lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sun, 11 Jul 2010 18:08:52 +0100
From:	Alexander Clouter <alex@...riz.org.uk>
To:	linux-kernel@...r.kernel.org
Subject: Re: SNATed connections show as original ip in /proc/net/tcp

Noah McNallie <n0ah@...h.org> wrote:
>
>> Look into using 'ip rule' and a second routing table.
>>
>> http://lartc.org/howto/lartc.rpdb.html
>>
>> You will still need use iptables/MARK to do L4 (tcp/udp/etc) policy
>> routing though, however now you can dump the ugly SNATing.
>
> ok i'll stick it there i must have missed that browsing mailing lists last  
> night... uhh as far as ip rule i am using that, that's how i match the  
> packets with the firewall mark that need to go out a specific interface  
> and to a specific route... i don't believe ip rule has any option to match  
> packets based on destination port and change their source address and  
> route them out any specific interface, or i'd be doing that all along as  
> that would be much better.
> 
I read your original post as saying were using iptables and the SNAT 
action, I am suggesting you use 'ip rule' to say "if x/tcp or y/udp 
using routing table 'alternative'".  Might be easier if you actually put 
here the ip/iptables rules you are actually using?

In the alternative routing table you can say to use a different source 
IP and/or alternative default gateway address (using something like 'ip 
route ... src ... via ... dev').  As I mentioned before, as 'ip rule' 
only knows about IP addresses (and not tcp/udp/etc port numbers and what 
not) you will need to use iptables MARK action and the fwmark in 'ip 
rule' to get the L4 policy based routing you want.

By using a second routing table (as described in the LARTC link), you 
can stop using the 'iptables -j SNAT' I think you are using.  Then, 
hopefully all your netstat output for locally sourced traffic will be 
correct.

Cheers

-- 
Alexander Clouter
.sigmonster says: You will be married within a year, and divorced within two.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ