lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 1 Sep 2021 22:42:04 +0200
From:   folkert <folkert@...heusden.com>
To:     netdev@...r.kernel.org
Subject: masquerading AFTER first packet

Hi,

I'm seeing something strange. I'm doing an snmpwalk on an snmp server of
mine (behing DNAT) , and after the first response it goes into a timeout.
I did a tcpdump and saw this:

1630528031.843264 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(23)  .1.3.6.1
1630528031.843924 IP 37.34.63.177.161 > 185.243.112.54.38377: GetResponse(34)  .1.3.6.1.2=0   <-- ok
1630528031.846950 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24)  .1.3.6.1.2
1630528031.847415 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35)  .1.3.6.1.2.1=0  <-- fail
1630528032.847649 IP 185.243.112.54.38377 > 37.34.63.177.161: GetNextRequest(24)  .1.3.6.1.2
1630528032.848081 IP 192.168.4.2.161 > 185.243.112.54.38377: GetResponse(35)  .1.3.6.1.2.1=0  <-- fail
...

What happens here: 192.168.4.2.161 is the snmp-server. It is
portforwarded by 37.34.63.177 and also masqueraded. All is fine for the
first request/response, after that as you see the internal ip address
is outputted (which is incorrect of course).

I thought that maybe I had the nat-connection tracking wrong but
everywhere on the internet it is written like this:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 161 -j LOG --log-prefix "DNAT: " --log-level 4                                    
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 161 -j DNAT --to 192.168.4.2:161                                                  
iptables -A FORWARD -d 192.168.4.2 -p udp --dport 161 -j LOG --log-prefix "FWD: " --log-level 4                                          
iptables -A FORWARD -d 192.168.4.2 -p udp --dport 161 -j ACCEPT      

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

eth0 is the interface to the world, eth1 to the internal system.
An example pcap trace file is at: https://vps001.vanheusden.com/~folkert/masq.pcap

Also dmesg says:

[Wed Sep  1 22:40:08 2021] DNAT: IN=eth0 OUT= MAC=52:54:00:65:21:38:0c:86:10:b5:91:e0:08:00 SRC=185.243.112.54 DST=37.34.63.177 LEN=66 TOS=0x00 PREC=0x00 TTL=55 ID=32612 DF PROTO=UDP SPT=39397 DPT=161 LEN=46 
[Wed Sep  1 22:40:08 2021] FWD: IN=eth0 OUT=eth1 MAC=52:54:00:65:21:38:0c:86:10:b5:91:e0:08:00 SRC=185.243.112.54 DST=192.168.4.2 LEN=66 TOS=0x00 PREC=0x00 TTL=54 ID=32612 DF PROTO=UDP SPT=39397 DPT=161 LEN=46 
[Wed Sep  1 22:40:08 2021] FWD: IN=eth0 OUT=eth1 MAC=52:54:00:65:21:38:0c:86:10:b5:91:e0:08:00 SRC=185.243.112.54 DST=192.168.4.2 LEN=67 TOS=0x00 PREC=0x00 TTL=54 ID=32613 DF PROTO=UDP SPT=39397 DPT=161 LEN=47 
...
Notice that 'DNAT' is logged once while the FWD for each packet.


Any suggestions?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ