Re: NAT translation problem - leakage of packets with original source address

[Marcin Kabiesz <marcin.kabiesz@xxxxxxxxxxxx>]

W dniu 2022-03-10 15:53, Florian Westphal napisał(a):
> Marcin Kabiesz <marcin.kabiesz@xxxxxxxxxxxx> wrote:
> > My question is where do I create a rule for invalid packets? in NAT
> > POSTROUTING? or MANGLE POSTROUTING or other place leaving the server? 
> > I am
> > waiting for your opinion.
>
> INVALID packets do not traverse NAT table, so NAT POSTROUTING won't
> work.
>
> I would suggest mangle postrouting or filter forward, depending on
> wheter you want to include locally generated packets or not.

Welcome,
I did as you wrote and even added the option to filter local networks 
before entering NAT and still get traffic from the network for this 
machine.

There is a 192.168.10.x / 24 network on this router and I can see its 
packets as if NAT is running even though it is clearly told to replace 
the source IP in the header. The POSTROUTING rule for INVALID does not 
work because nothing gets caught in it.

This router NAT (not BGP - BGP is default Gateway)

Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target     prot opt in     out     source               
destination
84216 8212K ACCEPT     all  --  *      eth0.2  192.168.10.0/24      
0.0.0.0/0
 552K   46M ACCEPT     all  --  *      eth0.2  192.168.11.0/24      
0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0.2  192.168.12.0/24      
0.0.0.0/0
    0     0 DROP       all  --  *      eth0.2  192.168.0.0/16       
0.0.0.0/0
    0     0 DROP       tcp  --  *      eth0.2  0.0.0.0/0            
0.0.0.0/0            state INVALID

and

Chain POSTROUTING (policy ACCEPT 30780 packets, 2009K bytes)
 pkts bytes target     prot opt in     out     source               
destination
 117K   17M SNAT       all  --  *      eth0.2  192.168.10.0/24      
0.0.0.0/0            to:1.2.3.4
 558K   77M SNAT       all  --  *      eth0.2  192.168.11.0/24      
0.0.0.0/0            to:1.2.3.4
 1629  256K SNAT       all  --  *      eth0.2  192.168.12.0/24      
0.0.0.0/0            to:1.2.3.4

My Router (BGP router) packet: (I shouldn't have seen it and here I can 
see ...)

10:09:28.879415 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q 
(0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0, 
ttl 127, id 20066, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.10.206.57808 > 108.177.14.189.443: Flags [R.], cksum 0x3ba1 
(correct), seq 2045590905, ack 4040794494, win 0, length 0

Please help / hint.

--
Marcin Kabiesz
Administrator Sieci IT