> ----- Original Message -----
> From: "Andrew Beverley" <andy@xxxxxxxxxxx>
> To: ehuerta@xxxxxxx
> CC: netfilter@xxxxxxxxxxxxxxx
> Sent: Saturday, 4 February 2012 13:58:32
> Subject: Re: iptables udp 1195 MASQUERADE
>
> On Tue, 2012-01-24 at 17:34 -0600, Enrique Huerta de la Fuente wrote:
>> Hello
>>
>> I have OpenVPN (lan to lan)
>>
>> On site 1 (4 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - eth3 (internet link)
>> - ppp0 (internet link)
>> - Default gateway eth1
>>
>> On site 2 (3 links)
>> - eth0 (LAN)
>> - eth1 (internet link)
>> - ppp0 (internet link)
>> - Default gateway ppp0
>>
>> The eth3 interface (site 1) and the eth1 interface (site 2) are the
>> same supplier, the same mask.
>>
>> The VPN works with eth3 (site 1) <---> eth1 (site 2) and it works
>> great. We do not have to go over a gateway because they are the same
>> provider and it does not require the gateway.
>>
>> But if any of the VPN links (eth3 or eth1) fails, we need to change
>> the VPN links to ppp0 (site 1) <-----> ppp0 (site 2).
>>
>> Here's the problem!
>>
>> At site 1, the UDP packets should go out by ppp0 (the default gateway
>> is eth1). To do this:
>>
>> # iptables -t nat -I POSTROUTING -p udp -m udp --dport 1195 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -p udp -m udp --dport 1195 -j MARK --set-mark 1
>
> Are you sure you've got this rule correct? Have you tried doing a LOG
> target to check that it is matching the packets that you would expect?
>
>>
>> So these are the paths:
>>
>> # ip rule ls
>> 0:      from all lookup 255
>> 32757:  from all fwmark 0x1 lookup infinitum
>> 32758:  from 189.143.36.36 lookup infinitum
>> 32759:  from 38.124.170.15 lookup bbs
>> 32766:  from all lookup main
>>
>> # ip route ls table infinitum
>> default via 189.143.36.36 dev ppp0
>>
>>
>> The problem is that no packets arrive from site 1 to site 2. The
>> UDP packets arrive at site 1 from site 2.
>>
>> I tested with port 22 (ssh) and it works.
>>
>> # iptables -t nat -I POSTROUTING -m tcp -p tcp --dport 22 -o ppp0 -j MASQUERADE
>> # iptables -t mangle -I OUTPUT -m tcp -p tcp --dport 22 -j MARK --set-mark 1
>>
>>
>> Any idea why no UDP packets arrive at site 2?
>>
>> regards
>>
>> E.Huerta
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html

Hello Andrew, thank you for the attention.

I added a LOG target to check the rule in each of the OUTPUT hooks (raw, mangle, nat and filter) and POSTROUTING hooks (mangle and nat).

kernel: OUTPUT-22-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=17619 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284
kernel: OUTPUT-22-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=18917 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-MANGLE: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=416 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=396
kernel: OUTPUT-22-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19177 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: OUTPUT-1195-FILTER: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=108
kernel: POSTROUTING-22-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=19543 DF PROTO=TCP SPT=47664 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140

In the OUTPUT and POSTROUTING hooks of the nat table, I cannot log. In the last log, the output interface has already changed, but the source address did not change.

Applying the rule "iptables -t nat -I POSTROUTING -o ppp0 -j MASQUERADE" masks port 22 (tcp) but not 1195 (udp), because I can connect via ssh. It seems the problem is that it does not mask port 1195 (udp).

Any idea?

regards

E.Huerta
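An added example, not part of this thread and not Enrique's or Andrew's configuration: a small POSIX shell script that classifies netfilter LOG lines in the format printed above, flagging a packet that left via ppp0 while still carrying the eth1 source address (the symptom in the last POSTROUTING log line), and prints the set of commands the example would use for the failover. The eth1 address is taken from the quoted logs; the ppp0 local address, the sample lines and the conntrack flush at the end are the example's own assumptions. The conntrack line rests on a general netfilter fact rather than on anything stated in the thread: the NAT decision for a flow is taken on its first packet and stored in the flow's conntrack entry, and later packets of that flow do not traverse the nat table at all (which is also why only the first packet of a flow can be logged there), so a UDP 1195 flow that started on eth1 keeps its "no NAT" decision until its entry is removed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies netfilter LOG lines to spot
# a packet that the fwmark rule rerouted to ppp0 but that still carries the
# source address picked for the original eth1 route, i.e. no SNAT happened.

ETH1_ADDR="201.15.40.9"     # source seen on eth1 in the quoted log lines
PPP_LOCAL="198.51.100.7"    # ASSUMED ppp0 local address (placeholder, not from the thread)

# log_field LINE KEY -> value of the first KEY= token in a LOG line
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# classify_log LINE -> one of:
#   not-rerouted       packet still leaving via eth1 (mark/rule not applied yet)
#   rerouted-no-snat   leaving via ppp0 with the eth1 source (the symptom)
#   rerouted-snat      leaving via ppp0 with the ppp0 source (what MASQUERADE should give)
#   rerouted-other-src leaving via ppp0 with some other source
classify_log() {
    out=$(log_field "$1" OUT)
    src=$(log_field "$1" SRC)
    case "$out:$src" in
        ppp0:"$ETH1_ADDR") echo rerouted-no-snat ;;
        ppp0:"$PPP_LOCAL") echo rerouted-snat ;;
        ppp0:*)            echo rerouted-other-src ;;
        *)                 echo not-rerouted ;;
    esac
}

# summarize: read LOG lines on stdin, print "<log-prefix> <verdict>" per line,
# so you can see at which hook the output interface changed.
summarize() {
    while IFS= read -r line; do
        line=${line#kernel: }
        prefix=${line%%:*}
        echo "$prefix $(classify_log "$line")"
    done
}

# failover_commands: print (do not run) the rules that move UDP/1195 to ppp0.
# The conntrack deletion is this example's own suggestion: NAT is decided on
# the first packet of a flow and cached in its conntrack entry, so an existing
# UDP 1195 flow that began on eth1 is never re-evaluated by nat POSTROUTING
# until that entry is dropped. (Requires the conntrack-tools package.)
failover_commands() {
    cat <<'EOF'
iptables -t mangle -I OUTPUT -p udp --dport 1195 -j MARK --set-mark 1
iptables -t nat -I POSTROUTING -o ppp0 -p udp --dport 1195 -j MASQUERADE
ip rule add fwmark 1 lookup infinitum
conntrack -D -p udp --dport 1195
EOF
}

# Constructed sample lines, copied from the quoted log output above.
SAMPLE_OUTPUT_LINE='kernel: OUTPUT-1195-RAW: IN= OUT=eth1 SRC=201.15.40.9 DST=189.189.5.2 LEN=304 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=284'
SAMPLE_POSTROUTING_LINE='kernel: POSTROUTING-1195-MANGLE: IN= OUT=ppp0 SRC=201.15.40.9 DST=189.189.5.2 LEN=160 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1195 DPT=1195 LEN=140'

printf '%s\n%s\n' "$SAMPLE_OUTPUT_LINE" "$SAMPLE_POSTROUTING_LINE" | summarize
echo "--- commands the example would apply on site 1 ---"
failover_commands
```

Run it as `sh script.sh`, or pipe real `dmesg` output through `summarize` after loading the script with `. ./script.sh`. The first sample line classifies as `not-rerouted` (OUTPUT still chose eth1) and the second as `rerouted-no-snat` (POSTROUTING sees ppp0 with the eth1 address), which is the pattern to look for; a line reporting `rerouted-snat` means MASQUERADE did rewrite the source. The printed commands are only echoed; apply them by hand on the router once the addresses match your setup.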