Re: How to trace IPSec packets?

(The previous message seems to have got smudged. This is a resend.)

Hi,

Hope the question isn’t too basic to be asked here.

I have an IPsec tunnel set up between my machine and a server. All
packets originating from my machine go through that tunnel and then get
forwarded by the server. I'm trying to redirect DNS requests from my
machine to 8.8.8.8 to a DNS forwarder running on the server.

I tried this on the server

iptables -t nat -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp \
    --dport 53 -j DNAT --to-destination 127.0.0.1

But it didn't work. To make sure it wasn't because I hadn't allowed
martian packets or anything, I tried to trace the decrypted packets.

iptables -t raw -I PREROUTING -s $IPSEC_VIRTUAL_IP -d 8.8.8.8 -p udp \
    --dport 53 -j TRACE

But after running dig @8.8.8.8 google.com on my machine, running grep
'TRACE:' /var/log/kern.log on the server returned nothing.

According to this picture:
https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg
after decrypting the IPsec packets, netfilter makes the decrypted
packets go through the IP stack again, and the TRACE target should be
able to catch them.

I wonder whether my mental model is incorrect or I missed something.

Regards,
Glen

On Mon, Jan 29, 2018 at 5:10 PM, Glen Huang <heyhgl@xxxxxxxxx> wrote:
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
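The two things a practitioner would check before concluding that the decrypted packets skip netfilter are (a) whether TRACE has a logging backend at all, and (b) whether the DNAT to 127.0.0.1 is even routable on the receiving interface. The script below is an added example, not code from the original post or from the netfilter project: it wraps those checks, arms a rate-limited TRACE rule for one flow, and parses TRACE lines from kern.log into the hop sequence a packet took. The interface name eth0, the addresses 10.10.0.2 / 8.8.8.8 and the log excerpt are constructed for illustration; the /proc paths and the TRACE line layout ("TRACE: table:chain:verdict:rulenum" followed by the usual nf_log packet dump) are the kernel's.

```shell
#!/bin/sh
# Added example, not code from the original post.  Helpers for the situation
# described above: checking why "-j TRACE" can stay silent, arming it safely,
# and reading the TRACE lines once they appear.  The interface name eth0, the
# addresses and the kern.log excerpt below are constructed for illustration.

# TRACE is emitted through the nf_log framework.  When no logger is bound for
# AF_INET (family index 2 under /proc/sys/net/netfilter/nf_log/), the target
# has nowhere to write and kern.log stays empty.  Returns 0 when a backend
# such as nf_log_ipv4 is active.
nflog_backend_active() {
    backend=$(cat /proc/sys/net/netfilter/nf_log/2 2>/dev/null || echo NONE)
    [ "$backend" != "NONE" ]
}

# A packet DNATed to 127.0.0.1 is only deliverable if the interface it arrived
# on has route_localnet=1; otherwise the routing step after nat:PREROUTING
# drops it as a martian.  Returns 0 when interface $1 has it enabled.
route_localnet_enabled() {
    [ "$(cat "/proc/sys/net/ipv4/conf/$1/route_localnet" 2>/dev/null)" = 1 ]
}

# Arm TRACE for one flow only and rate-limit it: TRACE logs every packet at
# every hook it passes, so an unbounded rule on a busy gateway floods the log.
# Needs root; only run when this script is invoked with --arm.
arm_trace() {   # $1 = client (tunnel) address, $2 = traced destination
    nflog_backend_active || modprobe nf_log_ipv4
    iptables -t raw -I PREROUTING -s "$1" -d "$2" -p udp --dport 53 \
        -m limit --limit 10/min -j TRACE
}

# Print, in order, the hops "table:chain:verdict:rulenum" that one flow took.
# The flow is selected by SRC and SPT rather than DST, because DST changes
# after DNAT and matching on the original destination would hide every hop
# past nat:PREROUTING.  Reads TRACE lines on stdin.
trace_path() {   # $1 = SRC address, $2 = SPT
    awk -v src="$1" -v sport="$2" '
        /TRACE:/ {
            hop = ""; s = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "TRACE:") { hop = $(i + 1) }
                else if (index($i, "SRC=") == 1) { s = substr($i, 5) }
                else if (index($i, "SPT=") == 1) { p = substr($i, 5) }
            }
            if (s == src && p == sport) printf "%s%s", (n++ ? " -> " : ""), hop
        }
        END { if (n) printf "\n" }'
}

# Constructed kern.log excerpt: one DNS query from the tunnel client that hits
# a DNAT rule in nat:PREROUTING (note DST flips to 127.0.0.1 afterwards), plus
# an unrelated SSH SYN that the filter must ignore.
SAMPLE_LOG='Jan 30 10:00:01 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.2 DST=8.8.8.8 LEN=69 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=49
Jan 30 10:00:01 gw kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.2 DST=8.8.8.8 LEN=69 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=49
Jan 30 10:00:01 gw kernel: TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.2 DST=8.8.8.8 LEN=69 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=49
Jan 30 10:00:01 gw kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.2 DST=127.0.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=49
Jan 30 10:00:01 gw kernel: TRACE: filter:INPUT:policy:1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.0.2 DST=127.0.0.1 LEN=69 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=51234 DPT=53 LEN=49
Jan 30 10:00:02 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.7 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

if [ "${1:-}" = "--arm" ]; then
    arm_trace 10.10.0.2 8.8.8.8
else
    # Offline demonstration on the constructed excerpt; with a real log use
    # "grep TRACE: /var/log/kern.log | trace_path <client> <sport>".
    printf '%s\n' "$SAMPLE_LOG" | trace_path 10.10.0.2 51234
fi
```

Reading the output: a path that stops at nat:PREROUTING:rule:1 with no INPUT hops is the signature of the martian drop, i.e. route_localnet is off on the ingress interface. Turning it on makes every service bound to 127.0.0.1 reachable from that interface, so the less exposed fix is to bind the forwarder to the server's tunnel-facing address and DNAT to that address instead. Two further caveats: with the iptables-nft front end (iptables 1.8 and later) TRACE output goes to nfnetlink and is read with "xtables-monitor --trace" rather than from kern.log, and the decrypted inner packet is seen with the physical interface in IN=, not a separate IPsec device, so that is the interface whose sysctls matter.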