On 2022-03-10 15:53, Florian Westphal wrote:
> Marcin Kabiesz <marcin.kabiesz@xxxxxxxxxxxx> wrote:
>> My question is where do I create a rule for invalid packets? In NAT
>> POSTROUTING? Or MANGLE POSTROUTING, or another place where traffic leaves
>> the server? I am waiting for your opinion.
>
> INVALID packets do not traverse the NAT table, so NAT POSTROUTING won't
> work.
>
> I would suggest mangle postrouting or filter forward, depending on
> whether you want to include locally generated packets or not.
Hello,
I did as you wrote and even added the option to filter local networks
before entering NAT, and I still get traffic from the network for this
machine.
There is a 192.168.10.x/24 network on this router and I can see its
packets as if NAT is running, even though it is clearly told to replace
the source IP in the header. The POSTROUTING rule for INVALID does not
work, because nothing gets caught in it.
This is the NAT router (not the BGP router; the BGP router is the default gateway):
Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target prot opt in out     source           destination
84216 8212K ACCEPT all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0
 552K   46M ACCEPT all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0
    0     0 DROP   all  --  *  eth0.2 192.168.0.0/16   0.0.0.0/0
    0     0 DROP   tcp  --  *  eth0.2 0.0.0.0/0        0.0.0.0/0        state INVALID
and
Chain POSTROUTING (policy ACCEPT 30780 packets, 2009K bytes)
 pkts bytes target prot opt in out     source           destination
 117K   17M SNAT   all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0        to:1.2.3.4
 558K   77M SNAT   all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0        to:1.2.3.4
 1629  256K SNAT   all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0        to:1.2.3.4
Packet seen on my router (the BGP router); I should not have seen it, and yet here it is:

10:09:28.879415 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q (0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 127, id 20066, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.206.57808 > 108.177.14.189.443: Flags [R.], cksum 0x3ba1 (correct), seq 2045590905, ack 4040794494, win 0, length 0
Please help / hint.
--
Marcin Kabiesz
IT Network Administrator
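Editor's added example, not code from the thread or from netfilter. One detail worth checking in the mangle POSTROUTING listing above is rule order: iptables evaluates a chain top to bottom and the first terminating target (ACCEPT, DROP, REJECT, RETURN) ends traversal of that chain, so the `DROP tcp ... state INVALID` rule at the bottom is only ever reached by packets that none of the earlier ACCEPT/DROP rules matched. For any source in 192.168.10.0/24, 192.168.11.0/24 or 192.168.12.0/24 an unconditional ACCEPT comes first, which is consistent with the INVALID rule's zero counter. The script below parses `iptables -nvL` style output and reports, for each rule, the source ranges that an earlier terminating rule intercepts before it. It assumes IPv4 only, the default counter formatting (no `-x`, so `552K` means 552000), and no negated matches (which iptables prints with a leading `!`); the embedded listing is a constructed copy of the chain posted above.

```python
"""Find iptables rules that an earlier terminating rule in the same chain
keeps from matching, from the text of `iptables -t mangle -nvL POSTROUTING`.
Added example; assumptions: IPv4 only, default (non -x) counter scaling,
no negated interface/address matches."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the mangle POSTROUTING chain from the thread,
# re-flowed into the columns that `iptables -nvL` prints.
SAMPLE_CHAIN = """\
Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target prot opt in out     source           destination
84216 8212K ACCEPT all  --  *  eth0.2 192.168.10.0/24  0.0.0.0/0
 552K   46M ACCEPT all  --  *  eth0.2 192.168.11.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *  eth0.2 192.168.12.0/24  0.0.0.0/0
    0     0 DROP   all  --  *  eth0.2 192.168.0.0/16   0.0.0.0/0
    0     0 DROP   tcp  --  *  eth0.2 0.0.0.0/0        0.0.0.0/0        state INVALID
"""

# Targets that end traversal of the current chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
COUNT_RE = re.compile(r"^(\d+)([KMGT]?)$")
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_count(token: str) -> int:
    """'552K' -> 552000; iptables scales large counters by 1000 unless run with -x."""
    m = COUNT_RE.match(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * SCALE[m.group(2)]


@dataclass
class Rule:
    index: int            # 1-based position, as `iptables --line-numbers` shows it
    pkts: int
    target: str
    proto: str            # 'all', 'tcp', 'udp', ...
    in_if: str            # '*' means any interface
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    extra: list = field(default_factory=list)  # trailing options, e.g. ['state', 'INVALID']


def parse_chain(text: str) -> list:
    """Parse the rule lines of one chain; the 'Chain ...' and header lines are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # Rule lines start with the two counters (pkts, bytes).
        if len(f) < 9 or not (COUNT_RE.match(f[0]) and COUNT_RE.match(f[1])):
            continue
        rules.append(Rule(
            index=len(rules) + 1, pkts=parse_count(f[0]), target=f[2], proto=f[3],
            in_if=f[5], out_if=f[6],
            src=ipaddress.ip_network(f[7]), dst=ipaddress.ip_network(f[8]),
            extra=f[9:],
        ))
    return rules


def _intercepted_source(earlier: Rule, later: Rule):
    """Source range on which `earlier` terminates the chain before `later` is
    evaluated, or None. `earlier` must carry no extra match options: a rule
    with e.g. 'state INVALID' only takes a subset this script does not model."""
    if earlier.extra or earlier.target not in TERMINATING:
        return None
    if "all" not in (earlier.proto, later.proto) and earlier.proto != later.proto:
        return None
    for a, b in ((earlier.in_if, later.in_if), (earlier.out_if, later.out_if)):
        if "*" not in (a, b) and a != b:
            return None
    if not (earlier.src.overlaps(later.src) and earlier.dst.overlaps(later.dst)):
        return None
    # The overlap of two CIDR networks is the more specific of the two.
    return earlier.src if earlier.src.subnet_of(later.src) else later.src


def shadowed(rules: list) -> list:
    """(later_index, earlier_index, source_range) for each pair where the
    earlier rule intercepts part of the later rule's traffic."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            rng = _intercepted_source(earlier, later)
            if rng is not None:
                found.append((later.index, earlier.index, rng))
    return found


def report(text: str) -> list:
    rules = parse_chain(text)
    lines = []
    for later, earlier, rng in shadowed(rules):
        b, a = rules[later - 1], rules[earlier - 1]
        what = " ".join([b.target, b.proto] + b.extra)
        lines.append(f"rule {later} ({what}, {b.pkts} pkts) never sees source {rng}: "
                     f"rule {earlier} ({a.target}) matches it first")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CHAIN):
        print(line)
```

Run on the posted chain, it reports rule 5 (the INVALID drop, 0 packets) as intercepted by rules 1 to 4 for every 192.168.0.0/16 source, i.e. for exactly the traffic the poster wants dropped. Because the first terminating match wins, the usual fix is to insert the INVALID drop ahead of the per-network ACCEPTs, for example `iptables -t mangle -I POSTROUTING 1 -o eth0.2 -m conntrack --ctstate INVALID -j DROP` (interface name taken from the listing), and the same ordering point applies if the rule is placed in filter FORWARD instead.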