Re: NAT translation problem - leakage of packets with original source address

On 2022-03-10 15:53, Florian Westphal wrote:
> Marcin Kabiesz <marcin.kabiesz@xxxxxxxxxxxx> wrote:
>> My question is where do I create a rule for invalid packets? In NAT
>> POSTROUTING? Or MANGLE POSTROUTING, or some other place leaving the server? I am
>> waiting for your opinion.
>
> INVALID packets do not traverse the NAT table, so NAT POSTROUTING won't
> work.
>
> I would suggest mangle postrouting or filter forward, depending on
> whether you want to include locally generated packets or not.

Welcome,
I did as you wrote, and even added the option to filter local networks before entering NAT, and I still get traffic from the network for this machine.

There is a 192.168.10.x/24 network on this router, and I can see its packets as if NAT is running, even though it is clearly told to replace the source IP in the header. The POSTROUTING rule for INVALID does not work, because nothing gets caught in it.

This is the NAT router (not the BGP one; the BGP router is the default gateway):

Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target prot opt in  out    source           destination
84216 8212K ACCEPT all  --  *   eth0.2 192.168.10.0/24  0.0.0.0/0
 552K   46M ACCEPT all  --  *   eth0.2 192.168.11.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *   eth0.2 192.168.12.0/24  0.0.0.0/0
    0     0 DROP   all  --  *   eth0.2 192.168.0.0/16   0.0.0.0/0
    0     0 DROP   tcp  --  *   eth0.2 0.0.0.0/0        0.0.0.0/0   state INVALID

and

Chain POSTROUTING (policy ACCEPT 30780 packets, 2009K bytes)
 pkts bytes target prot opt in  out    source           destination
 117K   17M SNAT   all  --  *   eth0.2 192.168.10.0/24  0.0.0.0/0   to:1.2.3.4
 558K   77M SNAT   all  --  *   eth0.2 192.168.11.0/24  0.0.0.0/0   to:1.2.3.4
 1629  256K SNAT   all  --  *   eth0.2 192.168.12.0/24  0.0.0.0/0   to:1.2.3.4

Packet seen on my router (the BGP router); I shouldn't have seen it, and yet here it is:

10:09:28.879415 xx:xx:xx:xx:xx:xx > zz:zz:zz:zz:zz:zz, ethertype 802.1Q (0x8100), length 64: vlan 1234, p 0, ethertype IPv4 (0x0800), (tos 0x0, ttl 127, id 20066, offset 0, flags [DF], proto TCP (6), length 40) 192.168.10.206.57808 > 108.177.14.189.443: Flags [R.], cksum 0x3ba1 (correct), seq 2045590905, ack 4040794494, win 0, length 0

Please help / hint.

--
Marcin Kabiesz
IT Network Administrator
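An added example, written by the editor and not code from either poster: a small simulator of iptables first-match semantics run over an `iptables -L -v -n` listing. It takes the mangle POSTROUTING chain exactly as listed in the message above, plus the leaked RST from the tcpdump line, and reports which rule the packet hits. Its one assumption is that the leaked RST would be classified INVALID by conntrack (that is the state the drop rule is written for; the classification itself is not verified here). The second chain is a hypothetical rearrangement of the same five rules with the INVALID drop moved to the top, and `parse_listing`, `first_match`, `POSTED_CHAIN`, `REORDERED_CHAIN` and `LEAKED_RST` are names chosen for this example.

```python
"""Walk an iptables chain listing in first-match order.

Added example: a small simulator of iptables first-match semantics over the
text printed by `iptables -t mangle -L POSTROUTING -v -n`. It understands only
the matches that appear in the post (protocol, output interface, source and
destination network, and `state`/`ctstate`), which is enough to show which
rule a given packet would hit and whether a later rule is shadowed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str                     # "all", "tcp", "udp", ...
    out_if: str                    # "*" or an interface name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    states: frozenset              # empty: no state/ctstate match on the rule


def parse_listing(text):
    """Parse `iptables -L -v -n` output into Rule objects, preserving chain order."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue  # chain header, column header, or blank line
        # Columns: pkts bytes target prot opt in out source destination [matches...]
        _pkts, _bytes, target, proto, _opt, _in, out_if, src, dst, *extra = parts
        states = frozenset()
        for key in ("state", "ctstate"):  # -m state and -m conntrack print differently
            if key in extra:
                states = frozenset(extra[extra.index(key) + 1].split(","))
        rules.append(Rule(target, proto, out_if,
                          ipaddress.ip_network(src), ipaddress.ip_network(dst), states))
    return rules


def first_match(rules, src, dst, proto, out_if, state):
    """Return (index, target) of the first rule the packet matches, or
    (None, None) when it falls through to the chain policy."""
    saddr, daddr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r.proto not in ("all", proto):
            continue
        if r.out_if not in ("*", out_if):
            continue
        if saddr not in r.src or daddr not in r.dst:
            continue
        if r.states and state not in r.states:
            continue
        return i, r.target
    return None, None


# The mangle POSTROUTING chain as listed in the post (counters are parsed past).
POSTED_CHAIN = """\
Chain POSTROUTING (policy ACCEPT 1170K packets, 1616M bytes)
 pkts bytes target prot opt in  out    source           destination
84216 8212K ACCEPT all  --  *   eth0.2 192.168.10.0/24  0.0.0.0/0
 552K   46M ACCEPT all  --  *   eth0.2 192.168.11.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *   eth0.2 192.168.12.0/24  0.0.0.0/0
    0     0 DROP   all  --  *   eth0.2 192.168.0.0/16   0.0.0.0/0
    0     0 DROP   tcp  --  *   eth0.2 0.0.0.0/0        0.0.0.0/0   state INVALID
"""

# Hypothetical rearrangement of the same five rules: the INVALID drop moved to the top.
REORDERED_CHAIN = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out    source           destination
    0     0 DROP   tcp  --  *   eth0.2 0.0.0.0/0        0.0.0.0/0   state INVALID
    0     0 ACCEPT all  --  *   eth0.2 192.168.10.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *   eth0.2 192.168.11.0/24  0.0.0.0/0
    0     0 ACCEPT all  --  *   eth0.2 192.168.12.0/24  0.0.0.0/0
    0     0 DROP   all  --  *   eth0.2 192.168.0.0/16   0.0.0.0/0
"""

# The leaked packet from the tcpdump line: a TCP RST from 192.168.10.206 to
# 108.177.14.189 leaving eth0.2. Its conntrack state is an assumption: a RST
# matching no existing flow is what the `state INVALID` rule is meant to catch.
LEAKED_RST = dict(src="192.168.10.206", dst="108.177.14.189",
                  proto="tcp", out_if="eth0.2", state="INVALID")


if __name__ == "__main__":
    for name, chain in (("as posted", POSTED_CHAIN), ("reordered", REORDERED_CHAIN)):
        idx, target = first_match(parse_listing(chain), **LEAKED_RST)
        print(f"{name:10s}: rule {idx} -> {target}")
```

With the chain as posted, a packet from 192.168.10.206 leaving eth0.2 is matched by the first ACCEPT rule and never reaches the `state INVALID` rule, which is consistent with the zero counter shown on that rule; iptables evaluates a chain top to bottom, so a drop placed below a broader ACCEPT for the same source network cannot match. With the drop moved above the per-subnet ACCEPTs, the same packet hits the drop while tracked packets from the subnet still reach their ACCEPT. The walk covers only this chain: the nat table where SNAT is applied is not modelled, and, as the quoted reply says, INVALID packets never enter it.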
