Friday, March 26, 2010

some packets going out from the wrong interface

hi all,

I've a firewall with two routers as a multi-gateway scenario. Load balancing works,
but some packets go out from the wrong interface to the routers.

routerA: 10.10.1.251 -> 10.10.1.1
firewall: 192.168.1.1->LAN
routerB: 10.10.2.251 -> 10.10.2.1

I can see this wrong traffic with tcpdump on any of the routers; for example,
on routerA, tcpdump -i eth1 src 10.10.2.1 shows some traffic, like 1-5% of
the connections.

It's very weird that if I set up a rule in nat POSTROUTING to log these packets
going out with the wrong source or from the wrong interface, netfilter doesn't
log anything, but tcpdump still shows these packets.

This is my setup:

# ip rule ls
0: from all lookup local
32761: from all lookup main
32762: from all fwmark 0x8002 lookup 2
32763: from all fwmark 0x8001 lookup 1
32764: from 10.10.2.1/24 lookup 201
32765: from 10.10.1.1/24 lookup 200
32766: from all lookup main
32767: from all lookup default
# ip route ls table 1
10.10.2.0/24 dev eth2 proto kernel scope link src 10.10.2.1
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.1
10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.1
# ip route ls table 201
default via 10.10.2.251 dev eth2 proto static src 10.10.2.1
prohibit default proto static metric 1
# ip route ls table 200
default via 10.10.1.251 dev eth1 proto static src 10.10.1.1
prohibit default proto static metric 1
# ip route ls table main
10.6.7.0/24 dev eth0 proto kernel scope link src 10.6.7.12
10.10.2.0/24 dev eth2 proto kernel scope link src 10.10.2.1
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.1
10.10.1.0/24 dev eth1 proto kernel scope link src 10.10.1.1
# ip route ls table default
default
nexthop via 10.10.1.251 dev eth1 weight 1
nexthop via 10.10.2.251 dev eth2 weight 2

And mangle:

Chain PREROUTING (policy ACCEPT 275K packets, 115M bytes)
 pkts bytes target   prot opt in  out source    destination
 3482 1002K CONNMARK all  --  *   *   0.0.0.0/0 0.0.0.0/0   CONNMARK restore
   19  1534 MARK     all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK match 0x0/0xff MAC DE:AD:BE:EF:00:99 MARK set 0x8001
   44  2580 MARK     all  --  *   *   0.0.0.0/0 0.0.0.0/0   MARK match 0x0/0xff MAC DE:AD:BE:EF:00:98 MARK set 0x8002
 3482 1002K CONNMARK all  --  *   *   0.0.0.0/0 0.0.0.0/0   CONNMARK save

Chain INPUT (policy ACCEPT 15410 packets, 2339K bytes)
 pkts bytes target   prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 260K packets, 113M bytes)
 pkts bytes target   prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 11892 packets, 2261K bytes)
 pkts bytes target   prot opt in  out source    destination
  914  142K CONNMARK all  --  *   *   0.0.0.0/0 0.0.0.0/0   CONNMARK restore

Do you know how to fix this?

thanks!


Archive: http://lists.debian.org/201003262048.15634.bencer@cauterized.net
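To see which rule and which table actually decide the next hop under the rule set quoted in the post, here is an added Python model of the kernel's rule walk (this is editor-added code, not from the post or the list). It transcribes the rules and tables shown above, assumes table 2 (not shown) is empty, ignores the route cache and multipath hashing (it returns the whole nexthop list), and uses the constructed destination 203.0.113.5 as "some Internet host".

```python
import ipaddress

# Rules as printed by `ip rule ls` in the post: (priority, selector, table).
RULES = [
    (0, {}, "local"),
    (32761, {}, "main"),
    (32762, {"fwmark": 0x8002}, "2"),
    (32763, {"fwmark": 0x8001}, "1"),
    (32764, {"from": "10.10.2.1/24"}, "201"),
    (32765, {"from": "10.10.1.1/24"}, "200"),
    (32766, {}, "main"),
    (32767, {}, "default"),
]
# Connected networks listed in both table 1 and table main: (prefix, gateway, dev).
CONNECTED = [("10.10.2.0/24", None, "eth2"), ("192.168.1.0/24", None, "eth3"),
             ("10.10.1.0/24", None, "eth1")]
# Routes per table: (prefix, type, [(gateway, dev, weight), ...], metric).
TABLES = {
    "local": [],  # host addresses only; irrelevant for forwarded traffic
    "1": [(p, "unicast", [(gw, dev, 1)], 0) for p, gw, dev in CONNECTED],
    # table 2 is not shown in the post; assumed empty here, so lookups fall through
    "201": [("0.0.0.0/0", "unicast", [("10.10.2.251", "eth2", 1)], 0),
            ("0.0.0.0/0", "prohibit", [], 1)],
    "200": [("0.0.0.0/0", "unicast", [("10.10.1.251", "eth1", 1)], 0),
            ("0.0.0.0/0", "prohibit", [], 1)],
    "main": [("10.6.7.0/24", "unicast", [(None, "eth0", 1)], 0)]
            + [(p, "unicast", [(gw, dev, 1)], 0) for p, gw, dev in CONNECTED],
    "default": [("0.0.0.0/0", "unicast",
                 [("10.10.1.251", "eth1", 1), ("10.10.2.251", "eth2", 2)], 0)],
}

def lookup(table, dst):
    """Longest-prefix match within one table; ties go to the lowest metric."""
    best = None
    for prefix, kind, hops, metric in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), kind, hops)
    return best

def resolve(src, dst, fwmark=0):
    """Walk the rules in priority order. Returns (rule priority, table, route
    type, next hops). A table with no matching route does not end the search:
    the kernel simply continues with the next rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, sel, table in RULES:
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        if "from" in sel and src not in ipaddress.ip_network(sel["from"], strict=False):
            continue
        hit = lookup(table, dst)
        if hit is not None:
            _, kind, hops = hit
            return (prio, table, kind, hops if kind == "unicast" else [])
    return None
```

Running resolve("192.168.1.10", "203.0.113.5", 0x8001) shows that a marked LAN packet falls through table 1 (which holds only connected routes) and ends up in the multipath route of table default, exactly like an unmarked one; only traffic whose source is already a router-side address is pinned by the from-rules.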
