POSTROUTING doesn't apply on all outgoing packets


 



  -----        -----
-| rt2 | --- | rt1 |- 
  -----        -----

Two routers with iptables. Packets come to rt1 from the (right) network 172.21.16.0/20, destined to 10.232.0.0/13, which is accessible through rt2.
rt1:
:
iptables -t nat -A POSTROUTING -s  172.21.16.0/20 -d 10.232.0.0/13 -j SNAT --to 172.21.112.1
:

All works fine with good performance, but I cannot explain the existence of a few packets on rt2 related to source address 172.21.25.23. This address should be SNATed to 172.21.112.1 - in most packets it is, but not in all!!!
Log from rt2, all packets come originally from 172.21.25.23:
:
2020-05-12T21:13:20.202352+02:00 v1115 kernel: [8213054.473363] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2815 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK URGP=0
2020-05-12T21:14:00.082258+02:00 v1115 kernel: [8213094.351265] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=52 TOS=0x02 PREC=0x00 TTL=126 ID=2816 DF PROTO=TCP SPT=55121 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
2020-05-12T21:14:00.102522+02:00 v1115 kernel: [8213094.371619] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2817 DF PROTO=TCP SPT=55121 DPT=80 WINDOW=1026 RES=0x00 ACK URGP=0
2020-05-12T21:14:00.104962+02:00 v1115 kernel: [8213094.371706] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=364 TOS=0x00 PREC=0x00 TTL=126 ID=2818 DF PROTO=TCP SPT=55121 DPT=80 WINDOW=1026 RES=0x00 ACK PSH URGP=0
2020-05-12T21:14:00.188715+02:00 v1115 kernel: [8213094.457782] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2819 DF PROTO=TCP SPT=55121 DPT=80 WINDOW=1025 RES=0x00 ACK URGP=0
2020-05-12T21:14:20.125341+02:00 v1115 kernel: [8213114.393465] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2820 DF PROTO=TCP SPT=55121 DPT=80 WINDOW=1025 RES=0x00 ACK URGP=0
2020-05-12T21:14:22.894501+02:00 v1115 kernel: [8213117.162475] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2821 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:22.900959+02:00 v1115 kernel: [8213117.167461] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2822 DF PROTO=TCP SPT=55121 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:23.191443+02:00 v1115 kernel: [8213117.459406] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2823 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:23.800889+02:00 v1115 kernel: [8213118.068807] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2824 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:25.004095+02:00 v1115 kernel: [8213119.271983] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2825 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:27.410380+02:00 v1115 kernel: [8213121.678145] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2826 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:32.223134+02:00 v1115 kernel: [8213126.490674] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2827 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=1025 RES=0x00 ACK FIN URGP=0
2020-05-12T21:14:41.833023+02:00 v1115 kernel: [8213136.100091] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.25.23 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2828 DF PROTO=TCP SPT=54982 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0
2020-05-12T21:15:00.097772+02:00 v1115 kernel: [8213154.363942] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=52 TOS=0x02 PREC=0x00 TTL=126 ID=2829 DF PROTO=TCP SPT=55325 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
2020-05-12T21:15:00.117084+02:00 v1115 kernel: [8213154.383275] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2830 DF PROTO=TCP SPT=55325 DPT=80 WINDOW=1026 RES=0x00 ACK URGP=0
2020-05-12T21:15:00.117102+02:00 v1115 kernel: [8213154.383309] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=364 TOS=0x00 PREC=0x00 TTL=126 ID=2831 DF PROTO=TCP SPT=55325 DPT=80 WINDOW=1026 RES=0x00 ACK PSH URGP=0
2020-05-12T21:15:00.193290+02:00 v1115 kernel: [8213154.459464] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=2832 DF PROTO=TCP SPT=55325 DPT=80 WINDOW=1025 RES=0x00 ACK URGP=0
2020-05-12T21:15:00.234317+02:00 v1115 kernel: [8213154.500501] iptables.FORWARD(TEST): IN=eth0 OUT=tun0 MAC=00:50:56:18:33:41:00:50:56:18:33:34:08:00 SRC=172.21.112.1 DST=10.232.12.34 LEN=52 TOS=0x02 PREC=0x00 TTL=126 ID=2833 DF PROTO=TCP SPT=55326 DPT=80 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0

Thanks,
Walter
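
Added example, not part of the original post: a Python check over rt2 LOG lines that finds packets matching the SNAT rule's source and destination networks but still carrying the original source, grouped by flow and TCP flags, and reports which source ports were also seen translated. The sample lines are abridged from the log above; matching flows by source port assumes SNAT kept the port, as that log shows.

```python
import ipaddress
import re
from collections import defaultdict

# Networks and address taken from the SNAT rule in the post.
SNAT_SRC = ipaddress.ip_network("172.21.16.0/20")
SNAT_DST = ipaddress.ip_network("10.232.0.0/13")
TO_SOURCE = "172.21.112.1"
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE")
KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample: lines abridged from the rt2 log in the post.
SAMPLE = """\
iptables.FORWARD(TEST): IN=eth0 OUT=tun0 SRC=172.21.112.1 DST=10.232.12.34 PROTO=TCP SPT=54982 DPT=80 RES=0x00 ACK URGP=0
iptables.FORWARD(TEST): IN=eth0 OUT=tun0 SRC=172.21.112.1 DST=10.232.12.34 PROTO=TCP SPT=55121 DPT=80 RES=0x00 CWR ECE SYN URGP=0
iptables.FORWARD(TEST): IN=eth0 OUT=tun0 SRC=172.21.25.23 DST=10.232.12.34 PROTO=TCP SPT=54982 DPT=80 RES=0x00 ACK FIN URGP=0
iptables.FORWARD(TEST): IN=eth0 OUT=tun0 SRC=172.21.112.1 DST=10.232.12.34 PROTO=TCP SPT=55121 DPT=80 RES=0x00 ACK FIN URGP=0
iptables.FORWARD(TEST): IN=eth0 OUT=tun0 SRC=172.21.25.23 DST=10.232.12.34 PROTO=TCP SPT=54982 DPT=80 RES=0x00 ACK RST URGP=0
"""

def parse(line):
    """Return the key=value fields of one LOG line plus its bare TCP flag tokens."""
    fields = dict(KV.findall(line))
    fields["FLAGS"] = tuple(t for t in line.split() if t in TCP_FLAGS)
    return fields

def untranslated(lines):
    """Map flow -> list of flag tuples for packets that match -s/-d but were not SNATed."""
    flows = defaultdict(list)
    for f in map(parse, lines):
        if "SRC" not in f or "DST" not in f:
            continue  # not an iptables LOG line
        if (ipaddress.ip_address(f["SRC"]) in SNAT_SRC
                and ipaddress.ip_address(f["DST"]) in SNAT_DST):
            flow = (f["SRC"], f.get("SPT"), f["DST"], f.get("DPT"))
            flows[flow].append(f["FLAGS"])
    return dict(flows)

def translated_ports(lines):
    """Source ports seen with the SNAT address, i.e. flows that were translated."""
    return {f["SPT"] for f in map(parse, lines)
            if f.get("SRC") == TO_SOURCE and "SPT" in f}

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    nated = translated_ports(lines)
    for flow, flags in untranslated(lines).items():
        earlier = "yes" if flow[1] in nated else "no"
        print(flow, "flags:", flags, "same port seen translated:", earlier)
```

The nat table is consulted only for the first packet of a connection, so packets that connection tracking no longer associates with a tracked connection leave without translation. A FORWARD rule on rt1 that drops `-m conntrack --ctstate INVALID` keeps such packets from reaching rt2 with the internal source address.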



