Message-ID: <20210901204204.GB3350910@belle.intranet.vanheusden.com>
Date: Wed, 1 Sep 2021 22:42:04 +0200
From: folkert <folkert@...heusden.com>
To: netdev@...r.kernel.org
Subject: masquerading AFTER first packet
Hi,
I'm seeing something strange. I'm doing an snmpwalk on an snmp server of
mine (behind DNAT), and after the first response it goes into a timeout.
I did a tcpdump and saw this:
1630528031.843264 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(23) .1.3.6.1
1630528031.843924 IP 37.34.63.177.161 > 185.243.112.54.38377: GetResponse(34) .1.3.6.1.2=0 <-- ok
1630528031.846950 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24) .1.3.6.1.2
1630528031.847415 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35) .1.3.6.1.2.1=0 <-- fail
1630528032.847649 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24) .1.3.6.1.2
1630528032.848081 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35) .1.3.6.1.2.1=0 <-- fail
...
What happens here: 192.168.4.2.161 is the snmp-server. It is
port-forwarded by 37.34.63.177 and also masqueraded. All is fine for the
first request/response; after that, as you see, the internal ip address
is output (which is incorrect of course).
I thought that maybe I had the nat-connection tracking wrong but
everywhere on the internet it is written like this:
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 161 -j LOG --log-prefix "DNAT: " --log-level 4
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 161 -j DNAT --to 192.168.4.2:161
iptables -A FORWARD -d 192.168.4.2 -p udp --dport 161 -j LOG --log-prefix "FWD: " --log-level 4
iptables -A FORWARD -d 192.168.4.2 -p udp --dport 161 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
eth0 is the interface to the world, eth1 to the internal system.
An example pcap trace file is at: https://vps001.vanheusden.com/~folkert/masq.pcap
Also dmesg says:
[Wed Sep 1 22:40:08 2021] DNAT: IN=eth0 OUT= MAC=52:54:00:65:21:38:0c:86:10:b5:91:e0:08:00 SRC=185.243.112.54 DST=37.34.63.177 LEN=66 TOS=0x00 PREC=0x00 TTL=55 ID=32612 DF PROTO=UDP SPT=39397 DPT=161 LEN=46
[Wed Sep 1 22:40:08 2021] FWD: IN=eth0 OUT=eth1 MAC=52:54:00:65:21:38:0c:86:10:b5:91:e0:08:00 SRC=185.243.112.54 DST=192.168.4.2 LEN=66 TOS=0x00 PREC=0x00 TTL=54 ID=32612 DF PROTO=UDP SPT=39397 DPT=161 LEN=46
[Wed Sep 1 22:40:08 2021] FWD: IN=eth0 OUT=eth1 MAC=52:54:00:65:21:38:0c:86:10:b5:91:e0:08:00 SRC=185.243.112.54 DST=192.168.4.2 LEN=67 TOS=0x00 PREC=0x00 TTL=54 ID=32613 DF PROTO=UDP SPT=39397 DPT=161 LEN=47
...
Notice that 'DNAT' is logged once while FWD is logged for each packet.
Any suggestions?
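As an added illustration (not part of the original post, and not code from the netdev list), the following Python script checks a text tcpdump capture for exactly the symptom described above: replies that leave the NAT box carrying the internal (pre-DNAT) source address instead of the public one. It parses the `tcpdump -tt` line format shown in the post, remembers which external client:port pairs sent requests to the public address, and flags any reply to such a client whose source is not the public address. The sample lines are the ones quoted in the post; the public address, the service port and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# tcpdump -tt text format as shown in the post:
#   "<epoch ts> IP <src ip>.<sport> > <dst ip>.<dport>: <summary>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<summary>.*)$"
)

# Lines taken from the post (trailing "<-- ok/fail" annotations included).
SAMPLE_CAPTURE = """\
1630528031.843264 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(23) .1.3.6.1
1630528031.843924 IP 37.34.63.177.161 > 185.243.112.54.38377: GetResponse(34) .1.3.6.1.2=0 <-- ok
1630528031.846950 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24) .1.3.6.1.2
1630528031.847415 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35) .1.3.6.1.2.1=0 <-- fail
1630528032.847649 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24) .1.3.6.1.2
1630528032.848081 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35) .1.3.6.1.2.1=0 <-- fail
"""

# Values from the post; treated as assumptions of this example.
PUBLIC_IP = "37.34.63.177"
SERVICE_PORT = 161


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    summary: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump text line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(float(m["ts"]), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["summary"])


def find_unmasqueraded_replies(lines: List[str], public_ip: str,
                               service_port: int) -> Tuple[int, List[Tuple[float, str]]]:
    """Return (number of replies seen, [(ts, leaked src ip), ...]).

    A request is any packet addressed to public_ip:service_port; its
    (client ip, client port) is remembered. A reply is a packet from
    service_port back to a remembered client. A reply whose source is
    not public_ip was not rewritten by reverse NAT, which is the failure
    the post reports (the client will discard or time out on it).
    """
    clients = set()
    leaks: List[Tuple[float, str]] = []
    replies = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p.dst == public_ip and p.dport == service_port:
            clients.add((p.src, p.sport))
        elif p.sport == service_port and (p.dst, p.dport) in clients:
            replies += 1
            if p.src != public_ip:
                leaks.append((p.ts, p.src))
    return replies, leaks


def analyse(capture_text: str = SAMPLE_CAPTURE) -> Tuple[int, List[Tuple[float, str]]]:
    """Run the check over a capture and print a short report."""
    replies, leaks = find_unmasqueraded_replies(capture_text.splitlines(),
                                                PUBLIC_IP, SERVICE_PORT)
    print(f"{replies} replies, {len(leaks)} with an un-NATed source address")
    for ts, src in leaks:
        print(f"  {ts:.6f}: reply sourced from internal address {src}")
    return replies, leaks


if __name__ == "__main__":
    analyse()
```

On the post's capture this reports three replies, two of which are sourced from 192.168.4.2; a correctly working DNAT/MASQUERADE setup would report zero leaks, so the script doubles as a quick regression check after changing the rule set.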