33.9 TB)  TX bytes:22785659249038 (20.7 TB)
          Base address:0x2000 Memory:df220000-df240000 

eth0:0    Link encap:Ethernet  HWaddr 00:30:48:98:9e:52  
          inet addr:64.94.1.66  Bcast:64.255.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Base address:0x2000 Memory:df220000-df240000 

eth1      Link encap:Ethernet  HWaddr 00:30:48:98:9e:53  
          inet addr:192.168.7.1  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:fe98:9e53/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:37286222974 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44474591023 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:22547660351325 (20.5 TB)  TX bytes:37168453098959 (33.8 TB)
          Base address:0x2020 Memory:df260000-df280000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:474 errors:0 dropped:0 overruns:0 frame:0
          TX packets:474 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:154248 (150.6 KB)  TX bytes:154248 (150.6 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.7.0.1  P-t-P:10.7.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2798861 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5155073 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:179376992 (171.0 MB)  TX bytes:7241453908 (6.7 GB)

> 
> You can tell this is happening if you capture the packets going out the interface facing your gateway (eth0) destined for the openswan rightsubnet with a source address which is not in the leftsubnet.  In those cases, you can create a rule early in the nat POSTROUTING chain to kick packets with a source/dest pair matching your encryption policy out of the chain (target ACCEPT) before they hit the SNAT/MASQ rules.

Hmm.  My tcpdump / ngrep foo isn't quite up to snuff.  If you have a suggestion as to how to get this info, I would be grateful.

-- Corey / KB1JWQ
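As an added example (not part of the thread or of anyone's posted configuration), the following Python walks a constructed excerpt of the nat POSTROUTING chain shown above for one constructed tunnel-bound packet, reports the source address the IPsec policy would then be shown, and checks whether the ACCEPT bypass Steven describes prevents the rewrite. The chain excerpt, the `BYPASS` rule, the `CAPTURE` filter and `TUNNEL_PKT` are assumptions built from the addresses in the thread; the walker only understands the matches the posted chain actually uses.

```python
import ipaddress
import re

LEFTSUBNET, RIGHTSUBNET = "192.168.7.0/24", "192.168.11.0/24"

# Constructed excerpt of the posted nat POSTROUTING chain (same order and syntax).
POSTROUTING = [
    "-A POSTROUTING -s 192.168.7.42 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.102",
    "-A POSTROUTING -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 64.94.106.68",
    "-A POSTROUTING -s 192.168.7.10 -o eth0 -j SNAT --to-source 64.94.106.65",
    "-A POSTROUTING -o eth0 -j SNAT --to-source 64.94.106.64",
]
# Bypass rule per the advice above; live, it goes first via `iptables -t nat -I POSTROUTING 1 ...`.
BYPASS = "-A POSTROUTING -s %s -d %s -j ACCEPT" % (LEFTSUBNET, RIGHTSUBNET)
# The capture described above: tunnel-bound packets on eth0 whose source is outside leftsubnet.
CAPTURE = "tcpdump -ni eth0 'dst net %s and not src net %s'" % (RIGHTSUBNET, LEFTSUBNET)
# Constructed packet: a leftsubnet host opening HTTPS to a rightsubnet host.
TUNNEL_PKT = {"src": "192.168.7.50", "dst": "192.168.11.20", "out": "eth0", "proto": "tcp", "dport": 443}

def parse_rule(line):
    """One iptables-save line -> {option: value}; options this walker ignores do no harm."""
    return dict(re.findall(r"(-{1,2}[\w-]+) (\S+)", line))

def matches(rule, pkt):
    """Evaluate the matches the posted chain uses: -s, -d, -o, -p and --dport."""
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[opt], strict=False):
            return False
    if rule.get("-o", pkt["out"]) != pkt["out"] or rule.get("-p", pkt["proto"]) != pkt["proto"]:
        return False
    return "--dport" not in rule or int(rule["--dport"]) == pkt.get("dport")

def walk_postrouting(rules, pkt):
    """(verdict, source) after the chain: first matching SNAT rewrites, ACCEPT ends the walk unchanged."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            if rule["-j"] == "ACCEPT":
                return "ACCEPT", pkt["src"]
            if rule["-j"] == "SNAT":
                return "SNAT", rule["--to-source"]
    return "ACCEPT", pkt["src"]  # chain policy ACCEPT: nothing rewritten

def leaves_unencrypted(rules, pkt):
    """True when the packet is bound for rightsubnet but its post-NAT source is outside
    leftsubnet, so the IPsec policy no longer matches and it leaves eth0 in the clear."""
    _, src = walk_postrouting(rules, pkt)
    return (ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(RIGHTSUBNET)
            and ipaddress.ip_address(src) not in ipaddress.ip_network(LEFTSUBNET))
```

With the chain as posted, `walk_postrouting(POSTROUTING, TUNNEL_PKT)` returns `('SNAT', '64.94.106.64')`: the catch-all `-o eth0` rule rewrites the source before the policy is consulted, which is exactly the symptom `CAPTURE` would show. With `[BYPASS] + POSTROUTING` it returns `('ACCEPT', '192.168.7.50')` and `leaves_unencrypted` is False.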
