RE: NAT table seems to be skipped for TCP traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Some details on the setup are missing.
Output of:
ip a
iptables-save
uname -a
cat /etc/*release

should make some sense.

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

-----Original Message-----
From: Nicholas Amon <nicholasamon@xxxxxxxxx> 
Sent: Wednesday, December 2, 2020 5:45 PM
To: netfilter@xxxxxxxxxxxxxxx
Subject: NAT table seems to be skipped for TCP traffic 

Hi,

I have a strange problem I’ve been troubleshooting for days to no avail.  I have traffic from a host (192.168.2.2) that appears to skip the NAT table altogether for TCP traffic but not for ICMP traffic.  
My goal is to SNAT all traffic from the host but the  SNAT occurs for ICMP traffic but not for TCP traffic?!

I have a Linux host that has KVM VMs. I've configured the host as a router doing SNAT (well actually masquerading in this example, but I tried SNAT earlier):

iptables SNAT rule:

Chain PREROUTING (policy ACCEPT 59 packets, 4855 bytes)
 pkts bytes target     prot opt in     out     source               destination
   69  6603 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "PRE-RTG-nat:"

Chain INPUT (policy ACCEPT 43 packets, 2697 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 88 packets, 5292 bytes)
 pkts bytes target     prot opt in     out     source               destination
   88  5292 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "OUT-nat:"

Chain POSTROUTING (policy ACCEPT 61 packets, 3686 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  6965 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 7 prefix "POST-RTG-nat:"
  431 21166 MASQUERADE  all  --  *      ens160  0.0.0.0/0            0.0.0.0/0

The IP address of the ens160 interface is 10.8.131.129.

Example tcpdump output captured on the KVM host when pinging a random host 5.5.5.5 from VM 192.168.2.2

tcpdump -ni ens160  port 80 or icmp

20:09:43.547144 IP 10.8.131.129 > 5.5.5.5: ICMP echo request, id 52336, seq 1, length 64
20:09:44.550362 IP 10.8.131.129 > 5.5.5.5: ICMP echo request, id 52336, seq 2, length 64
20:09:45.574299 IP 10.8.131.129 > 5.5.5.5: ICMP echo request, id 52336, seq 3, length 64
20:09:46.597927 IP 10.8.131.129 > 5.5.5.5: ICMP echo request, id 52336, seq 4, length 64

Example tcpdump output from the KVM host when curl 5.5.5.5 from VM 192.168.2.2:

tcpdump -ni ens160  port 80 or icmp

listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
20:11:48.421960 IP 192.168.2.2.25867 > 5.5.5.5.80: Flags [S], seq 2120886070, win 64240, options [mss 1460,sackOK,TS val 2611268392 ecr 0,nop,wscale 7], length 0
20:11:49.446042 IP 192.168.2.2.25867 > 5.5.5.5.80: Flags [S], seq 2120886070, win 64240, options [mss 1460,sackOK,TS val 2611269421 ecr 0,nop,wscale 7], length 0
20:11:51.461925 IP 192.168.2.2.25867 > 5.5.5.5.80: Flags [S], seq 2120886070, win 64240, options [mss 1460,sackOK,TS val 2611271437 ecr 0,nop,wscale 7], length 0

Notice how for the TCP traffic the source address is not NATed, 192.168.2.2, but for ICMP it NATs the traffic with the source reported as 10.8.131.129. It seems the SNAT rule is not applying!
I though next to add the LOG statements, as shown earlier in the iptables rules above (there is a similar LOG rule in the FORWARD chain of the filter table that outputs FWD-filter log statements not shown in the rules above), here is the output in the kernel logs when pinging:

Dec  1 20:14:18 XXXXX kernel: [16654.813561] PRE-RTG-nat:IN=veth1 OUT= MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29316 DF PROTO=ICMP TYPE=8 CODE=0 ID=29910 SEQ=1
Dec  1 20:14:18 XXXXX kernel: [16654.813582] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=29316 DF PROTO=ICMP TYPE=8 CODE=0 ID=29910 SEQ=1
Dec  1 20:14:18 XXXXX kernel: [16654.813588] POST-RTG-nat:IN= OUT=ens160 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=29316 DF PROTO=ICMP TYPE=8 CODE=0 ID=29910 SEQ=1
Dec  1 20:14:18 XXXXX kernel: [16654.813561] PRE-RTG-nat:IN=veth1 OUT= MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=29316 DF PROTO=ICMP TYPE=8 CODE=0 ID=29910 SEQ=1
Dec  1 20:14:18 XXXXX kernel: [16654.813582] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=29316 DF PROTO=ICMP TYPE=8 CODE=0 ID=29910 SEQ=1
Dec  1 20:14:18 XXXXX kernel: [16654.813588] POST-RTG-nat:IN= OUT=ens160 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=29316 DF PROTO=ICMP TYPE=8 CODE=0 ID=29910 SEQ=1

Here are the kernel logs when curl/TCP:

ec  1 20:18:33 XXXXXX kernel: [16910.155962] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=8112 DF PROTO=TCP SPT=33380 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  1 20:18:33 XXXXXX kernel: [16910.155962] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=8112 DF PROTO=TCP SPT=33380 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  1 20:18:34 XXXXXX kernel: [16911.169639] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=8113 DF PROTO=TCP SPT=33380 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  1 20:18:34 XXXXXX kernel: [16911.169639] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=8113 DF PROTO=TCP SPT=33380 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

I ran a follow-up test to determine if the traffic is in the POSTROUTING mangle table and it is there for both the ICMP and TCP traffic:

ICMP
Dec  1 20:31:29 XXXXXX kernel: [17685.625732] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=4680 DF PROTO=ICMP TYPE=8 CODE=0 ID=25900 SEQ=1
Dec  1 20:31:29 XXXXXX kernel: [17685.625738] RULE-PSTRTG-mangle:IN= OUT=ens160 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=4680 DF PROTO=ICMP TYPE=8 CODE=0 ID=25900 SEQ=1
Dec  1 20:31:29 XXXXXX kernel: [17685.625743] POST-RTG-nat:IN= OUT=ens160 SRC=192.168.2.2 DST=5.5.5.5 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=4680 DF PROTO=ICMP TYPE=8 CODE=0 ID=25900 SEQ=1

TCP
Dec  1 20:31:37 XXXXXX kernel: [17694.202915] FWD-filter:IN=veth1 OUT=ens160 MAC=4a:69:c2:22:60:28:b6:15:50:68:fc:76:08:00 SRC=192.168.2.2 DST=5.5.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=8604 DF PROTO=TCP SPT=62653 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Dec  1 20:31:37 XXXXXX kernel: [17694.202926] RULE-PSTRTG-mangle:IN= OUT=ens160 SRC=192.168.2.2 DST=5.5.5.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=8604 DF PROTO=TCP SPT=62653 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

The traffic seems to skip the NAT table altogether when it's TCP traffic.   Any idea what I'm doing wrong?

Thanks,

Nick





[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux