On 9/13/2013 2:46 PM, İlker Aktuna wrote:
> Hi Guys,
> 
> I really help. I understand that this might not be a problem of Shorewall 
> (yet why not)

Let's look at this:

Here's the INPUT chain:

Chain PREROUTING (policy ACCEPT 89 packets, 5619 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1960  210K dnat       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
  336 30878 wan_dnat   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
  508 54430 wan_dnat   all  --  ppp1   *       0.0.0.0/0            0.0.0.0/0
    0     0 wan_dnat   all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
 1116  125K lan_dnat   all  --  br0    *       0.0.0.0/0            0.0.0.0/0  <=========

Chain lan_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9306 to:192.168.254.21:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9307 to:192.168.254.22:80
    6   312 ~log0      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp dpt:9309 <======
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9308 to:192.168.254.23:80

Chain ~log0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   312 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix "Shorewall:lan_dnat:DNAT:" queue_threshold 1 <==========
    6   312 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.254.3:9309 <========

Looking at the rules marked with <====== together with the log messages
being generated, we know that 6 packets directed to TCP port 9309 were
redirected to IP address 192.168.254.3.

Now let's look at the filter table:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
82850   62M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1365 71260 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
 3578  452K ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
 8067  819K ppp1_fwd   all  --  ppp1   *       0.0.0.0/0            0.0.0.0/0
    0     0 tun0_fwd   all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
71205   60M lan_frwd   all  --  br0    *       0.0.0.0/0            0.0.0.0/0    <=========
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:FORWARD:REJECT:"
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain lan_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1946  311K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
 4234  944K lan2wan    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
10783 2861K lan2wan    all  --  *      ppp1    0.0.0.0/0            0.0.0.0/0
    0     0 lan2wan    all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
56188   57M lan2lan    all  --  *      br0     0.0.0.0/0            0.0.0.0/0 <========
    0     0 lan2lanx   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 lan2lanx   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain lan2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 tcpmss match 1452:65535 TCPMSS set 1452
    1    60 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 tcpmss match 1452:65535 TCPMSS set 1452
56160   57M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.254.21       tcp dpt:80 ctorigdstport 9306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.254.22       tcp dpt:80 ctorigdstport 9307 <====
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.254.3        tcp dpt:9309 ctorigdstport 9309
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.254.23       tcp dpt:80 ctorigdstport 9308
   28  6612 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

If Netfilter had correctly rerouted the packet, it would have matched
the last marked rule. It didn't; from that I conclude that Netfilter is
not doing the right thing in this case.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
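Added example, not part of Tom's post and not Shorewall code: the cross-check done by hand above, automated. Tom's method is to follow the packet counters: a DNAT rule in the nat table that counted hits should be mirrored by hits on the filter-table ACCEPT rule that matches the same original destination port (`ctorigdstport`); if the nat counter moved and the filter counter did not, the DNAT'd packet never reached the rule meant to accept it. The script below parses `iptables -L -n -v` style output (the two dumps embedded here are constructed, trimmed copies of the chains quoted in the post), walks the nat chains from a chosen start chain carrying the `dpt:` match through `[goto]`/jump rules, and reports, for every DNAT rule that fired, how many packets the matching `ctorigdstport` rule in the filter table saw. Chain and function names are the script's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: trimmed copies of the nat and filter chains quoted in the post,
# in the layout `iptables -t nat -L -n -v` / `iptables -L -n -v` print.
NAT_DUMP = """\
Chain lan_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9306 to:192.168.254.21:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9307 to:192.168.254.22:80
    6   312 ~log0      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp dpt:9309
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9308 to:192.168.254.23:80

Chain ~log0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    6   312 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ULOG copy_range 0 nlgroup 1 prefix "Shorewall:lan_dnat:DNAT:" queue_threshold 1
    6   312 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.254.3:9309
"""

FILTER_DUMP = """\
Chain lan2lan (1 references)
 pkts bytes target     prot opt in     out     source               destination
56160   57M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.254.21       tcp dpt:80 ctorigdstport 9306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.254.3        tcp dpt:9309 ctorigdstport 9309
   28  6612 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    pkts: int     # packet counter
    target: str   # DNAT, ACCEPT, ULOG, or the name of a user chain
    extra: str    # match/target options after the destination column


# pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_chains(dump):
    """Return {chain name: [Rule, ...]} from iptables -L -n -v output."""
    chains, current = {}, None
    for line in dump.splitlines():
        m = re.match(r"^Chain (\S+) ", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            chains[current].append(Rule(int(m.group(1)), m.group(3), m.group(10).strip()))
    return chains


def trace_dnat(chains, chain, dport=None, _seen=frozenset()):
    """Walk `chain`, following jumps/gotos into user chains, and collect
    (original dport, DNAT target, pkts) for every DNAT rule whose counter is non-zero.
    The dpt: match is inherited from the calling rule, as with the ~log0 chain above."""
    if chain in _seen:          # guard against a looping hand-made dump
        return []
    seen = _seen | {chain}
    hits = []
    for r in chains.get(chain, []):
        m = re.search(r"\bdpt:(\d+)", r.extra)
        port = int(m.group(1)) if m else dport
        if r.pkts == 0:
            continue            # nothing went through this rule, nothing to trace
        if r.target == "DNAT":
            m = re.search(r"\bto:(\S+)", r.extra)
            hits.append((port, m.group(1) if m else None, r.pkts))
        elif r.target in chains:
            hits.extend(trace_dnat(chains, r.target, port, seen))
    return hits


def forward_hits(chains, orig_port):
    """Sum the counters of filter rules matching `ctorigdstport <orig_port>`."""
    total = 0
    for rules in chains.values():
        for r in rules:
            m = re.search(r"\bctorigdstport (\d+)", r.extra)
            if m and int(m.group(1)) == orig_port:
                total += r.pkts
    return total


def diagnose(nat_dump, filter_dump, start_chain="lan_dnat"):
    """For each DNAT rule that fired, pair its counter with the filter-side counter.
    nat_pkts > 0 with fwd_pkts == 0 is the situation Tom describes."""
    nat, flt = parse_chains(nat_dump), parse_chains(filter_dump)
    report = []
    for port, to, pkts in trace_dnat(nat, start_chain):
        fwd = forward_hits(flt, port)
        report.append({"orig_port": port, "to": to, "nat_pkts": pkts,
                       "fwd_pkts": fwd, "suspect": fwd == 0})
    return report


if __name__ == "__main__":
    for row in diagnose(NAT_DUMP, FILTER_DUMP):
        flag = "NOT seen by filter ACCEPT rule" if row["suspect"] else "ok"
        print(f"dport {row['orig_port']} -> {row['to']}: "
              f"nat={row['nat_pkts']} fwd={row['fwd_pkts']} ({flag})")
```

To use it on a live box, feed `iptables -t nat -L -n -v` and `iptables -L -n -v` output into `diagnose()` and pick the nat chain the LAN interface jumps to. The counters are cumulative since the rules were loaded, so zero both tables with `iptables -Z` and `iptables -t nat -Z` (or compare two snapshots) before reproducing the connection, otherwise old hits on the filter side mask the mismatch.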

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users