Jorge Salamero Sanz a écrit :
>
> i've a firewall with two routers as a multigw scenario. load balancing works
> but some packets go out from the wrong interface to the routers.
>
> routerA: 10.10.1.251 -> 10.10.1.1
> firewall: 192.168.1.1->LAN
> routerB: 10.10.2.251 -> 10.10.2.1
>
> i can see this wrong traffic with tcpdump on any of the routers, for example
> from routerA with tcpdump -i eth1 src 10.10.2.1 shows some traffic, like 1-5% of
> the connections.
>
> it's very weird that if i setup a rule on nat postrouting to log this packets
> going out with the wrong source o from the wrong interface, netfilter doesn't
> log anything but tcpdump still shows these packets.
The nat chains see only the first packet of a NEW connection, so it is
not the best place for logging. Try the mangle table instead.
Also, it appears that the routing policy is based on connection mark, so
it relies on connection tracking. I suspect that these packets are
considered in the INVALID state for whatever reason. When using
connection tracking or stateful NAT, a good practice is to DROP packets
in the INVALID state.
Could you provide a sample of these packets ?
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4BAD1E37.4070707@plouf.fr.eu.org
No comments:
Post a Comment