Thread: Postrouting causes wrong src port with ipsec

Subject: Postrouting causes wrong src port with ipsec
From: Hans Schillstrom
Date: 2006-03-22 08:52:43
Hello
I have a problem with postrouting and ipsec.
When the POSTROUTING chain is empty everything works fine, but when it's not empty the source port is modified on received packets!! (Sending to port 80 gives a reply from port 1.)
I have tried all combinations of these two distros:
Fedora 4 kernel 2.6.15-1.1831 running iptables v1.3.0
and Redhat ES 4 kernel 2.6.9-22 and iptables v1.2.11
and the result is the same. (It's a native ipsec26 stack, not KLIPS.)
My postrouting chain looks like this:

Chain POSTROUTING (policy ACCEPT 7387 packets, 591K bytes)
 pkts bytes target     prot opt in  out  source     destination
 257K  28M MASQUERADE  all  --  *   eth0 0.0.0.0/0  !172.23.0.0/16
    0    0 MASQUERADE  tcp  --  *   eth0 0.0.0.0/0  0.0.0.0/0
    1   56 MASQUERADE  udp  --  *   eth0 0.0.0.0/0  0.0.0.0/0
client:
+-----------+
| 172.24.1.2| Http Client
+-----------+
      | <- Tracepoint 1 (eth0)
+-------------+
|172.24.1.1   | eth0 Strongswan 2.6.2 running:
|81.227.205.39| eth1 Linux version 2.6.9-22.EL
+-------------+
      |
   Internet
      |
+--------------+
|213.204.187.40| eth2 Strongswan 2.6.2
|172.23.0.2    | eth0 Linux 2.6.15-1.1833_FC4
+--------------+
      | <- Tracepoint 2 (eth0)
+-------------+
|172.23.0.254 | Router/FW
|172.23.1.254 | Clavister
+-------------+
      |
+-------------+
|172.23.1.3   | http Server
+-------------+
->tcpdump in Tracepoint 2
00:13:22.533400 IP (tos 0x0, ttl 127, id 2541, offset 0, flags [none], proto 6, length: 75) 172.23.1.3.80 > 172.24.1.2.32871: P [tcp sum ok] 1:24(23) ack 118 win 65418 <nop,nop,timestamp 42430074 1538753435>
        0x0000:  4500 004b 09ed 0000 7f06 d78b ac17 0103  E..K............
        0x0010:  ac18 0102 0050 8067 be59 cca9 4935 c1b7  .....P.g.Y..I5..
        0x0020:  8018 ff8a 98dd 0000 0101 080a 0287 6e7a  ..............nz
        0x0030:  5bb7 839b 4854 5450 2f31 2e30 2033 3032  [...HTTP/1.0.302
        0x0040:  2052 6564 6972 6563 740d 0a              .Redirect..

->tcpdump in Tracepoint 1
00:13:22.544901 IP (tos 0x0, ttl 125, id 2541, offset 0, flags [none], proto 6, length: 75) 172.23.1.3.1 > 172.24.1.2.32871: P [tcp sum ok] 3193556137:3193556160(23) ack 1228259767 win 65418 <nop,nop,timestamp 42430074 1538753435>
        0x0000:  4500 004b 09ed 0000 7d06 d98b ac17 0103  E..K....}.......
        0x0010:  ac18 0102 0001 8067 be59 cca9 4935 c1b7  .......g.Y..I5..
        0x0020:  8018 ff8a 992c 0000 0101 080a 0287 6e7a  .....,........nz
        0x0030:  5bb7 839b 4854 5450 2f31 2e30 2033 3032  [...HTTP/1.0.302
        0x0040:  2052 6564 6972 6563 740d 0a              .Redirect..
Regards
/Hans

Subject: Postrouting causes wrong src port with ipsec
From: Eduardo Spremolla
Date: 2006-03-22 13:40:57
Here is my postrouting:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source       destination
ACCEPT     all  --  10.1.0.0/16  10.3.0.0/16
MASQUERADE all  --  10.1.0.0/16  anywhere

10.1.0.0/16 is my LAN and 10.3.0.0 is the remote LAN over ipsec.
The ACCEPT rule prevents the MASQ.

LALO
On Wed, 2006-03-22 at 09:52 +0100, Hans Schillstrom wrote:
This e-mail and any attachment is confidential and is
intended solely for the addressee(s). If you are not
intended recipient please inform the sender immediately,
answering this e-mail and delete it as well as the attached
files. Any use, circulation or copy of this e-mail by any
person or entity that is not the specific addressee(s) is
prohibited. ANTEL is not responsible for any communication
emitted without respecting our Information Security Policy.

Subject: Postrouting causes wrong src port with ipsec
From: Hans Schillstrom
Date: 2006-03-23 17:14:58
Thanks a lot.
A small change solved this problem.
From:

Chain POSTROUTING (policy ACCEPT 7387 packets, 591K bytes)
 pkts bytes target     prot opt in  out  source     destination
 257K  28M MASQUERADE  all  --  *   eth0 0.0.0.0/0  !172.23.0.0/16

To:

Chain POSTROUTING (policy ACCEPT 1423 packets, 126K bytes)
 pkts bytes target  prot opt in  out  source     destination
    0    0 ACCEPT   all  --  *   eth0 0.0.0.0/0  172.23.0.0/16

/Hans
On Wed, 2006-03-22 at 10:40 -0300, Eduardo Spremolla wrote:
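The lesson of the thread, as an added example that is not part of any message above: a small shell check that parses a nat POSTROUTING listing and flags any MASQUERADE rule that can still match traffic bound for the remote IPsec subnet before an ACCEPT exempts it. The function name `vpn_exempt_ok` and the sample listings (rebuilt from the chains posted in this thread) are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that a nat POSTROUTING listing exempts a remote
# IPsec subnet from MASQUERADE before any MASQUERADE rule can match it.
# Reads `iptables -t nat -L POSTROUTING -n -v` output (9 columns:
# pkts bytes target prot opt in out source destination) or plain
# `iptables -t nat -L POSTROUTING` output (5 columns) on stdin.
# Returns 0 when every MASQUERADE that could match traffic to the subnet
# is preceded by an ACCEPT for that subnet, 1 otherwise.
vpn_exempt_ok() {
    awk -v net="$1" '
        $1 == "Chain" || $1 == "pkts" || $1 == "target" { next }
        NF == 9 { target = $3; dst = $9 }        # verbose listing
        NF == 5 { target = $1; dst = $5 }        # plain listing
        NF != 9 && NF != 5 { next }
        # an ACCEPT for the VPN subnet stops further nat rules for it
        target == "ACCEPT" && dst == net { exempt = 1 }
        # before that exemption, any MASQUERADE whose destination does
        # not exclude the subnet ("!" prefix) can rewrite the packet
        target == "MASQUERADE" && !exempt && dst != ("!" net) { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample listings taken from the thread: the chain before and
# after the change, plus the plain-format chain from the reply.
BEFORE='Chain POSTROUTING (policy ACCEPT 7387 packets, 591K bytes)
 pkts bytes target     prot opt in  out  source     destination
 257K  28M MASQUERADE  all  --  *   eth0 0.0.0.0/0  !172.23.0.0/16
    0    0 MASQUERADE  tcp  --  *   eth0 0.0.0.0/0  0.0.0.0/0
    1   56 MASQUERADE  udp  --  *   eth0 0.0.0.0/0  0.0.0.0/0'
AFTER='Chain POSTROUTING (policy ACCEPT 1423 packets, 126K bytes)
 pkts bytes target  prot opt in  out  source     destination
    0    0 ACCEPT   all  --  *   eth0 0.0.0.0/0  172.23.0.0/16'
PLAIN='Chain POSTROUTING (policy ACCEPT)
target     prot opt source       destination
ACCEPT     all  --  10.1.0.0/16  10.3.0.0/16
MASQUERADE all  --  10.1.0.0/16  anywhere'

check() {  # prints the verdict for one labelled listing
    if printf '%s\n' "$2" | vpn_exempt_ok "$1"; then
        echo "$3: ok, VPN subnet exempted before MASQUERADE"
    else
        echo "$3: MASQUERADE can still rewrite traffic to $1"
    fi
}
check 172.23.0.0/16 "$BEFORE" before
check 172.23.0.0/16 "$AFTER"  after
check 10.3.0.0/16   "$PLAIN"  reply
```

The "before" chain is reported because, although its first rule negates the 172.23.0.0/16 destination, the following tcp and udp MASQUERADE rules match any destination out eth0 and so can still rewrite the plaintext packet before ESP encapsulation.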