Hello.

Check the full ruleset (iptables-save -c). If you don't find the issue, use the TRACE target for packets from the internal LAN Asterisk server. Also, you can ask for help on the #netfilter IRC channel at freenode.

2015-04-27 8:03 GMT+03:00 Matthew Smith <gizmosmith@xxxxxxxxx>:
> I have a 192.168.1.14 host behind a linux firewall with ip
> 192.168.1.1. The interface of the firewall facing the internet is
> "em1" and the private interface is "p1p1"
> I've enabled "masquerading" via SNAT for the whole 192.168.1/24 subnet
> with the following iptables rules:
>
> -t nat -A POSTROUTING -s 192.168.1/24 -o em1 -j SNAT --to (MY_PUBLIC_IP)
> -A FORWARD -i em1 -o p1p1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i p1p1 -o em1 -j ACCEPT
>
> This works fine as all hosts in the 192.168.1/24 subnet can get out to
> the internet just fine.
>
> I opened a port forward up to an asterisk server inside the subnet to
> allow a remote asterisk server to connect to my asterisk server
> inside:
>
> $IPT -t nat -A PREROUTING -i em1 -s (REMOTE_ASTERISK_SERVER_IP) -d
> (MY_PUBLIC_IP) -p udp --dport 4569 -j DNAT --to-destination
> (PRIVATE_INTERNAL_ASTERISK_IP)
> $IPT -A FORWARD -s (REMOTE_ASTERISK_SERVER_IP) -p udp --dport 4569 -j ACCEPT
>
> So, the remote asterisk server can connect in just fine. Packets
> coming from it to my asterisk server are handled perfectly according
> to tcpdump. The trouble is my internal asterisk server can't get out
> port 4569. If it tries to send a packet to REMOTE_ASTERISK_SERVER_IP
> it gets reflected back from interface p1p1 on the firewall. The
> packet doesn't even make it to em1 of the firewall.
>
> Here's the header of the packet leaving the asterisk server:
> Source: (PRIVATE_INTERNAL_ASTERISK_IP)
> Destination: (REMOTE_ASTERISK_SERVER_IP)
>
> This packet hits p1p1 and is immediately returned back to the internal
> asterisk server with the following header:
> Source: (MY_PUBLIC_IP)
> Destination: (PRIVATE_INTERNAL_ASTERISK_IP)
>
> So, both addresses are changed and the packet never gets past the
> firewall. Any reason why this happens?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.
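The reply above recommends reading the full ruleset with `iptables-save -c`; the per-rule packet/byte counters it prints show which NAT and FORWARD rules a UDP 4569 flow is actually hitting (and which ones never match). The script below is an added example, not code from the thread or from the netfilter project: it parses a constructed `iptables-save -c` dump built from the rules quoted in the question, with the placeholder addresses replaced by RFC 5737 documentation IPs, and reports the rules that reference port 4569 along with any rule whose counters are still at zero.

```python
import re

# Constructed sample of `iptables-save -c` output (not taken from the thread).
# It mirrors the quoted rules; 203.0.113.5 stands in for the remote Asterisk
# server and 198.51.100.2 for the firewall's public address.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [120:9000]
:POSTROUTING ACCEPT [40:3000]
[17:1360] -A PREROUTING -i em1 -s 203.0.113.5/32 -d 198.51.100.2/32 -p udp -m udp --dport 4569 -j DNAT --to-destination 192.168.1.14
[0:0] -A POSTROUTING -s 192.168.1.0/24 -o em1 -j SNAT --to-source 198.51.100.2
COMMIT
*filter
:FORWARD DROP [3:240]
[17:1360] -A FORWARD -s 203.0.113.5/32 -p udp -m udp --dport 4569 -j ACCEPT
[900:72000] -A FORWARD -i em1 -o p1p1 -m state --state RELATED,ESTABLISHED -j ACCEPT
[450:36000] -A FORWARD -i p1p1 -o em1 -j ACCEPT
COMMIT
"""

# iptables-save -c prefixes every rule with its [packets:bytes] counters.
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")

def parse_rules(text):
    """Return (table, chain, packets, bytes, rule_body) for each rule line."""
    table, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):          # "*nat", "*filter": table header
            table = line[1:]
            continue
        m = RULE_RE.match(line)           # policy lines (":CHAIN ...") and COMMIT are skipped
        if m and table:
            pkts, byts, chain, body = m.groups()
            rules.append((table, chain, int(pkts), int(byts), body))
    return rules

def rules_touching_port(text, port):
    """Rules whose match includes --dport/--sport <port>, with their counters."""
    needle = re.compile(r"--(?:dport|sport) %d\b" % port)
    return [r for r in parse_rules(text) if needle.search(r[4])]

def zero_hit_rules(text):
    """Rules that have never matched: a NAT rule stuck at [0:0] while the
    flow is clearly being translated points at a different rule or conntrack."""
    return [r for r in parse_rules(text) if r[2] == 0]

if __name__ == "__main__":
    for t, c, p, b, body in rules_touching_port(SAMPLE, 4569):
        print(f"{t}/{c} pkts={p} bytes={b} :: {body}")
    for t, c, p, b, body in zero_hit_rules(SAMPLE):
        print(f"never matched: {t}/{c} :: {body}")
```

Run it against a real dump by replacing SAMPLE with the output of `iptables-save -c` captured while the internal server is sending to port 4569.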