Hi,

I follow a ping through my gateway with LOG commands at the end of each chain. Receiving an echo request on eth1 and forwarding it encrypted to a gateway on eth0 works as expected:

(Although nat_OUTPUT is missing between steps 9 and 10 and nat_POSTROUTING is missing after step 11 compared to http://inai.de/images/nf-packet-flow.png, I expect this to be correct, as I do not use nat.)

1.  May 19 18:58:11 vpn-a kernel: [ 4396.217687] raw_PREROUTING: IN=eth1 OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1
2.  May 19 18:58:11 vpn-a kernel: [ 4396.217702] mangle_PREROUTING: IN=eth1 OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1
3.  May 19 18:58:11 vpn-a kernel: [ 4396.217710] nat_PREROUTING: IN=eth1 OUT= MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1
4.  May 19 18:58:11 vpn-a kernel: [ 4396.217725] mangle_FORWARD: IN=eth1 OUT=eth0 MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1
5.  May 19 18:58:11 vpn-a kernel: [ 4396.217732] filter_FORWARD: IN=eth1 OUT=eth0 MAC=00:16:3e:0f:01:01:00:16:3e:0f:03:00:08:00 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1
6.  May 19 18:58:11 vpn-a kernel: [ 4396.217739] mangle_POSTROUTING: IN= OUT=eth0 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1
7.  May 19 18:58:11 vpn-a kernel: [ 4396.217744] nat_POSTROUTING: IN= OUT=eth0 SRC=10.1.1.2 DST=10.2.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=41230 SEQ=1 MARK=0x1
8.  May 19 18:58:11 vpn-a kernel: [ 4396.217769] raw_OUTPUT: IN= OUT=eth0 SRC=10.5.0.1 DST=10.5.0.2 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ESP SPI=0xc509ff52 MARK=0x1
9.  May 19 18:58:11 vpn-a kernel: [ 4396.217776] mangle_OUTPUT: IN= OUT=eth0 SRC=10.5.0.1 DST=10.5.0.2 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ESP SPI=0xc509ff52 MARK=0x1
10. May 19 18:58:11 vpn-a kernel: [ 4396.217781] filter_OUTPUT: IN= OUT=eth0 SRC=10.5.0.1 DST=10.5.0.2 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ESP SPI=0xc509ff52 MARK=0x1
11. May 19 18:58:11 vpn-a kernel: [ 4396.217786] mangle_POSTROUTING: IN= OUT=eth0 SRC=10.5.0.1 DST=10.5.0.2 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ESP SPI=0xc509ff52 MARK=0x1

Receiving the encrypted echo reply on eth0 and decrypting it works as well, but it does not get forwarded as expected:

(nat_PREROUTING is missing between steps 2 and 3 compared to http://inai.de/images/nf-packet-flow.png, but again, I don't use nat, so I think this is correct.)

1.  May 19 18:58:11 vpn-a kernel: [ 4396.218074] raw_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=5897 PROTO=ESP SPI=0xc0321da6
2.  May 19 18:58:11 vpn-a kernel: [ 4396.218082] mangle_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=5897 PROTO=ESP SPI=0xc0321da6 MARK=0x1
3.  May 19 18:58:11 vpn-a kernel: [ 4396.218090] mangle_INPUT: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=5897 PROTO=ESP SPI=0xc0321da6 MARK=0x1
4.  May 19 18:58:11 vpn-a kernel: [ 4396.218097] filter_INPUT: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=5897 PROTO=ESP SPI=0xc0321da6 MARK=0x1
5.  May 19 18:58:11 vpn-a kernel: [ 4396.218120] raw_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.2.1.2 DST=10.1.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60912 PROTO=ICMP TYPE=0 CODE=0 ID=41230 SEQ=1
6.  May 19 18:58:11 vpn-a kernel: [ 4396.218129] mangle_PREROUTING: IN=eth0 OUT= MAC=00:16:3e:0f:01:00:00:16:3e:0f:02:00:08:00 SRC=10.2.1.2 DST=10.1.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60912 PROTO=ICMP TYPE=0 CODE=0 ID=41230 SEQ=1

But that's all. It never reaches mangle_FORWARD as expected. My setup is below. I don't understand why that packet does not get routed... Can someone here tell me why?

Best regards,
Steffen

# ip rule list
0:      from all lookup local
1:      from all fwmark 0x1 lookup 100
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

# ip route list table 100
default via 10.5.0.2 dev eth0 proto static src 10.1.1.1

# ip route list table 220
(empty)

# ip route list
default via 192.168.178.100 dev eth3
10.1.1.0/24 dev eth1 proto kernel scope link src 10.1.1.1
10.1.2.0/24 dev eth2 proto kernel scope link src 10.1.2.1
10.5.0.0/24 dev eth0 proto kernel scope link src 10.5.0.1
192.168.178.0/24 dev eth3 proto kernel scope link src 192.168.178.1

iptables (all chains ACCEPT) has only these rules (except for logging at the end):

-t raw -A PREROUTING -j MARK --set-xmark 0x0/0xffffffff
-t mangle -A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-t mangle -A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff

# ip x s
src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc509ff52 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xfb8cd76020e5bd6e78134961052af497cfbe819e 96
        enc cbc(aes) 0xbd46ce27cadc3f34930c39bd9abd5eb1
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xc0321da6 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xebda4251938915491005779d63e31f4d0a42c34a 96
        enc cbc(aes) 0x48611761f98b6f260ce6db52923bd183

# ip x p
src 10.2.1.0/24 dst 10.1.1.0/24
        dir fwd priority 1859
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp reqid 1 mode tunnel
src 10.2.1.0/24 dst 10.1.1.0/24
        dir in priority 1859
        mark 1/0xffffffff
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp reqid 1 mode tunnel
src 10.1.1.0/24 dst 10.2.1.0/24
        dir out priority 1859
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2
                proto esp reqid 1 mode tunnel
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
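One thing the two traces show when read side by side: the decrypted reply (steps 5 and 6 of the second trace) is logged without a MARK= field, i.e. with mark 0 after the raw PREROUTING rule above resets it, while the `dir fwd` policy in the `ip x p` output carries `mark 1/0xffffffff`. The small tracer below, added here as an example and not part of the original mail, parses exactly this LOG format, groups lines per flow and reports the last chain and mark each flow was seen with, so the point where a flow vanishes is visible at a glance; it assumes the mark mismatch is what the xfrm policy check rejects, which the XfrmInNoPols counter in /proc/net/xfrm_stat would confirm or refute.

```python
import re
from collections import OrderedDict

# Sample input: four LOG lines from the mail above (ESP carrier, then the decrypted
# echo reply), with the MAC= field trimmed. Any netfilter LOG output in this format works.
SAMPLE_LOG = """\
May 19 18:58:11 vpn-a kernel: [ 4396.218082] mangle_PREROUTING: IN=eth0 OUT= SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=5897 PROTO=ESP SPI=0xc0321da6 MARK=0x1
May 19 18:58:11 vpn-a kernel: [ 4396.218097] filter_INPUT: IN=eth0 OUT= SRC=10.5.0.2 DST=10.5.0.1 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=5897 PROTO=ESP SPI=0xc0321da6 MARK=0x1
May 19 18:58:11 vpn-a kernel: [ 4396.218120] raw_PREROUTING: IN=eth0 OUT= SRC=10.2.1.2 DST=10.1.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60912 PROTO=ICMP TYPE=0 CODE=0 ID=41230 SEQ=1
May 19 18:58:11 vpn-a kernel: [ 4396.218129] mangle_PREROUTING: IN=eth0 OUT= SRC=10.2.1.2 DST=10.1.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60912 PROTO=ICMP TYPE=0 CODE=0 ID=41230 SEQ=1
"""

LINE_RE = re.compile(r"\]\s+(?P<chain>[A-Za-z_]+):\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_line(line):
    """Return {chain, FIELD: value, ...} for one LOG line, or None if it is not one.
    ICMP lines carry two ID= fields (IP header id, then ICMP echo id); keep both."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec, ids = {"chain": m.group("chain")}, []
    for key, val in FIELD_RE.findall(m.group("fields")):
        if key == "ID":
            ids.append(val)
        else:
            rec[key] = val
    rec["IP_ID"], rec["ICMP_ID"] = (ids + [None, None])[:2]
    return rec

def flow_key(rec):
    """Identify a flow: ESP by SPI, everything else by addresses, proto, echo id and seq."""
    if rec.get("PROTO") == "ESP":
        return (rec["SRC"], rec["DST"], "ESP", rec.get("SPI"))
    return (rec["SRC"], rec["DST"], rec.get("PROTO"), rec.get("ICMP_ID"), rec.get("SEQ"))

def trace_flows(log_text):
    """Group LOG lines per flow, in log order: {flow: [(chain, mark), ...]}."""
    flows = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            mark = int(rec.get("MARK", "0x0"), 16)  # no MARK= field means mark 0
            flows.setdefault(flow_key(rec), []).append((rec["chain"], mark))
    return flows

def last_seen(flows):
    """For each flow: the last chain it was logged in and the mark it carried there."""
    return {key: hops[-1] for key, hops in flows.items()}
```

Run `last_seen(trace_flows(SAMPLE_LOG))` on the mail's traces and the decrypted reply ends at mangle_PREROUTING with mark 0, while the ESP packet ends at filter_INPUT with mark 1.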