Friday, March 26, 2010

Re: some packets going out from the wrong interface

On Friday 26 March 2010 21:51:03 Pascal Hambourg wrote:
> The nat chains see only the first packet of a NEW connection, so it is
> not the best place for logging. Try the mangle table instead.
>
> Also, it appears that the routing policy is based on connection mark, so
> it relies on connection tracking. I suspect that these packets are
> considered in the INVALID state for whatever reason. When using
> connection tracking or stateful NAT, a good practice is to DROP packets
> in the INVALID state.

Yes, I've added that and still the same:

0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID

And no log at all after adding:

iptables -t mangle -A POSTROUTING -o eth1 -s 10.10.2.1 -j LOG --log-prefix "WRONG on eth1: "

iptables -t mangle -A POSTROUTING -o eth2 -s 10.10.1.1 -j LOG --log-prefix "WRONG on eth2: "

>
> Could you provide a sample of these packets ?
>

~# tcpdump -i eth1 -nnvvXSs 1514 src 10.10.1.1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1514
bytes
23:02:33.323385 IP (tos 0x0, ttl 63, id 18034, offset 0, flags [DF], proto TCP
(6), length 60) 10.10.1.1.49947 > 62.58.184.18.80: S, cksum 0xfb0b (correct),
3035347871:3035347871(0) win 5840 <mss 1460,sackOK,timestamp 4294901980
0,nop,wscale 1>
0x0000: 4500 003c 4672 4000 3f06 f3f2 0a0a 0101 E..<Fr@.?.......
0x0010: 3e3a b812 c31b 0050 b4eb bb9f 0000 0000 >:.....P........
0x0020: a002 16d0 fb0b 0000 0204 05b4 0402 080a ................
0x0030: ffff 00dc 0000 0000 0103 0301 ............
23:02:37.190769 IP (tos 0x0, ttl 63, id 43811, offset 0, flags [DF], proto TCP
(6), length 60) 10.10.1.1.55412 > 217.76.145.117.80: S, cksum 0xd98e
(correct), 3011137784:3011137784(0) win 5840 <mss 1460,sackOK,timestamp
4294902947 0,nop,wscale 1>
0x0000: 4500 003c ab23 4000 3f06 1acc 0a0a 0101 E..<.#@.?.......
0x0010: d94c 9175 d874 0050 b37a 50f8 0000 0000 .L.u.t.P.zP.....
0x0020: a002 16d0 d98e 0000 0204 05b4 0402 080a ................
0x0030: ffff 04a3 0000 0000 0103 0301 ............
23:02:39.322611 IP (tos 0x0, ttl 63, id 18035, offset 0, flags [DF], proto TCP
(6), length 60) 10.10.1.1.49947 > 62.58.184.18.80: S, cksum 0xf52f (correct),
3035347871:3035347871(0) win 5840 <mss 1460,sackOK,timestamp 4294903480
0,nop,wscale 1>
0x0000: 4500 003c 4673 4000 3f06 f3f1 0a0a 0101 E..<Fs@.?.......
0x0010: 3e3a b812 c31b 0050 b4eb bb9f 0000 0000 >:.....P........
0x0020: a002 16d0 f52f 0000 0204 05b4 0402 080a ...../..........
0x0030: ffff 06b8 0000 0000 0103 0301 ............


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/201003262305.13900.bencer@cauterized.net
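As an added example (not part of the thread or of either poster's code), a small Python decoder for the tcpdump -X hex dump quoted above: it rebuilds the raw packets from the hex columns, pulls out the IPv4/TCP fields that conntrack keys on, and groups bare SYNs that repeat the same addresses, ports and ISN, which shows from the capture alone whether the leaking packets are first packets of a connection (the only ones a nat chain ever sees) and whether some are retransmissions of the same attempt. The sample dump is constructed from packets 1 and 3 of the capture above.

```python
import re
import struct
from ipaddress import IPv4Address

# Constructed sample: packets 1 and 3 of the tcpdump -X dump in the thread
# (same 4-tuple and ISN, IP id 0x4672 then 0x4673, i.e. the SYN retransmitted).
SAMPLE_DUMP = """\
0x0000: 4500 003c 4672 4000 3f06 f3f2 0a0a 0101 E..<Fr@.?.......
0x0010: 3e3a b812 c31b 0050 b4eb bb9f 0000 0000 >:.....P........
0x0020: a002 16d0 fb0b 0000 0204 05b4 0402 080a ................
0x0030: ffff 00dc 0000 0000 0103 0301 ............
0x0000: 4500 003c 4673 4000 3f06 f3f1 0a0a 0101 E..<Fs@.?.......
0x0010: 3e3a b812 c31b 0050 b4eb bb9f 0000 0000 >:.....P........
0x0020: a002 16d0 f52f 0000 0204 05b4 0402 080a ...../..........
0x0030: ffff 06b8 0000 0000 0103 0301 ............
"""
HEX_LINE = re.compile(r"^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4}\s+)*[0-9a-f]{4})")

def packets_from_dump(text):
    """Split a tcpdump -X dump into raw packets; offset 0x0000 starts a new one."""
    packets, cur = [], bytearray()
    for m in filter(None, map(HEX_LINE.match, text.splitlines())):
        if m.group(1) == "0000" and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        cur += bytes.fromhex(m.group(2).replace(" ", ""))
    if cur:
        packets.append(bytes(cur))
    # Cut each packet at the IP total length so a hex-looking ASCII column cannot leak in.
    return [p[:struct.unpack("!H", p[2:4])[0]] for p in packets]

def decode_tcp(pkt):
    """Return the IPv4/TCP fields conntrack keys on, or None if the packet is not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    _, ip_id, _, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    if proto != 6:
        return None
    sport, dport, seq, _, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ip_id": ip_id, "ttl": ttl,
            "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10)}

def syn_retransmits(packets):
    """Bare SYNs sharing addresses, ports and ISN are one connection attempt retried."""
    seen = {}
    for p in filter(None, map(decode_tcp, packets)):
        if p["syn"] and not p["ack"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
            seen.setdefault(key, []).append(p["ip_id"])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}
```

Feed it the full `tcpdump -i eth1 -nnvvXSs 1514` output and every packet that leaves on the wrong interface is listed with the fields a `-m conntrack` rule would evaluate.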