Hello,
First of all, I'd like to apologize for the length of this mail. I
intended to provide enough information to explain my configuration, so
that someone will have the ability to guide me.
I have a simple setup, in which the bridge is between an ADSL modem and
a server:

   +========+            +=========+            +==========+
   +  ADSL  +------------+ BRIDGE  +------------+  SERVER  +
   +========+            +=========+            +==========+
                     eth0  (br0)  eth1          212.11.36.175
I would like the machine BRIDGE to provide an HTTP service in lieu of
the machine SERVER, in a kind of transparent way.
So I configured iptables the following way:
iptables -t nat -A PREROUTING -i eth0 -d 212.11.36.175 -p tcp --dport 80 -j REDIRECT
(Or, I also tried:
iptables -t nat -A PREROUTING -i eth0 -d 212.11.36.175 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3
where 192.168.1.3 is the (only) IP address associated with 'br0'
)
Of course, it doesn't work, or else I wouldn't ask for help here =)
What I'd really like to know is how to diagnose such a problem: what are
the tools and the probes I can use in such a case?
Here are the tests I've done:
I already did the following to have some information in the syslog:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -j LOG --log-prefix "nat post "
iptables -t nat -I PREROUTING -p tcp --dport 80 -j LOG --log-prefix "nat pre "
iptables -I FORWARD -p tcp --dport 80 -j LOG --log-prefix "forward "
iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "output "
iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "input "
Whenever I try a connection from an external address, I get the following :
A - with a nat target (REDIRECT or DNAT)
========================================
Mar 10 19:44:41 mail kernel: nat pre IN=br0 PHYSIN=eth0 OUT= MAC=00:01:02:08:0e:f4:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=49722 DF PROTO=TCP SPT=1692 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:44:41 mail kernel: input IN=br0 PHYSIN=eth0 OUT= MAC=00:02:b3:96:f1:19:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=192.168.1.3 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=49722 DF PROTO=TCP SPT=1692 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:44:44 mail kernel: input IN=br0 PHYSIN=eth0 OUT= MAC=00:02:b3:96:f1:19:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=192.168.1.3 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=49739 DF PROTO=TCP SPT=1692 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:44:50 mail kernel: input IN=br0 PHYSIN=eth0 OUT= MAC=00:02:b3:96:f1:19:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=192.168.1.3 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=49753 DF PROTO=TCP SPT=1692 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
A tcpdump on eth0 gives:
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
19:44:41.517101 217.151.0.130.1692 > 212.11.36.175.http: S [tcp sum ok] 423866529:423866529(0) win 16384 <mss 1360,nop,nop,sackOK> (DF) (ttl 120, id 49722, len 48)
19:44:44.419592 217.151.0.130.1692 > 212.11.36.175.http: S [tcp sum ok] 423866529:423866529(0) win 16384 <mss 1360,nop,nop,sackOK> (DF) (ttl 120, id 49739, len 48)
19:44:50.425091 217.151.0.130.1692 > 212.11.36.175.http: S [tcp sum ok] 423866529:423866529(0) win 16384 <mss 1360,nop,nop,sackOK> (DF) (ttl 120, id 49753, len 48)
B - when I get rid of the nat target (REDIRECT or DNAT):
========================================================
I have the following (no HTTP service provided on SERVER + a firewall
DROPs packets on port 80):
Mar 10 19:51:14 mail kernel: nat pre IN=br0 PHYSIN=eth0 OUT= MAC=00:01:02:08:0e:f4:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61789 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:14 mail kernel: forward IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61789 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:14 mail kernel: nat post IN= PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61789 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:16 mail kernel: forward IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61838 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:22 mail kernel: forward IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61863 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
tcpdump:
tcpdump: WARNING: eth0: no IPv4 address assigned
tcpdump: listening on eth0
19:51:14.055261 217.151.0.130.1694 > 212.11.36.175.http: S [tcp sum ok] 521961031:521961031(0) win 16384 <mss 1360,nop,nop,sackOK> (DF) (ttl 120, id 61789, len 48)
19:51:16.985219 217.151.0.130.1694 > 212.11.36.175.http: S [tcp sum ok] 521961031:521961031(0) win 16384 <mss 1360,nop,nop,sackOK> (DF) (ttl 120, id 61838, len 48)
19:51:22.993479 217.151.0.130.1694 > 212.11.36.175.http: S [tcp sum ok] 521961031:521961031(0) win 16384 <mss 1360,nop,nop,sackOK> (DF) (ttl 120, id 61863, len 48)
It seems like my packets are silently dropped somewhere, for they never
reach the HTTP server at 192.168.1.3 (which, by the way, is configured
and works).
How can I have more information about the (cruel) fate of these packets?
What can I do?
Configuration
=============
Machine is a pentium, running Linux 2.4.18 +
bridge-nf-0.0.6-against-2.4.18.diff + 00_dont_listen_for_nostp.diff +
00_br_dont_pass_indev_to_local_out_hook.diff
Apart from that problem, the bridge works OK, and netfilter also seems
to work OK, because I can DROP / ACCEPT packets interface per
interface, or across bridges. Only the NAT seems not to work.
The iptables configuration is the following:
iptables -t nat -L -v
=====================
Chain PREROUTING (policy ACCEPT 75248 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  1452 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:http LOG level warning prefix `nat pre '

Chain POSTROUTING (policy ACCEPT 6983 packets, 443K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   444 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:http LOG level warning prefix `nat post '

Chain OUTPUT (policy ACCEPT 123 packets, 9018 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -v
==============
Chain INPUT (policy ACCEPT 212K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
   87  4385 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:http LOG level warning prefix `input '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  5597 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:http LOG level warning prefix `forward '
57942 4157K ACCEPT     all  --  eth1   eth0    anywhere             anywhere
 1743  892K ACCEPT     all  --  eth2   eth3    anywhere             anywhere
 1349 81754 ACCEPT     all  --  eth3   eth2    anywhere             anywhere
18109 2819K ACCEPT     all  --  eth0   eth1    anywhere             anywhere
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:http LOG level warning prefix `forward drop '

Chain OUTPUT (policy ACCEPT 227K packets, 46M bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   275 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:http LOG level warning prefix `output '
The machine has 4 NICs (eth0 -> eth3) and two bridges: br0=eth0+eth1,
br1=eth2+eth3.
The NIC configuration is:
# ip link
=========
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
4: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:02:b3:96:f1:19 brd ff:ff:ff:ff:ff:ff
9: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:99:8f:bb brd ff:ff:ff:ff:ff:ff
10: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:96:f1:19 brd ff:ff:ff:ff:ff:ff
11: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:96:f5:b7 brd ff:ff:ff:ff:ff:ff
12: eth3: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:99:88:90 brd ff:ff:ff:ff:ff:ff
13: br1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:02:b3:96:f5:b7 brd ff:ff:ff:ff:ff:ff
# ip addr
=========
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
4: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:02:b3:96:f1:19 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global br0
9: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:99:8f:bb brd ff:ff:ff:ff:ff:ff
10: eth1: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:96:f1:19 brd ff:ff:ff:ff:ff:ff
11: eth2: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:96:f5:b7 brd ff:ff:ff:ff:ff:ff
12: eth3: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:99:88:90 brd ff:ff:ff:ff:ff:ff
13: br1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:02:b3:96:f5:b7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.131.201/24 brd 192.168.131.255 scope global br1
# brctl showmacs br0
====================
port no mac addr           is local?  ageing timer
  2     00:01:02:08:0e:f4  no             18.21
  2     00:02:b3:96:f1:19  yes             0.00
  1     00:02:b3:99:8f:bb  yes             0.00
  1     00:60:68:82:21:f8  no            113.69
  1     00:60:68:83:21:f8  no             18.15
where:
00:01:02:08:0e:f4 is the NIC of SERVER (212.11.36.175)
00:60:68:82:21:f8 seems to be the MAC address of the ADSL modem, even if
it looks like there are 2 very similar MACs (? but may not be a problem)
Thank you for having read this mail.
Best regards,
Ludovic LANGE
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
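One concrete answer to the "how do I diagnose this" question, using only the LOG output the mail already collects, as an added example (editor's code, not part of the original mail or of the bridge-nf project): a small Python script that parses netfilter LOG lines and correlates every record of one packet across the hooks by its IP header ID, which NAT leaves untouched even when it rewrites DST. The sample input is the mail's own log lines, re-joined onto single lines. Run on them it shows that in case A the SYN's DST was rewritten to 192.168.1.3 and the packet was handed to INPUT (local delivery) rather than FORWARD, while in case B it traversed PREROUTING, FORWARD and POSTROUTING with DST unchanged. The prefixes matched are the ones the mail's rules set; the script assumes the 2.4-era LOG field layout with the PHYSIN/PHYSOUT fields added by bridge-nf.

```python
import re
from collections import OrderedDict

# Sample input: the netfilter LOG lines quoted in the mail above, re-joined
# onto one line each (two records from case A, three from case B).
SAMPLE_LOG = """\
Mar 10 19:44:41 mail kernel: nat pre IN=br0 PHYSIN=eth0 OUT= MAC=00:01:02:08:0e:f4:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=49722 DF PROTO=TCP SPT=1692 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:44:41 mail kernel: input IN=br0 PHYSIN=eth0 OUT= MAC=00:02:b3:96:f1:19:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=192.168.1.3 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=49722 DF PROTO=TCP SPT=1692 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:14 mail kernel: nat pre IN=br0 PHYSIN=eth0 OUT= MAC=00:01:02:08:0e:f4:00:60:68:83:21:f8:08:00 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61789 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:14 mail kernel: forward IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61789 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 10 19:51:14 mail kernel: nat post IN= PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=217.151.0.130 DST=212.11.36.175 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=61789 DF PROTO=TCP SPT=1694 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# "kernel: <log-prefix> IN=..." -- the prefix is whatever --log-prefix set
# (possibly empty); the field list always starts at the first "IN=".
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?) ?(?P<fields>IN=.*)$")


def parse_line(line):
    """Parse one netfilter LOG line into a dict of KEY=value fields.

    Bare tokens without '=' (DF, SYN, ACK, ...) are collected under 'flags'.
    Returns None for lines that are not netfilter LOG output.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value            # "OUT=" yields an empty string
        else:
            rec["flags"].append(tok)
    return rec


def trace_packets(log_text):
    """Group LOG records belonging to the same IP packet, in log order.

    DNAT/REDIRECT rewrite DST, so DST cannot be part of the key. The IP
    header ID (with SRC, PROTO and SPT) is not touched by NAT and survives
    across the PREROUTING, INPUT, FORWARD and POSTROUTING hooks.
    """
    paths = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "ID" not in rec or "SRC" not in rec:
            continue
        key = (rec["SRC"], rec.get("PROTO", "?"), rec.get("SPT", "-"), rec["ID"])
        paths.setdefault(key, []).append(rec)
    return paths


def dst_rewritten(hops):
    """True if the destination address changed between hooks (a NAT rule fired)."""
    return len({h.get("DST") for h in hops}) > 1


def describe(key, hops):
    """One-line trajectory: which chains the packet hit, on which bridge/physical ports."""
    src, proto, spt, ipid = key
    steps = []
    for h in hops:
        ingress = "/".join(x for x in (h.get("IN", ""), h.get("PHYSIN", "")) if x) or "-"
        egress = "/".join(x for x in (h.get("OUT", ""), h.get("PHYSOUT", "")) if x) or "-"
        steps.append(f"{h['prefix']}[in={ingress} out={egress} dst={h.get('DST')}]")
    note = "  (DST rewritten by NAT)" if dst_rewritten(hops) else ""
    return f"{src}:{spt}/{proto} id={ipid}: " + " -> ".join(steps) + note


if __name__ == "__main__":
    for key, hops in trace_packets(SAMPLE_LOG).items():
        print(describe(key, hops))
```

Pointed at a full syslog, each output line shows where a packet's trail ends, which is the question the mail asks. Note that all five LOG rules in the mail match `--dport 80`, so they only record the inbound SYN; a practitioner tracing a failed handshake would add matching rules for the reply direction (`--sport 80`) in the same chains, so that the SYN-ACK, if it is generated at all, shows up in the same trace.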