Hallo Marek.

> sudo iptables-save

# Generated by iptables-save v1.4.10 on Wed Oct 19 17:38:46 2011
*nat
:PREROUTING ACCEPT [13:2491]
:INPUT ACCEPT [9:1123]
:OUTPUT ACCEPT [165:10279]
:POSTROUTING ACCEPT [12:856]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 19 17:38:46 2011
# Generated by iptables-save v1.4.10 on Wed Oct 19 17:38:46 2011
*filter
:INPUT ACCEPT [6527:2777093]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4648:340419]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Oct 19 17:38:46 2011

> ... and describe your test scenario (interfaces, hosts).

My Ubuntu box plays the role of a simple router. It has 2 interfaces, eth0 (public) and eth1 (private):

eth0      Link encap:Ethernet  HWaddr 00:18:8b:04:8a:13
          inet addr:89.73.128.70  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
          RX packets:8535 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4873 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3044029 (3.0 MB)  TX bytes:448928 (448.9 KB)
          Interrupt:16

eth1      Link encap:Ethernet  HWaddr 00:02:b3:8c:dc:e7
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Behind the NAT, there is one machine. My test traffic is the following command:

$ wget http://www.bmw.com/index.html

a) issued first from the router Ubuntu box - works fine.
b) issued from the machine behind the firewall - I use wireshark/tcpdump to listen to the traffic on the public (eth0) interface.

Problem: wget from a) works fine; wget from b) does not work - packets starting from the server response are not noticed by tcpdump/wireshark. Looks like wget tries to re-init retrieval.

prompt# date; tcpdump -n -s 1500 -i eth0 tcp port 80; date
Wed Oct 19 18:17:50 CEST 2011
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
18:17:53.946254 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [S], seq 2077949812, win 5840, options [mss 1460,sackOK,TS val 101837 ecr 0,nop,wscale 6], length 0
18:17:53.982730 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [S.], seq 1195734941, ack 2077949813, win 5792, options [mss 1460,sackOK,TS val 2525069182 ecr 101837,nop,wscale 5], length 0
18:17:53.982916 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [.], ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 0
18:17:53.983035 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [P.], seq 1:120, ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 119
18:17:54.018370 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [.], ack 120, win 181, options [nop,nop,TS val 2525069217 ecr 101847], length 0
18:19:35.590503 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [S], seq 1640370690, win 5360, options [mss 536,sackOK,TS val 639285 ecr 0,nop,wscale 4], length 0
18:19:35.643811 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [S.], seq 2165280073, ack 1640370691, win 5672, options [mss 1430,sackOK,TS val 1751780339 ecr 639285,nop,wscale 6], length 0
18:19:35.643879 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 0
18:19:35.644320 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [P.], seq 1:503, ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 502
18:19:35.699378 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751780395 ecr 639298], length 0
18:19:35.706906 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], seq 1:525, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 524
18:19:35.706944 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 525, win 401, options [nop,nop,TS val 639314 ecr 1751780402], length 0
18:19:35.706960 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [P.], seq 525:587, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 62
18:19:35.706983 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 639314 ecr 1751780402], length 0
18:19:35.771173 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [S], seq 287381426, win 5360, options [mss 536,sackOK,TS val 639330 ecr 0,nop,wscale 4], length 0
18:19:35.924358 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [S.], seq 1848400106, ack 287381427, win 5792, options [mss 1460,sackOK,TS val 2257618069 ecr 639330,nop,wscale 9], length 0
18:19:35.924434 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 1, win 335, options [nop,nop,TS val 639368 ecr 2257618069], length 0
18:19:35.924761 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [P.], seq 1:441, ack 1, win 335, options [nop,nop,TS val 639368 ecr 2257618069], length 440
18:19:36.079514 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [.], ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368], length 0
18:19:36.080648 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [P.], seq 1:462, ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368], length 461
18:19:36.080680 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 462, win 401, options [nop,nop,TS val 639407 ecr 2257618108], length 0
18:19:36.080708 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [P.], seq 462:695, ack 441, win 14, options [nop,nop,TS val 2257618108 ecr 639368], length 233
18:19:36.080729 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 695, win 466, options [nop,nop,TS val 639407 ecr 2257618108], length 0
18:19:50.825213 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [F.], seq 695, ack 441, win 14, options [nop,nop,TS val 2257621795 ecr 639407], length 0
18:19:50.861633 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [.], ack 696, win 466, options [nop,nop,TS val 643103 ecr 2257621795], length 0
18:19:55.536728 IP 89.73.128.70.41428 > 74.208.145.163.80: Flags [F.], seq 441, ack 696, win 466, options [nop,nop,TS val 644271 ecr 2257621795], length 0
18:19:55.692496 IP 74.208.145.163.80 > 89.73.128.70.41428: Flags [.], ack 442, win 14, options [nop,nop,TS val 2257623011 ecr 644271], length 0
18:20:20.705622 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 650564 ecr 1751780402], length 0
18:20:20.772481 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751825467 ecr 639314], length 0
18:21:05.769622 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 661830 ecr 1751825467], length 0
18:21:05.818528 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751870511 ecr 639314], length 0
18:21:50.817628 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [.], ack 587, win 401, options [nop,nop,TS val 673092 ecr 1751870511], length 0
18:21:50.871390 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], ack 503, win 105, options [nop,nop,TS val 1751915564 ecr 639314], length 0
^C
33 packets captured
33 packets received by filter
0 packets dropped by kernel
Wed Oct 19 18:21:56 CEST 2011

best regards,
Pawel
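An added example, not code from Pawel's mail or from the netfilter project: a small Python parser for the `tcpdump -n` line format shown above that groups packets into connections, counts payload bytes per direction and records the MSS from each client SYN, so connections that carried a request but had no server payload captured on eth0 can be listed. The sample input is a constructed subset of the capture lines above; the function and field names are my own.

```python
import re
from collections import OrderedDict

LINE_RE = re.compile(  # one packet line of `tcpdump -n` TCP output, as in the capture above
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*?)length (?P<len>\d+)$")
MSS_RE = re.compile(r"mss (\d+)")

# Constructed sample: a subset of the capture lines quoted in the mail above.
SAMPLE = """\
18:17:53.946254 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [S], seq 2077949812, win 5840, options [mss 1460,sackOK,TS val 101837 ecr 0,nop,wscale 6], length 0
18:17:53.982730 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [S.], seq 1195734941, ack 2077949813, win 5792, options [mss 1460,sackOK,TS val 2525069182 ecr 101837,nop,wscale 5], length 0
18:17:53.983035 IP 89.73.128.70.51172 > 92.122.50.33.80: Flags [P.], seq 1:120, ack 1, win 92, options [nop,nop,TS val 101847 ecr 2525069182], length 119
18:17:54.018370 IP 92.122.50.33.80 > 89.73.128.70.51172: Flags [.], ack 120, win 181, options [nop,nop,TS val 2525069217 ecr 101847], length 0
18:19:35.590503 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [S], seq 1640370690, win 5360, options [mss 536,sackOK,TS val 639285 ecr 0,nop,wscale 4], length 0
18:19:35.643811 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [S.], seq 2165280073, ack 1640370691, win 5672, options [mss 1430,sackOK,TS val 1751780339 ecr 639285,nop,wscale 6], length 0
18:19:35.644320 IP 89.73.128.70.41039 > 74.125.79.101.80: Flags [P.], seq 1:503, ack 1, win 335, options [nop,nop,TS val 639298 ecr 1751780339], length 502
18:19:35.706906 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [.], seq 1:525, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 524
18:19:35.706960 IP 74.125.79.101.80 > 89.73.128.70.41039: Flags [P.], seq 525:587, ack 503, win 105, options [nop,nop,TS val 1751780402 ecr 639298], length 62
"""

def parse_lines(text):
    """Yield one dict per packet line; banner and summary lines do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield dict(m.groupdict(), len=int(m["len"]))

def summarize_flows(text):
    """Group packets by connection; the sender of the first packet seen (the SYN) is the client."""
    flows = OrderedDict()
    for p in parse_lines(text):
        a, b = f'{p["src"]}:{p["sport"]}', f'{p["dst"]}:{p["dport"]}'
        key = (b, a) if (b, a) in flows else (a, b)
        f = flows.setdefault(key, {"client_bytes": 0, "server_bytes": 0, "client_mss": None, "pkts": 0})
        f["pkts"] += 1
        if a == key[0]:                      # sent by the client
            f["client_bytes"] += p["len"]
            if p["flags"] == "S":            # MSS advertised in the client's SYN
                mss = MSS_RE.search(p["rest"])
                f["client_mss"] = int(mss.group(1)) if mss else None
        else:
            f["server_bytes"] += p["len"]
    return flows

def flows_without_response(flows):
    """Connections where the client sent a request but no server payload was captured."""
    return [k for k, f in flows.items() if f["client_bytes"] > 0 and f["server_bytes"] == 0]
```

Run it on a saved capture with `summarize_flows(open("capture.txt").read())`; because MASQUERADE rewrites the LAN host's packets to the router's eth0 address, connections from behind the NAT are distinguishable on eth0 only by source port, which is why the flow key carries the port.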