SNATing w/o SNAT rule

Hello.

host (10.11.110.67) -> gw (10.11.110.224) -> world (95.26.248.143)


From host:

$ ping -n world
PING world (95.26.248.143) 56(84) bytes of data.
64 bytes from 95.26.248.143: icmp_req=1 ttl=53 time=64.1 ms
64 bytes from 95.26.248.143: icmp_req=2 ttl=53 time=63.7 ms
64 bytes from 95.26.248.143: icmp_req=3 ttl=53 time=65.2 ms



From world:

# tcpdump -i ppp0 icmp
16:10:21.285647 IP 1.1.1.7 > 95.26.248.143: ICMP echo request, id 17110, seq 1, length 64
16:10:21.285730 IP 95.26.248.143 > 1.1.1.7: ICMP echo reply, id 17110, seq 1, length 64
16:10:22.286347 IP 1.1.1.7 > 95.26.248.143: ICMP echo request, id 17110, seq 2, length 64
16:10:22.286402 IP 95.26.248.143 > 1.1.1.7: ICMP echo reply, id 17110, seq 2, length 64
16:10:23.287056 IP 1.1.1.7 > 95.26.248.143: ICMP echo request, id 17110, seq 3, length 64
16:10:23.287097 IP 95.26.248.143 > 1.1.1.7: ICMP echo reply, id 17110, seq 3, length 64



But all SNAT rules on gw:

$ iptables -n -L -t nat -v --line-number | grep 1.1.1.7
15       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            1.1.1.7        tcp dpt:443 /* Port forwarding */ to:10.11.110.27
16       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            1.1.1.7        tcp dpt:6661 /* Port forwarding */ to:10.11.110.87
17       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            1.1.1.7        tcp dpt:3390 /* Port forwarding */ to:10.11.119.200
20       0     0 DNAT       tcp  --  *      *       0.0.0.0/0            1.1.1.7        tcp dpt:3389 /* Port forwarding */ to:10.11.110.248
3      187 11220 SNAT       all  --  *      *       10.11.110.14         0.0.0.0/0            to:1.1.1.7
4        0     0 SNAT       all  --  *      *       10.11.110.9          0.0.0.0/0            to:1.1.1.7
5      864 78615 SNAT       all  --  *      *       10.11.110.111        0.0.0.0/0            to:1.1.1.7
6        1    76 SNAT       all  --  *      *       10.11.110.26         0.0.0.0/0            to:1.1.1.7
7        0     0 SNAT       all  --  *      *       10.11.110.170        0.0.0.0/0            to:1.1.1.7
8        0     0 SNAT       all  --  *      *       10.11.110.6          0.0.0.0/0            to:1.1.1.7
9        0     0 SNAT       all  --  *      *       10.11.110.107        0.0.0.0/0            to:1.1.1.7
26       0     0 SNAT       all  --  *      *       10.11.110.57         0.0.0.0/0            to:1.1.1.7
27       0     0 SNAT       all  --  *      *       10.11.110.87         0.0.0.0/0            to:1.1.1.7
30       0     0 SNAT       all  --  *      *       10.11.110.248        0.0.0.0/0            to:1.1.1.7
31       0     0 SNAT       all  --  *      *       10.11.119.200        0.0.0.0/0            to:1.1.1.7
32       0     0 SNAT       all  --  *      *       10.11.110.27         0.0.0.0/0            to:1.1.1.7
37      75  4940 SNAT       all  --  *      *       10.11.108.251        0.0.0.0/0            to:1.1.1.7

This is strange, because a rule for host(10.11.110.67) isn't present.

And on gw:

$ iptables-save | grep -i masquerade
$

Why does 10.11.110.67 change to 1.1.1.7?




